(Re)Setting passwords

Password (re)set flow

EVA offers a single flow for creating and resetting passwords, both of which involve the use of stencils.

On this page we cover the underlying configuration needed and the behavior to expect: the stencil template(s) for each scenario (creation or reset) and SMTP.

Although it might seem like common sense, it's important to emphasize that from a security perspective, it's best for every user to have control over their own password. This means that even Admin roles responsible for creating new users cannot set initial passwords or access other users' passwords.

Timeline

The flows mentioned in this page follow the timeline of core drop 2.0.698 and will therefore reach Production environments in EUW and ASE on July 31, 2023 and in CUS on August 1, 2023.

Password creation (new users)

Once you create a new user, a stencil called EmployeeCreated will be triggered and an email will be sent out to the new user containing its content. The stencil should at the very least include the link for creating a password, and that could look like this:

<a href='{{:SuiteUrl}}/forgot-password/{{:PasswordResetToken}}'>Set password</a>

There is however a lot more useful information your stencil could contain, such as the link validity (example: 24 hours), and of course, your own look and feel.

Useful links

Stencil configuration steps:

  • Stencil Type: Template
  • Stencil Name: EmployeeCreated
  • Stencil Destination: e-mail
  • Stencil Matching: As applicable/desired
  • Stencil Content: In the link you'll find a general sample. You can modify this to your own needs. However, as a head start, here is a specific sample for this scenario of password creation:

{#subject} Welcome to New Black {#/subject}
<body>
<p style="font-family: 'Inter', 'Helvetica', sans-serif; font-size: 14px; line-height: 22px; color: #0E1720; margin: 0em;">Hi {{>User.FirstName}},</p>
<p style="font-family: 'Sk-Modernist', 'Helvetica', sans-serif; font-weight: 700; font-size: 24px; line-height: 28px; color: #0E1720; margin: 0em;">Welcome to New Black.</p>
<p style=" width: 70%; font-family: 'Inter', 'Helvetica', sans-serif; font-size: 14px; line-height: 22px; color: #0E1720; margin: 0em; margin-top: 1em;">Thanks for registering an employee account with us, we can't wait to welcome you in our store!</p>
{{if User.SingleSignOnOnly }}
<p style=" width: 70%; font-family: 'Inter', 'Helvetica', sans-serif; font-size: 14px; line-height: 22px; color: #0E1720; margin: 0em; margin-top: 1em;">You can login on our EVA Admin Suite via this link: <a href='{{:SuiteUrl}}'>Admin Suite</a> with your SSO credentials.</p>
{{else}}
<p style=" width: 70%; font-family: 'Inter', 'Helvetica', sans-serif; font-size: 14px; line-height: 22px; color: #0E1720; margin: 0em; margin-top: 1em;">Please set a password before {{:~date(ResetExpiresAt,'DD-MM-YYYY, HH:mm', LanguageID + '-' + CountryID )}} by clicking on this link: <a href='{{:SuiteUrl}}/forgot-password/{{:PasswordResetToken}}'>Set password</a></p>
{{/if }}
<p style=" width: 70%; font-family: 'Inter', 'Helvetica', sans-serif; font-size: 14px; line-height: 22px; color: #0E1720; margin: 0em; margin-top: 1em;">See you soon.</p>
</body>

Password reset

Just as with password creation, no one can request a password reset except the user him/herself.

A password reset can be done by clicking the Forgot password button.

note

The forgot password flow can be initiated from the login page of both Admin 1.0 and Admin Suite.


It's quite straightforward, but just in case, here are the steps:

  • Click the blue Forgot password? button from the login page
  • Enter your email address
  • Click the Send password reset button

If a user exists with this email address, a password reset email will be received, and another one when the reset is completed (each only if the respective stencil is configured).
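The steps above describe the two halves of the flow: the request, which must answer identically whether or not the address belongs to an account, and the completion, which consumes the link from the email. The following is an added example, not EVA's own code, that models both halves in plain Python: the user store, the token store and the SMTP outbox are constructed in-memory stand-ins, and the 24 hour validity, the Token and ResetExpiresAt field names and the stencil names are taken from the samples on this page.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Validity window for a reset link; the page mentions 24 hours as an example.
TOKEN_VALIDITY = timedelta(hours=24)

# Constructed in-memory stand-ins for EVA's user store and mail sending
# (assumption: the real persistence and SMTP layer are not shown on the page).
USERS = {
    "alice@example.com": {"FirstName": "Alice", "SingleSignOnOnly": False, "PasswordHash": None},
    "bob@example.com": {"FirstName": "Bob", "SingleSignOnOnly": True, "PasswordHash": None},
}
RESET_TOKENS = {}   # email -> (sha256 of token, expiry); only the hash is persisted
OUTBOX = []         # captured emails, each with the stencil name and its data context

GENERIC_RESPONSE = "If an account exists for this address, a reset email has been sent."


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_password_reset(email: str, now: datetime) -> str:
    """Forgot-password entry point. The reply is identical whether or not the
    address belongs to an account, so it cannot be used to enumerate users."""
    user = USERS.get(email)
    # SSO-only users have no password to reset, mirroring the stencil's
    # {{if User.SingleSignOnOnly}} branch that omits the reset link.
    if user is not None and not user["SingleSignOnOnly"]:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        expires_at = now + TOKEN_VALIDITY
        RESET_TOKENS[email] = (_token_hash(token), expires_at)
        # Data handed to the PasswordResetRequested stencil; the field names
        # follow the page's samples (Token, ResetExpiresAt).
        OUTBOX.append({"to": email, "stencil": "PasswordResetRequested",
                       "Token": token, "ResetExpiresAt": expires_at})
    return GENERIC_RESPONSE


def complete_password_reset(email: str, token: str, new_password: str, now: datetime) -> bool:
    """Consume a reset link. Fails closed on unknown, expired or mismatching tokens."""
    entry = RESET_TOKENS.get(email)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now >= expires_at:
        del RESET_TOKENS[email]                    # expired links are purged, not kept around
        return False
    if not hmac.compare_digest(stored_hash, _token_hash(token)):
        return False
    del RESET_TOKENS[email]                        # single use: gone before the password changes
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 600_000)
    USERS[email]["PasswordHash"] = salt.hex() + ":" + digest.hex()
    OUTBOX.append({"to": email, "stencil": "PasswordResetCompleted"})
    return True


def demo() -> dict:
    """Walk through the flow with constructed inputs and report what happened."""
    RESET_TOKENS.clear()
    OUTBOX.clear()
    now = datetime(2023, 8, 1, 9, 0, tzinfo=timezone.utc)
    replies = {addr: request_password_reset(addr, now)
               for addr in ("alice@example.com", "bob@example.com", "nobody@example.com")}
    result = {"uniform_reply": len(set(replies.values())) == 1,
              "emails_sent_after_request": len(OUTBOX)}          # only Alice gets a link
    token = OUTBOX[0]["Token"]
    result["wrong_token"] = complete_password_reset("alice@example.com", "not-the-token", "correct horse battery", now)
    result["valid_token"] = complete_password_reset("alice@example.com", token, "correct horse battery", now + timedelta(hours=1))
    result["reused_token"] = complete_password_reset("alice@example.com", token, "another password", now + timedelta(hours=2))
    request_password_reset("alice@example.com", now)            # fresh link, then let it lapse
    result["expired_token"] = complete_password_reset("alice@example.com", OUTBOX[-1]["Token"], "late password", now + TOKEN_VALIDITY)
    result["emails_sent_total"] = len(OUTBOX)
    result["password_stored"] = USERS["alice@example.com"]["PasswordHash"] is not None
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two choices carry the security weight: only a hash of the token is stored, so a copy of the table does not yield working links, and the token is deleted before the new password is written, so a link can never be replayed even if the password update fails halfway.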

Password reset emails (stencils)

The password reset emails that users would receive are based on stencils which you'll need to configure.

A reset flow would usually include two stencils: Password reset requested and Password reset completed.

Password reset requested


This is the initial email received by a user requesting a password reset, the one including the password reset link.

Stencil configuration steps:

  • Stencil Type: Template
  • Stencil Name: PasswordResetRequested
  • Stencil Destination: e-mail
  • Stencil Matching: As applicable/desired
  • Stencil Content: In the link you'll find a general sample. You can modify this to your own needs. However, as a head start, here is a specific sample for this scenario of password reset:

PasswordResetRequested stencil
{#subject} Password reset requested {#/subject}
<body>
<p style="font-family: 'Inter', 'Helvetica', sans-serif; font-size: 14px; line-height: 22px; color: #0E1720; margin: 0em;">Hi {{>User.FirstName}},</p>
<p style="font-family: 'Sk-Modernist', 'Helvetica', sans-serif; font-weight: 700; font-size: 24px; line-height: 28px; color: #0E1720; margin: 0em;">Let's get you a new password</p>
<p style=" width: 70%; font-family: 'Inter', 'Helvetica', sans-serif; font-size: 14px; line-height: 22px; color: #0E1720; margin: 0em; margin-top: 1em;">Click the button below to create yourself a new password.</p>
<a href="{{>SuiteUrl}}/forgot-password/{{:Token}}" style="text-decoration: none; display: inline-block; width: auto; background: linear-gradient(180deg, #1283FF 0%, #007AFF 100%); border-radius: 6px; padding: 4px; padding-left: 16px; padding-right: 16px; margin-top: 16px;">
<p style="font-family: 'Inter', 'Helvetica', sans-serif; font-size: 14px; line-height: 22px; color: #ffffff; margin: 0em;">Reset</p>
</a>
</body>

Reset two-factor authentication

Although users can never interact with other users' passwords, a user with the proper permissions can reset another user's two-factor authentication methods. This way, a locked-out user can always be recovered via the most basic authentication flow: a password (reset).

This can be performed from within the locked-out user's profile page in the Employees section.

Password reset completed


This is the email a user receives to confirm that his/her password reset has been completed successfully.

Stencil configuration is similar to that of Password reset requested with one exception: the stencil name should read PasswordResetCompleted. The template contents are, of course, up to you.

Once again, here is a general Template example.

SMTP

Since both the password creation and the password reset flow rely on sending out emails, SMTP must be configured.

Changing email addresses

Changing an employee's email address is quite impactful, since the email address is also the username. Therefore, changing an email address is not possible (for now).

A new email address would mean a new user, and that is the route you should follow (if applicable). However, we did not lock this down completely: the email address of an existing user can still be changed, but only via a service. The service is called Recover employee account.

Multiple accounts using the same email address

If several accounts use the same email address, changing the address on one of them changes it on all of them.

Reset token

Although we do not recommend it due to the obvious security issues, it's possible to (re)introduce a password reset token in the Profile of other users.

This allows a user to create a token from within another user's profile, with which that other user can then log in. This can be used in case of a forgotten (or unconfigured) password.

This can be enabled by setting Security:Password:AllowTemporaryForEmployees to true.

Recover employee account

If all else fails, there is one service that can be used to recover any account: it allows you to change an email address and/or generate a temporary password for employee accounts.

The service is called RecoverEmployeeAccount and can only be accessed via the API by users who have the associated RecoverEmployeeAccount functionality.

tip

With great power comes great responsibility; therefore, be sure to only assign this functionality to users who are allowed to gain access to all accounts.

Password security policies

A few policies apply when it comes to (re)setting passwords, and users are notified when a password violates them. In general, a password is considered valid when it contains 8 or more characters (excluding spaces) and does not exceed 1024 characters.

The following are possible responses you can expect, with a brief explanation to each:

  • UserOrPasswordInvalid: “User or password is not valid.”
  • NewPasswordIsRequired: “New password is required.”
  • TooShort: “Password is too short - it must be at least 8 characters.”
  • PasswordAuthenticationDisabled: “Password authentication is disabled for this user.”
  • TooLong: “Password is too long - 1024 seems like a decent enough length for a strong password, right?”
  • Pwned: “This password has been found in one or more breaches and should not be used! Visit Have I Been Pwned for more information.”
  • PwnedUnavailable: “Password safety check could not be performed.”

note

Please refer to the ChangeUserPassword service in case of newly added responses.
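To make the policy list above concrete, here is an added example (not EVA's code) of a validator that returns the response names listed on this page. It applies the length rules as stated (the minimum is counted without spaces) and performs the breach check the way the Have I Been Pwned range API works: only the first five hex characters of the password's SHA-1 leave the system and the match is done locally. The name "Ok" for a passing password, the `sso_only` parameter and the offline lookup with its sample counts are assumptions constructed for the example; the real HTTPS lookup at the bottom is included for reference but is not called.

```python
import hashlib
import urllib.request
from typing import Callable, Optional

MIN_LENGTH = 8      # counted without spaces, as the page states
MAX_LENGTH = 1024

# A range lookup takes the first five hex characters of the password's SHA-1 and
# returns the "SUFFIX:COUNT" lines the Pwned Passwords range API answers with.
# Only the prefix ever leaves the system, which is the k-anonymity property.
RangeLookup = Callable[[str], str]


def is_pwned(password: str, lookup: RangeLookup) -> bool:
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix and int(count or 0) > 0:
            return True
    return False


def validate_password(new_password: Optional[str], lookup: RangeLookup, sso_only: bool = False) -> str:
    """Return one of the response names listed on the page, or "Ok" (assumed
    name for a password that passes every check; the page lists only failures)."""
    if sso_only:
        return "PasswordAuthenticationDisabled"
    if not new_password:
        return "NewPasswordIsRequired"
    if len(new_password.replace(" ", "")) < MIN_LENGTH:
        return "TooShort"
    if len(new_password) > MAX_LENGTH:
        return "TooLong"
    try:
        breached = is_pwned(new_password, lookup)
    except Exception:          # outage, timeout, bad status: report it rather than silently skip
        return "PwnedUnavailable"
    return "Pwned" if breached else "Ok"


# ---- constructed stand-ins for the real range API, so the example runs offline ----
BREACHED_SAMPLE = {"password": 3730471, "123456789": 7870694}   # constructed counts, not HIBP data


def offline_lookup(prefix: str) -> str:
    """Mimic a range response: every sample hash sharing the prefix, plus filler."""
    lines = []
    for pw, count in BREACHED_SAMPLE.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    lines.append("0" * 35 + ":1")     # unrelated constructed filler line
    return "\n".join(lines)


def failing_lookup(prefix: str) -> str:
    raise ConnectionError("constructed outage of the range API")


def hibp_lookup(prefix: str) -> str:
    """Real lookup against the public range endpoint (not used in the demo)."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ["", "a b c d e f g", "x" * 1025, "password", "correct horse battery staple"]:
        print(repr(candidate[:20]), "->", validate_password(candidate, offline_lookup))
    print("during outage ->", validate_password("correct horse battery staple", failing_lookup))
```

The `"a b c d e f g"` case shows why the page's "excluding spaces" wording matters: the string is 13 characters long but only 7 count, so it is rejected as TooShort. The outage case returns PwnedUnavailable instead of "Ok", so the caller can decide whether to block or warn; silently treating an unreachable check as a pass would be the unsafe default.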