pass v0.3.0 Pass.ResetPassword

Handles password resets by generating, verifying, and redeeming JWTs.

The idea is that you would use Pass.ResetPassword.generate_token/1 to create a JWT that you could then send to the user (probably in a link in an email).

When the user accesses your interface to redeem the token and reset their password, you would use Pass.ResetPassword.verify_token/2 to first verify the JWT and check that it has not expired before asking for the new password.

Once the user has given you the new password, you would use Pass.ResetPassword.redeem_token/2 which would first verify the JWT and then reset the password.

To prevent replay attacks, we generate a random string to send in the jti attribute of the JWT and store it in the data store.
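The flow described above, as an added example written for this page rather than code taken from the pass library: a stdlib-only Python re-implementation of the same scheme (an HS256 JWT carrying sub, aud, jti and iat, with the jti persisted so a token can be redeemed exactly once). The signing key, the one-hour expiry window, the in-memory dictionaries standing in for the data store, and the extra `now` parameter (added so the expiry and replay checks can be exercised deterministically) are all assumptions; the page does not state the expiry period.

```python
import base64, hashlib, hmac, json, os, time

AUD = "Pass.ResetPassword"
KEY = b"constructed-demo-key"   # stand-in for the secret returned by key/0 (constructed)
TTL = 3600                      # assumption: the page does not state the expiry window
PENDING = {}                    # constructed data store: email -> jti awaiting redemption
PASSWORDS = {}                  # constructed user store: email -> current password

def _b64(data):                 # URL-safe base64 without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header, body):        # HS256 over the signing input "header.body"
    return hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()

def generate_token(email, now=None):
    jti = _b64(os.urandom(16))  # random 16 bytes, URL-safe base64, no padding
    iat = int(time.time()) if now is None else now
    claims = {"sub": email, "aud": AUD, "jti": jti, "iat": iat}
    PENDING[email] = jti        # remember the jti so the token is single-use
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{_b64(_sign(header, body))}"

def verify_token(token, now=None):
    # Returns the claims if signature, expiry and stored jti all check out, else None.
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_unb64(sig), _sign(header, body)):
            return None         # wrong key or tampered payload
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed segments, base64 or JSON
        return None
    now = int(time.time()) if now is None else now
    if claims.get("aud") != AUD or now - claims.get("iat", 0) > TTL:
        return None             # wrong audience or expired
    if PENDING.get(claims.get("sub")) != claims.get("jti"):
        return None             # unknown user, or jti already redeemed (replay)
    return claims

def redeem_token(token, password, now=None):
    claims = verify_token(token, now)
    if claims is None:
        return False
    del PENDING[claims["sub"]]  # consume the jti so the same link cannot be reused
    PASSWORDS[claims["sub"]] = password
    return True
```

Because verification recomputes the HMAC with the server key rather than trusting the header's alg field, an unsigned or re-signed token is rejected; the replay check is what turns the jti from a plain identifier into a one-time credential.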

Functions

generate_token(email)

Takes in an email address and creates a JWT with the following claims:

  • sub: The email address passed in
  • aud: “Pass.ResetPassword”
  • jti: Random 16 bytes encoded as a URL-safe base64 string with no padding
  • iat: The current time from epoch in seconds

key()

Returns the secret key used to sign the JWT.

redeem_token(token, password)

Takes in a JWT to verify and the new password that will be set for the user if the JWT is valid and hasn’t expired.

verify_token(token)

Takes in a password reset JWT and verifies that the JWT is valid, that the JWT hasn’t expired, and that the email address in the sub attribute and the random string in the jti attribute match a user in the data store.