TWiki password reset by email

Only applies to pre-Dakar TWiki releases

What is it about

Before the Dakar (TWiki 4.0) release, the 'reset password' system in TWiki required manual actions by the administrator(s) of the machine. That is, the ResetPassword form only provides a user with the encrypted hash of the wanted password. The user must, then, send this encrypted hash to the admin(s), so that they can write it manually into the .htpasswd file. Here, I provide files and documentation for a system which performs this function automatically, without any intervention from the site admins.

Reference : there has been discussion on this topic on twiki.org, see TWiki:Codev/EmailResetPassword.

How it's done

Simply, the ResetPassword is updated so that it asks only for the WikiName^? of the user. Then, this username is given as a URL parameter to a script (in the TWiki "bin" directory) which generates a new password, sends it to the email address found in the HomeTopic^? of the user, and writes the hash of the new password in the appropriate format into TWiki's .htpasswd file.

Requirements

This system only works if you're using the BasicAuthentification^? system of TWiki (that is, the one using .htpasswd files). Also, if your TWiki installation is running with https connection, the security of this is questionnable, since the password is sent without any encryption to the user. If you're running in normal plain http mode, you don't care about that anyway You need the perl package Net::SMTP to be installed in your machine.

This has been tested on TWiki:Codev/TWikiRelease01Sep2004 and TWiki:Codev/TWikiBetaRelease2004x10x30. It will be maintained to work with Dakar, sure.

Installation

1. Copy the passwdreset script into the "bin" directory of your TWiki installation ; alternatively, you can copy the french passwdreset, and rename it to passwdreset. Make sure this script is readable and executable by the apache user (e.g. www-data). You should also edit this same file in order to set the variable $SMTP_SERVER with the address of your SMTP server ('localhost' should work in many cases).
2. Copy the oopsresetpassword.tmpl file into the "templates" directory of your TWiki installation. Make sure the file is readable by the apache user (e.g. www-data).
3. Apply (with the 'patch' command) the two .diff files (this one and this one) to the "lib/TWiki/User.pm" and "lib/TWiki/HtPasswdUser.pm" files, respectively, of your TWiki installation.
4. Edit the ResetPassword topic of your TWiki, and put something like ResetPassword.txt. A french version is on ResetPassword.
5. It should be working

Possible problems

This system should work with any recent version of TWiki. It may, nevertheless, happen that the application of the patches fail, because of minor modifications on the to-be-patched files. Or, maybe, the passwdreset script encounters another problem while it is running because of API changes in TWiki. In any case, if there are problems, contact DjRom .

Limitations

The main limitation is the need of Net::SMTP, but this can be easily overcome by a little patching. Patches welcome

-- DjRom - 07 Apr 2005