Password reset

Metrici's password reset feature automates the resetting of user passwords.

Password reset process

In outline, the process involves:

  • The user enters their email on the password reset page.
  • Metrici looks up the user with that email address.
  • Metrici looks up the owner or owners of the user, i.e. all users with own-users authority over the user's owning user group. These are the people who can reset the password for the user and who should be contacted if there are any difficulties.
  • The user is informed that they have been sent an email to reset their password, and who they should contact if they have difficulties.
  • The user is sent an email with a link to reset their password. The link contains a short-lived (1 hour) single-use session token and redirects the user to the password reset landing page. This directs the user to a password reset page or shows a message indicating their password reset is invalid.
  • The owners are also sent an email informing them of the password reset attempt.
  • If there are multiple users with the same email, the above processing is repeated for each user.

The password reset processing is carried out by the ResetPassword service. For security reasons, this service is not authorised for access through the service interface. The service also provides system-wide configuration, including a list of users who should not be considered as contacts, so that users such as account authorities are not emailed on every reset request.
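As an added illustration (not Metrici's own code), a minimal model of the single-use, one-hour token behaviour described above: a token succeeds at most once, an expired token is rejected, and only a digest of each token is stored. The token format, the hashed storage and the landing-page path are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_LIFETIME_SECONDS = 3600  # the page states the link is valid for one hour

class ResetTokenStore:
    """Single-use reset tokens (hypothetical design, not Metrici's own).
    Only a SHA-256 digest of each token is kept, so reading the store
    does not yield a usable reset link."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised
        self._tokens = {}    # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh random token for the user and return it once."""
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + TOKEN_LIFETIME_SECONDS
        self._tokens[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token):
        """Return the user id if the token is known, unused and unexpired,
        else None. The entry is popped before the checks, so a token can
        never succeed twice and an expired one is discarded on first use."""
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id

def build_sign_in_link(root_path, token):
    """The ${signInLink} value; the landing-page path is an assumption."""
    return f"{root_path}password-reset?token={token}"
```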

Customising password reset

The password reset emails are controlled using properties mostly set on the account of the user.

Set the Disable Password Reset property to true on the user properties or the account properties to disable the password reset emails. This is used for administrative accounts to remove the possibility of account takeover using an email intercept. It can be set for an account or for individual users where clients do not want the email-based password reset feature.

Use the Password reset owner email address account property to change the list of owners/contacts. This list can be comma- or newline-delimited. Each person can be identified by email address alone, or by name and email address using the format Person Name <person.name@somewhere.com>.

Use the Password reset email template account property to control the password reset email. The default email template is:

${applicationName} password reset
<p>You have requested a reminder of your user id and a password reset for the ${applicationName} service at ${rootPath}</p>
<p>Your user id is ${userLogonReference}</p>
<p>Click on the link below to reset your password.</p>
<p><a href="${signInLink}" data-l10n-id="system-password_reset-resetPasswordLinkCaption">Reset password</a></p>
<p>If you have difficulty using the link, paste this address into your browser:</p>
<p>${signInLink}</p>
<p>You may only use this link once, and you must use it within one hour of requesting the password reset.</p>
${contactDetails}
<p>If you have not requested a password reset please contact support so that they can investigate. Look for support contact details on <a href="${rootPath}">${rootPath}</a>/</p>
<p>Thank you</p>

The first line of the email is the subject.

The remainder of the email may contain placeholders encoded as ${..} sequences. The placeholders are listed below.

Use the Password reset owner email template account property to control the email sent to the owners. The default email template is:

${applicationName} password reset for ${userName}
<p>${userName} (${userEmailAddress}, user id ${userLogonReference}) has requested a password reset for the ${applicationName} service at <a href="${rootPath}">${rootPath}</a></p>
<p>They have been sent instructions to reset their own password, but they might ask you for help. You can reset their password for them using the Settings screens in ${applicationName}.</p>
<p>Please contact support if you need assistance.</p>
<p>Thank you.</p>

The available placeholders for the email templates are:

applicationName The name of the application, read from the current theme.
userName The name of the user whose password is being reset.
userEmailAddress The email address of the user whose password is being reset.
userLogonReference The logon reference (user id) of the user whose password is being reset.
rootPath The server address, e.g. https://www.metrici.com/
signInLink Link that the user should follow to reset their password.
contactDetails Details of who to contact if there are difficulties. This may be blank.
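An added example (not Metrici's own code) of the two pieces of processing these settings imply: parsing the owner/contact list in the comma- or newline-delimited "Person Name <address>" format, and substituting the ${..} placeholders into a subject-plus-body template. The sample list, the short template, the do-not-contact set and the HTML escaping of substituted values are assumptions.

```python
import html
import re
from string import Template

# Constructed sample in the page's owner-list format: comma or newline
# delimited, each entry an address or "Person Name <address>".
OWNER_LIST = ("Alice Owner <alice.owner@example.com>, bob@example.com\n"
              "Carol Admin <carol.admin@example.com>")

# Constructed template: first line is the subject, placeholders are ${..}.
USER_TEMPLATE = ("${applicationName} password reset\n"
                 "<p>Your user id is ${userLogonReference}</p>\n"
                 "<p><a href=\"${signInLink}\">Reset password</a></p>\n"
                 "${contactDetails}")

_NAMED = re.compile(r"^\s*(?P<name>[^<>,]*?)\s*<(?P<email>[^<>\s]+@[^<>\s]+)>\s*$")
_BARE = re.compile(r"^\s*(?P<email>[^<>\s,]+@[^<>\s,]+)\s*$")

def parse_owner_list(text, excluded=()):
    """Return [(name, email)] for each entry. 'excluded' models the
    ResetPassword service's list of users not to contact (an assumption)."""
    contacts = []
    for entry in re.split(r"[,\n]", text):
        if not entry.strip():
            continue
        m = _NAMED.match(entry) or _BARE.match(entry)
        if m is None:
            raise ValueError(f"unrecognised contact entry: {entry!r}")
        email = m.group("email").lower()
        if email in excluded:
            continue
        name = m.groupdict().get("name") or email  # bare address: name = email
        contacts.append((name, email))
    return contacts

def contact_details(contacts):
    """Build the ${contactDetails} fragment; blank when nobody can be contacted."""
    if not contacts:
        return ""
    people = ", ".join(f"{html.escape(n)} ({html.escape(e)})" for n, e in contacts)
    return f"<p>If you have difficulties, contact: {people}</p>"

def render_email(template, values, raw=("contactDetails",)):
    """Return (subject, body). Values are HTML-escaped unless listed in 'raw',
    so a stored user name cannot inject markup into the message body."""
    safe = {k: v if k in raw else html.escape(str(v)) for k, v in values.items()}
    subject, body = template.split("\n", 1)  # the first line is the subject
    return (Template(subject).safe_substitute(safe),
            Template(body).safe_substitute(safe))
```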

Translating password reset

Translating the password reset is slightly complicated.

The password reset screens (not emails) are translated using the language pack specified by the Language pack reference property on the current theme (not the user's current theme, if that is different, since the user is not signed in), using cookies or browser preferences to identify the user's language.

The emails are translated using the language pack specified on the user's theme, using the language settings set for the individual user.

In most cases these will be the same. However, the translation languages may differ. For example, if a French user uses a colleague's PC to request a password reset, they may see the screens in English and receive the emails in French.

The password reset screens and emails use localization ids. Additional ids hold the subject and body of the emails:

  • system-password_reset-emailSubject and system-password_reset-emailMessage are used for the user email.
  • system-password_reset-ownerEmailSubject and system-password_reset-ownerEmailMessage are used for the owner email.