Thursday 28 March 2013

Testing TeamMentor's password reset feature (now with token stored as a Hash)

In the post The Power of UnitTests when refactoring code (for example Security Pages), I showed the new TeamMentor password reset feature.

This post shows an updated version of that feature, which now stores the password reset tokens as PBKDF2 hashes rather than in clear text.

To start, open TBot, and click on the New Random User link:

image

Which will quickly create a test user for us to use.

image

Copy the email address, and use it on the passwordForgot page (link available from the login dialog/page):

image

Once the email is submitted:

image

You can go to TBot’s View Emails Sent page:

image

Where you can see the email that was (supposed to be) sent to the user. The SMTP password is not set up on this server, which is why the email was not actually sent and is shown in red.

image

Here is the email (sent to the user) with the password reset details:

Hi FName LName,  a password reminder was requested for your account.

You can change the password of your test_user_SiZif account using https://teammentor-33-ci.azurewebsites.net:443/passwordReset/test_user_SiZif/762cb15a-fa30-44f9-bcdc-1393c487bbc6

If you didn't make this request, please let us know at support@teammentor.net.
Copy the password reset url, open it on the browser and set a password:

image

Once the password is successfully changed, you can login as that user:

image

image

Another way to test this feature is to go to TBot's Current Users page:

image

Select the desired user:

image

And click on the open password reset page link:

image

Which will open the password reset page for this user with a valid token (which can only be used once).

image

Note that if you open the Raw/Xml Data page for this user:

image

You will see that the password reset token is stored as a long PBKDF2 hash (very similar to the stored password hash), so the raw GUID that was emailed to the user never appears in the user data.

image
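To make the storage model concrete, here is an added example (my own illustration, not TeamMentor's code) of a reset flow that emails a GUID token, persists only its salted PBKDF2 hash, and invalidates it after one use; the iteration count, salt size and the dictionary-based user store are assumptions for the demo.

```python
import hashlib
import hmac
import os
import uuid

# Assumed PBKDF2 parameters for this demo (not TeamMentor's real settings).
PBKDF2_ITERATIONS = 20_000
PBKDF2_HASH = "sha256"


def hash_token(secret: str, salt: bytes) -> bytes:
    """Derive the value that is actually persisted (PBKDF2-HMAC of the secret)."""
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, secret.encode(), salt, PBKDF2_ITERATIONS)


def issue_reset_token(user: dict) -> str:
    """Create a single-use reset token; only its salted hash is stored on the user."""
    token = str(uuid.uuid4())          # the GUID that goes into the passwordReset URL
    salt = os.urandom(16)
    user["reset_token_salt"] = salt
    user["reset_token_hash"] = hash_token(token, salt)
    return token                        # returned for the email only, never stored


def redeem_reset_token(user: dict, presented: str, new_password: str) -> bool:
    """Verify the presented token against the stored hash, then clear it (one use)."""
    stored = user.get("reset_token_hash")
    if stored is None:                  # no outstanding reset, or already consumed
        return False
    candidate = hash_token(presented, user["reset_token_salt"])
    if not hmac.compare_digest(candidate, stored):
        return False
    # Invalidate first, so a replayed reset URL is rejected even if later steps fail.
    user["reset_token_hash"] = None
    user["reset_token_salt"] = None
    pw_salt = os.urandom(16)
    user["password_salt"] = pw_salt
    user["password_hash"] = hash_token(new_password, pw_salt)
    return True


if __name__ == "__main__":
    demo_user = {"username": "test_user_SiZif"}      # constructed test user
    emailed = issue_reset_token(demo_user)
    print("reset URL token:", emailed)
    print("stored hash    :", demo_user["reset_token_hash"].hex())
    print("first use ok   :", redeem_reset_token(demo_user, emailed, "NewPass1!"))
    print("second use ok  :", redeem_reset_token(demo_user, emailed, "NewPass2!"))
```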