password reset UX issues #27644
Comments
Hi there, Welcome to Laravel and we are glad to have you as part of the community. Unfortunately this GitHub area is not for ideas, suggestions etc. This is only for issues/bugs with the framework code itself. I will be closing your ticket here. You are able to open a ticket at https://github.com/laravel/ideas Alternatively you are able to open a PR using the Contributions guidelines: https://laravel.com/docs/5.7/contributions#which-branch If you feel I've closed this issue in error, please provide more information about how this is a framework issue, and I'll reopen the ticket. Thanks in advance.
How come Laravel's default Auth scaffolding not being user friendly is not an issue?
The patterns Laravel uses in its authentication scaffolding are very common. These are reasonable defaults that are easily changed if you want something different. This repository is for bug reports. The Laravel/Ideas repository is specifically for suggestions/improvements, which perfectly fits your issue.
Redirecting a user to a form with an invalid hidden input is not very common.
In my personal opinion, the current Laravel password reset workflow has some issues that might be annoying for users:
1. Double submissions invalidate tokens emailed earlier.
A user requests password resets twice. Then he/she opens the first email and clicks on its link. But unfortunately, the link is invalid and the user sees an "invalid token" error after submitting the form. I think there is no security need to invalidate the first token. For example, GitHub doesn't do that; it invalidates all the tokens after the password is successfully reset.
2. The user has to re-enter his/her email.
I also think there is no need for that either.
3. The user has to enter the new password twice.
Again, no need for that really.
4. Tokens are validated too late.
The tokens are only validated after the user has filled in 3 inputs (2 of them passwords) and submitted the form. A user who did the double submission is now frustrated and confused. Why not validate the token as soon as the user hits the reset password page, before filling in the form? Again, GitHub does this, as an example.
5. The invalid token error is redirected to the wrong form.
After an invalid-token error occurs, the user should see a different form to re-enter his email and request a new token. Seeing an error ("This password reset token is invalid") above a form that really doesn't work is not helpful.
Moreover, I think showing the user's email alongside a timer after he requests a token is helpful. During the timer countdown, the user must not be able to request a token again, unless he thinks he entered a wrong email.
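The flow described in points 1, 2, 4 and 5 above, as an added example that is not part of the issue and not Laravel's own code: a small framework-agnostic token store (written in Python rather than PHP) in which several outstanding tokens per user stay valid, the reset link is checked on GET before any form is shown, an invalid link routes to the "request a new token" view, and a successful reset consumes the token and invalidates every other token for that user. The class and function names, the one-hour lifetime and the example e-mail addresses are assumptions made for the example; tokens are stored only as SHA-256 hashes and compared in constant time, so a database read does not yield usable links.

```python
"""Minimal password-reset token store (added example, not framework code).

Assumed behaviour, not taken from any framework:
  - a token is random, stored only as its SHA-256 hash, and expires after TTL
  - several outstanding tokens for one user remain valid until one is consumed
  - a successful reset invalidates every token bound to that user
  - the reset page validates the token on GET, before rendering the form
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 3600  # assumption: links are good for one hour


@dataclass
class _Record:
    token_hash: str
    email: str
    created_at: float


class ResetTokenStore:
    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be exercised in tests
        self._records: list[_Record] = []

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Issue a fresh token without revoking earlier ones (point 1)."""
        token = secrets.token_urlsafe(32)
        self._records.append(_Record(self._hash(token), email, self._clock()))
        return token                 # the plaintext goes into the e-mail only

    def _find(self, token: str):
        now = self._clock()
        h = self._hash(token)
        for r in self._records:
            if now - r.created_at <= self._ttl and secrets.compare_digest(r.token_hash, h):
                return r
        return None

    def lookup(self, token: str):
        """Validate on GET and return the bound e-mail, or None (points 2 and 4)."""
        r = self._find(token)
        return r.email if r else None

    def consume(self, token: str) -> bool:
        """Single use: a successful reset invalidates all of this user's tokens."""
        r = self._find(token)
        if r is None:
            return False
        self._records = [x for x in self._records if x.email != r.email]
        return True


def reset_page(store: ResetTokenStore, token: str) -> dict:
    """Pick the view to render when a reset link is opened (points 4 and 5)."""
    email = store.lookup(token)
    if email is None:
        return {"view": "request_new_token",
                "error": "This password reset token is invalid."}
    return {"view": "reset_form", "email": email}


def double_submission_scenario() -> dict:
    """Replay the double-submission case from point 1 with constructed data."""
    store = ResetTokenStore()
    first = store.issue("user@example.com")   # constructed address
    second = store.issue("user@example.com")  # user clicks "reset" again
    result = {
        "first_link_still_valid": reset_page(store, first)["view"] == "reset_form",
        "reset_with_first": store.consume(first),
        "second_link_after_reset": reset_page(store, second)["view"],
    }
    return result


if __name__ == "__main__":
    print(double_submission_scenario())
```

Point 3 (confirming the new password) and the request timer from the last paragraph are deliberately outside this store: the timer is a rate limit on `issue`, which belongs in the request handler rather than in token validation.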