"Change password" flow

Klaas_Klever · May 19, 2021, 3:09pm

I want to implement a “change password” flow in UI Builder. A logged-in user should be able to change her current password. As a prerequisite, she must enter the currently valid password.
I found this previous post for this topic:

There, the solution proposed is to use the login API to verify the current password. My question:
Does the number of logins for this user pile up? So, if the user is changing her password 3 times, it is counted as 4! simultaneous logins?
Is it possible somehow to figure out how often a certain user is logged-in?

Regards,

mark-piller · May 19, 2021, 4:23pm

Hi Klaas,

Yes, in that scenario the number of concurrent logins for a user will add up. There is no API to get the number of active logins per user. I will open an internal improvement ticket to provide the API to verify user’s password. The API will be restricted only to business logic (Cloud Code) for security reasons.

Regards,
Mark

Klaas_Klever · May 19, 2021, 4:56pm

Makes sense. A “simple” verification API without side effects.
Thanks

Klaas_Klever · June 21, 2021, 12:38pm

When implementing this “change password” flow, I ran into an issue.
Here is my block-code:

If the “old password” is correct, login works fine and the userObject is returned. Then, I’m changing the passwrd field in userObject to the new value and use the “Update User” block to change the password in the user database. At this point the code is running into an exception with the error

Error: Session timeout. Url: <https://eu-api.backendless.com/.../page/session_expiration/index.html>
    at new ResponseError (sdk.js:14)
    at checkStatus (sdk.js:14)

However, the password has been updated correctly in the database!

Any ideas what I’m doing wrong here?

mark-piller · June 21, 2021, 12:49pm

Hi Klaas,

Could you please check where exactly the error is thrown? Is it from the “Update User” block?

Regards,
Mark

Klaas_Klever · June 21, 2021, 1:45pm

Hi Mark,
The exception is thrown, if I try to send a notification email.
Here is my complete code:

The last printed message is “Component toggeled!”. The email is not sent, so it seems that the Send Email block is causing the exception.

Just as a cross-test: if I’m replacing the block “set userObject to Login user …” with “set userObject to Get current user”, then the code runs through and the notification email is sent.

Thanks

mark-piller · June 21, 2021, 2:13pm

I believe the problem occurs because when the user’s password in the database is updated, the current user session (i.e. user-token) is invalidated. To circumvent the problem, try doing user login right after you update the user - that will refresh the user token in the app.

Regards,
Mark

Klaas_Klever · June 21, 2021, 2:24pm

The user login is done as a workaround to check the validity of the current password, I.e. to prove the identity of the one who wants to change the password.
That’s why I don’t want to update the user DB with a new password before knowing that the right person is requesting the change.

I think a clean solution would be really an API that just validates the current password without side effects (as concluded above already)

mark-piller · June 21, 2021, 2:29pm

Password verification is available in Codeless, but it can be used only from Cloud Code.

Klaas_Klever · June 21, 2021, 2:42pm

OK. Password Verification - Backendless SDK for JavaScript API Documentation
I didn’t see this API earlier. Maybe it is new?
I will use this API for sure.
Thanks

mark-piller · June 21, 2021, 2:49pm

Yes, the doc was recently updated to include this information.

Regards,
Mark