User change password #413

Open
rudolphpienaar opened this issue Aug 11, 2022 · 12 comments
Comments

@rudolphpienaar
Member

No description provided.

@kindyluv

I would like to work on this issue. Is this issue still available?

@jennydaman
Contributor

This issue is available and similar to the one here; please read my comment.

FNNDSC/ChRIS_store#57 (comment)

As a relatively large feature, doing a detailed proposal of how you would deliver a solution would count as a meaningful contribution for your Outreachy application. If you are interested in this issue then please draft a solution proposal and have me review it (before working on implementation).

@kindyluv

Okay, I will do just that.

@kindyluv

@jennydaman

i) User will provide the email they used to open their user account

ii) The email would be verified if it belongs to an existing user account

iii) If the email is successfully verified, a token that has limited time-to-live will be sent to their email to reset a new password

iv) The token would be used to fetch the user and change the password to the new one, as long as the token has not expired

@kindyluv

@jennydaman can I carry on with this issue now?

@jennydaman
Contributor

Tell me more details about iii.

  1. How will you generate the token?
  2. How will the email be sent?

@kindyluv

Sending an email with SendGrid/Gmail
Step 1:
Getting a SendGrid API key

Step 2:
Add a .env file for the SendGrid API key and email that would be used to send the mail

Step 3:
Add a config/settings file that reads the env file
Next, add the other email configuration in the settings file

Step 4:
Have a class and function in view that does the logic

Token generator
Step 1:
I could use PasswordResetTokenGenerator from django.contrib.auth.tokens
Or
I could use rest_framework.authtoken

@jennydaman
Contributor

Good job doing research on programmatic email.

Currently ChRIS does not depend on any SaaS. Using SendGrid would be a big decision. Let's discuss a few more concerns:

  • ChRIS is usually deployed inside hospitals. Are there any security concerns related to using a public SaaS, specifically SendGrid?
  • Any reason to use SendGrid over its competitors? e.g. AWS SES
  • Currently the number of ChRIS users per deployment is ~10-100. Maybe we could implement a solution in parts? The ability to generate a "password reset URL" (which could be sent from an admin to a user manually) is a higher priority target than being able to automate the process.
  • Would you tell me more about how the password reset URL would work? Can Django provide a rudimentary UI for this (like how it can display JSON responses as an HTML webpage, or the /chris-admin/ page) or will it be necessary to add support for this in the ChRIS_ui?
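
Added example (not ChRIS code and not Django's `PasswordResetTokenGenerator`): a standard-library illustration of the time-limited token from step iii and the manually shared "password reset URL" raised above, with the token bound to the current password hash so it stops working once the password changes. The `User` class, `SECRET_KEY`, `TOKEN_TTL` and the base URL are hypothetical placeholders.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the server secret
TOKEN_TTL = 3600                      # assumption: time-to-live in seconds


@dataclass
class User:  # hypothetical stand-in for the real user model
    id: int
    password_hash: str


def _mac(user: User, ts: int) -> str:
    # The MAC covers the current password hash, so the token is single-use:
    # after a successful reset every outstanding token stops verifying.
    msg = f"{user.id}:{user.password_hash}:{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(user: User, now: Optional[int] = None) -> str:
    ts = int(time.time()) if now is None else now
    return f"{ts:x}-{_mac(user, ts)}"


def check_token(user: User, token: str, now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        ts_hex, mac = token.split("-", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False  # malformed token
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    if not hmac.compare_digest(mac.encode(), _mac(user, ts).encode()):
        return False
    # Reject expired tokens and tokens stamped in the future.
    return 0 <= now - ts <= TOKEN_TTL


def reset_url(base: str, user: User, now: Optional[int] = None) -> str:
    # URL an admin could hand to the user manually; base is a placeholder.
    return f"{base}/{user.id}/{quote(make_token(user, now))}/"
```
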

@kindyluv

  1. Since ChRIS does not depend on any SaaS, we could work with Gmail SMTP for sending emails.
    i) It's secured and free to use; all we need is to have a .env file, which we won't be adding to GitHub, that would have the ChRIS Gmail details
    ii) And a settings file in which we would call the values in our .env file

  2. For sending the email with the token, we would have a template in the project that would house the token and a link to the frontend page
    i) The frontend would send back the new password and the token to authenticate the user
    ii) I will work on both the backend and the frontend

@kindyluv

@jennydaman ...... waiting for your approval so I can start the issue

@jennydaman
Contributor

Instead of specifying it in .env, it could also be configured in the /chris-admin/ dashboard. Here is a reference to how an SMTP email server is configured in Nextcloud 23:

image

Gmail might work, but it's not necessarily a good choice. I don't think Google's terms of service allow for automatic sending of emails from personal Gmail accounts. Moreover, we are still concerned about Google's privacy policy.

@kindyluv

kindyluv commented Dec 1, 2022

We could still use another mail sender; there are a lot of options, and I know some of them allow their users to automate things. Like Mailgun: I used it on a Java project some time ago for an organization and it still works fine.

But if you are fine with Gmail SMTP then I will start working on it with your approval.
