Enhancement: Add Logic for Hashed uidb64 and Token with 6 digits for password reset in mobile applications built with Kotlin or Java or Flutter
Ronnie-Leon76 opened this issue
Problem Statement:
The current implementation of password reset in the Dj_rest_auth repository exposes the uidb64 and token directly in the URL parameters when making a request to the /auth/password-reset-confirm/{uidb64}/{token}/ endpoint. This can potentially expose sensitive information, and there is a need to enhance security by introducing a mechanism to hash the uidb64 and token with a short-lived 6-digit code.
Proposed Solution:
I propose adding logic to hash the uidb64 and token with a secure algorithm, sending the 6-digit code to the user's email address when initiating a password reset from a mobile app. This hashed information will be decoded back to the original uidb64 and token on the mobile app before making a POST request to the following endpoint: /auth/password-reset-confirm/{uidb64}/{token}/
Implementation Steps:
- Introduce a hashing mechanism for uidb64 and token in the PasswordReset class implementation, so that a 6-digit code is sent to the user's email address instead.
- Implement corresponding logic in the mobile application to decode the 6-digit code into its corresponding uidb64 and token.
- Update documentation to reflect the changes in the password reset process.
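As an added example (not code from this issue or from dj-rest-auth): a hash of uidb64 and token cannot be inverted on the device, so the usual way to realise a 6-digit reset code is a server-side store that binds a short-lived, single-use random code to the (uidb64, token) pair and lets the app exchange the code for that pair before calling the existing confirm endpoint. ResetCodeStore, PendingReset and the TTL/attempt constants are hypothetical names; the in-memory dict stands in for Django's cache or database.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # short-lived: 10 minutes
MAX_ATTEMPTS = 5         # only 10**6 codes exist, so misses must be capped


@dataclass
class PendingReset:
    uidb64: str
    token: str
    expires_at: float


class ResetCodeStore:
    """Hypothetical store mapping a 6-digit code to the (uidb64, token) it replaces."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key       # server-side secret keying the lookup HMAC
        self._now = now              # injectable clock so expiry is testable
        self._pending: dict[str, PendingReset] = {}
        self._attempts: dict[str, int] = {}

    def _lookup_key(self, email: str, code: str) -> str:
        # Records are keyed by HMAC(email:code); a leaked store holds no usable codes.
        msg = f"{email.lower()}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, email: str, uidb64: str, token: str) -> str:
        """Bind a fresh CSPRNG 6-digit code to the pair; the code goes in the email."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[self._lookup_key(email, code)] = PendingReset(
            uidb64, token, self._now() + CODE_TTL_SECONDS)
        self._attempts[email.lower()] = 0
        return code

    def redeem(self, email: str, code: str):
        """Return (uidb64, token) once for a valid, unexpired code; else None."""
        email = email.lower()
        if self._attempts.get(email, 0) >= MAX_ATTEMPTS:
            return None                      # locked out after too many misses
        record = self._pending.get(self._lookup_key(email, code))
        if record is None or record.expires_at < self._now():
            self._attempts[email] = self._attempts.get(email, 0) + 1
            return None
        del self._pending[self._lookup_key(email, code)]   # single use
        self._attempts.pop(email, None)
        return record.uidb64, record.token
```

The mobile app would submit the emailed code to a new exchange endpoint backed by redeem(), then POST the returned pair to /auth/password-reset-confirm/{uidb64}/{token}/ as today.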