The accounting system of SUSI.AI lets users change the password of their account. There are two ways to do this: a logged-in user can change the password by entering the current password, or a user who has forgotten the password can request a link by email through which a new password can be set. Either way, the user has to authenticate before the password can actually be changed. In the first case the current password itself is the proof of identity; in the second the user has to open the link sent to their email address, which proves control of that address. In this post we will look at how both options work on SUSI.
Password Change Service
The password change service works by sending an ajax request to the https://api.susi.ai/aaa/changepassword.json endpoint. On the server this request is handled by PasswordChangeService.java. The request carries the following query parameters:
- changepassword
- password
- newpassword
- access_token
The changepassword parameter holds the email id of the user, which the client reads from the browser cookie with the key "emailId". The password parameter holds the current password and newpassword the new one. The access_token is passed as an additional check that the session is still logged in and has not expired. The server then authenticates the user again with the email id and current password, as a final confirmation of which user the request belongs to. Note that because the request is made as a JSONP GET, both passwords travel in the URL query string rather than in a request body, so they can end up in browser history and in server or proxy logs.
```javascript
var password = this.state.currentPassword.trim();
var newPassword = this.state.newPassword.trim();
let BASE_URL = 'https://api.susi.ai';
if (!newPassword || !password) {
  return this.state.isFilled;
}
// The email id comes from the "emailId" cookie set at login.
var email = '';
if (cookies.get('emailId')) {
  email = cookies.get('emailId');
}
// All parameters, including both passwords, are sent in the query string.
let changePasswordEndPoint =
  BASE_URL +
  '/aaa/changepassword.json?changepassword=' + encodeURIComponent(email) +
  '&password=' + encodeURIComponent(password) +
  '&newpassword=' + encodeURIComponent(newPassword) +
  '&access_token=' + cookies.get('loggedIn');
if (!this.state.currentPasswordError && !this.state.newPasswordError) {
  $.ajax({
    url: changePasswordEndPoint,
    dataType: 'jsonp',
    jsonpCallback: 'p',
    crossDomain: true,
    headers: {
      Accept: 'application/json, application/xml, text/plain, text/html',
      'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
    },
    success: function(response) {
      let state = this.state;
      state.success = true;
      let msg = response.message;
      state.msg = msg;
      state.showDialog = true;
      this.setState(state);
      console.log(response.message);
    }.bind(this),
    error: function(errorThrown) {
      let state = this.state;
      state.msg = 'Failed' + errorThrown.message;
      state.showDialog = true;
      this.setState(state);
    }.bind(this),
  });
}
```
Password Recovery Service
The password recovery request goes to the https://api.susi.ai/aaa/recoverpassword.json endpoint and is handled by PasswordRecoveryService.java on the server. Unlike the change password request it carries only one parameter, forgotemail, which is the email id of the user.
```javascript
if (email && validEmail) {
  $.ajax({
    url: BASE_URL + '/aaa/recoverpassword.json?forgotemail=' + encodeURIComponent(email),
    dataType: 'jsonp',
    crossDomain: true,
    timeout: 3000,
    async: false, // note: jQuery ignores async:false for jsonp/cross-domain requests
    success: function(response) {
      let msg = response.message;
      let state = this.state;
      state.msg = msg;
      state.success = true;
      this.setState(state);
    }.bind(this),
    error: function(errorThrown) {
      let msg = 'Failed. Try Again';
      let state = this.state;
      state.msg = msg;
      this.setState(state);
    }.bind(this),
  });
}
```
Password Reset Service
Once the user has sent a request to the password recovery service, an email is sent with a link to reset the password. This link leads to the reset password page on accounts.susi.ai, which shows the reset form with the email already filled in; this confirms the id for which the reset will be made. The recovery link sent to the email has the following format.
https://accounts.susi.ai/?token=<your token here>
Note: the token in the reset URL is not the access token of the user but a separate token issued only for the password reset; the access token represents the login status of an account.
When we enter the new password in the reset form and submit it, our authenticity has already been verified by this reset token, so a final request is made to the server to actually reset the password. This request goes to the https://api.susi.ai/aaa/resetpassword.json endpoint, handled by PasswordResetService.java, and has two parameters: token (the reset token from the link) and newpass (the new password).
```javascript
// resetToken is taken from the "token" query parameter of the emailed link.
let resetPasswordEndPoint =
  BASE_URL +
  '/aaa/resetpassword.json?token=' + resetToken +
  '&newpass=' + encodeURIComponent(newPassword);
if (!this.state.confirmPasswordError && !this.state.newPasswordError) {
  $.ajax({
    url: resetPasswordEndPoint,
    dataType: 'jsonp',
    jsonpCallback: 'p',
    crossDomain: true,
    headers: {
      Accept: 'application/json, application/xml, text/plain, text/html',
      'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
    },
    success: function(response) {
      let state = this.state;
      state.success = true;
      let msg = response.message;
      state.msg = msg;
      state.showDialog = true;
      this.setState(state);
      console.log(response.message);
    }.bind(this),
    error: function(errorThrown) {
      let msg = 'Failed' + errorThrown.message;
      let state = this.state;
      state.msg = msg;
      state.showDialog = true;
      this.setState(state);
      console.log(this.state);
    }.bind(this),
  });
}
```
Resources
- Java servlets – https://en.wikipedia.org/wiki/Java_servlet
- Jquery – https://jquery.com/
- Ajax requests – https://www.w3schools.com/jquery/ajax_ajax.asp
- PasswordChangeService.java – https://github.com/fossasia/susi_server/blob/69934e49e5a62d99f1861f462b14395d9d90bc05/src/ai/susi/server/api/aaa/PasswordChangeService.java
- PasswordRecoveryService.java – https://github.com/fossasia/susi_server/blob/9b2665a231db5fe95e9f5197e1d6ed8e2fd9ca35/src/ai/susi/server/api/aaa/PasswordRecoveryService.java
- PasswordResetService.java – https://github.com/fossasia/susi_server/blob/69934e49e5a62d99f1861f462b14395d9d90bc05/src/ai/susi/server/api/aaa/PasswordResetService.java