How long does the email template changePasswordId id last before it expires? How can invitation expiration be implemented?
-
Hello,
For future users that land on this topic, I've figured out an answer for the first question—"How long does the email template changePasswordId id last before it expires?". The
Account Created
email has a variable in it calledchangePasswordId
in it that you can use it to the reset the users password by passing it to the Change a User’s Password API. The expiration time setting for thischangePasswordId
is calledSetup Password
in the FusionAuth settings. There is a different expiration time setting for thechangePasswordId
that is returned from theStart Forgot Password Workflow
. ThatchangePasswordId
setting is calledChange Password
. Both of these expiration time settings can be adjusted in the FusionAuth UI by navigating to the advanced settings of the tenant.I've ran into some issues with the invitation flow and providing a good experience to the users of our application. One issue I'm having is that is that there is no way to distinguish an error for the
invite user flow
from an error on areset password flow
. This means that I can't display "Your invite has expired" to the user, I can only give them a generic, your invite didn't work message with no direction for recourse other than telling them that they can reset their password to get their account back. This is not a desirable behavior for our application. Please let me know if there are any solutions to this that I'm missing.The workflow I would like to achieve in our application UI is the following:
- Invites expire after 7 days
- In the list of users I can see what users have accepted the invite and which haven't
- If user's invite has expired, an admin can resend them the invite
There doesn't seem to be the concept of invites expiring in FusionAuth (Email Verification can expire, but that doesn't prevent change password requests). What I'm thinking I would need to do to achieve this is the following:
- Set
Email Verification
in the advanced tenant settings to 7 days (604800
seconds) - Store a boolean for if the password has been initially set—this will let us know if the invite has been accepted. We can call this
hasInviteBeenAccepted
. - Intercept the complete reset password API
- If 7 days have not passed, reset the password and set
hasInviteBeenAccepted
to true - If 7 days have passed and
hasInviteBeenAccepted
is false, return an error
- If 7 days have not passed, reset the password and set
- If 7 days have passed
- Remove application registration to deny login attempts
- If
hasInviteBeenAccepted
is false, display a button on the users screen for admins that allow them to resend the invite. The user will also need to be reregistered to the application.- I think the only way to resend the initial invite is to remove the user and recreate them
- Intercept the initiate password reset request
- If
hasInviteBeenAccepted
is false, return an error - If
hasInviteBeenAccepted
is true, initiate the password reset request
- If
Am I missing anything? Are there any suggestions for a better workflow for this?
Is this something that makes sense to be included as a feature of FusionAuth?
Thanks,
Stephen -
So what I'd do is control access to the application outside of the normal FusionAuth flow.
Set up a page in your application to send people an invite. Only admin users can do so. (This solves the re-sending problem as well.)
When an invite is sent, record the timestamp and the fact that the user was invited on the user object (in the
data
field. Create the user, but don't register them to the fusionauth application.When the user tries to register, it depends if you are building your own registration page or not. Given your custom needs, I'd recommend building it. In that case, you'd just see if they existed and were able to be authenticated (using the
login
api). After the loginapi
returns (it'll be a 202, since they are authenticated but not authorized for the application), check to see if the timestamp is within 7 days. If so, they're registered and fine. If not, then they are presented with an error message.As far as being able to query, if you are using elasticsearch, anything in
user.data
can be queried, so you could show all the users with aninvited
flag and ainvitedTimestamp
of less than 7 days. I don't have any examples of this elastic search query, but here's an example of how to run this against aregistration.data
field: https://fusionauth.io/docs/v1/tech/guides/advanced-registration-forms#searching-on-user-dataDoes that make sense?
An alternative is to file a feature request, but I agree, the
setupPassword
functionality isn't quite like aninvitation
feature. -
This is great, thanks Dan.
I have one question though regarding resends:
Set up a page in your application to send people an invite. Only admin users can do so. (This solves the re-sending problem as well.)
How does this solve the resend issue? When an admin hits the resend invite button, I would still have to remove the user and readd them, correct? Is that the only way to resend that invite email?
Thanks for your help.
-
@stephen said in How long does the email template changePasswordId id last before it expires? How can invitation expiration be implemented?:
Is that the only way to resend that invite email?
Ah, sorry I wasn't clear. I'm not sure you want to use the FusionAuth email templates. If you send the email yourself you'll have more granularity and control.
-
Added a feature request for this issue: https://github.com/FusionAuth/fusionauth-issues/issues/904