"Forgot Password?" in /panel

Heyo,

I just had a request come in today from a client who wants a “Forgot password?” system in the panel. In the short-term I can just assure here that I can reset her password using my own account, but I’m wondering - is this a feature that was left out intentionally?

I see somebody made a plugin for this, but that’s no longer maintained or online.

This has been asked for on several occasions and there is a GitHub issue as well. I have no idea though if this is going to be implemented in the near future or at all.

you could offer a php skript that take a new password param alters the account file. reset to a random one and send a mail. following skirpt is untested, just use this as an inspiration.

// URL http://www.example.com/user:myuser/forgot-password:1
// URL Routing http://www.example.com/forgot-password/user:myuser
if($newpassword = get('forgot-password' && $changeUser = get('user'))) {
  $newPW = str::random(8);
  $site->user($changeUser)->update(array(
      'password' => $newPW
  ));
 // send mail to user with new pw
 $mail = $site->user($changeUser)->email();
 $email = new Email(array(
    'to'      => $mail,
    'from'    => $mail,
    'subject' => 'new password',
    'body'    => 'some text: '.$newPW
  ));

  if($email->send()) {
   echo 'The email has been sent';
  } else {
    echo $email->error()->message();
  }
}

https://getkirby.com/docs/cheatsheet/user/update
https://getkirby.com/docs/toolkit/api/str/random
https://getkirby.com/docs/toolkit/sending-email


1 Like

Problem is that this way you send a plain text password via an unencrypted mail which is not really such a good idea.

…at least not if you don’t force the user to change their password after the first login in some way.

… and set a time limit to access with this password.

And I still think that a password reset via reset link - done right - is the best option and should be part of the core - to be enabled via a config setting.

5 Likes

I’d definitely agree with you there.

sure but a random password is too hard to remember so its a good guess the user will change it. an the text in the mail could tell him too. its just a workaround.

Most of my passwords are almost impossible to remember, they are just some long random strings …

1 Like

mine too, using 1password. but i understand your concerns.

Good News! I added the forgot password plugin back . Download it here. The installation instructions is in this thread.

this does not work since update password does hash on its own. can not fix code above. :frowning:

Thanks, I corrected it above.