password reset

Hey Rene,

I vaguely remember starting to work on something for someone a long while ago but they suddenly dropped off the radar. It is not a feature I’m excited about writing to be honest. I’m concerned that it adds risk as it would be the first feature to do any writing to the external database.

It gets more complicated as we’re starting to talk about syncing. At the moment, when you login to WordPress we create (or update) a user from the external database in WordPress’ database. Every time the user logs in from the external database we update the information. That does mean that if a user updates their password on the external system it doesn’t immediately update in WordPress – only when they next try to login. If the external password is unobtainable, due to a failed request or the database being down, the user is then able to login to WordPress with the old password. This is why I added the disable local login feature for those that want to prevent local login and ensure that the user is always using the password in the external database.

I think I would similarly have to enforce the use of this strict link to do this as, if a password change was requested in WordPress I would first have to make sure that the password matched the requirements in WordPress and then firstly update it in the external database, ensure that was successful before updating in WordPress. Otherwise if the request failed we’d have passwords out of sync.

It also raises the question of if other information (such as e-mail address) is updated in WordPress, should this be synced. This adds a lot more complexity which I won’t go in to now. At the moment, any of the data that is pulled from the external database will always write over what is in WordPress when the user next logs into WordPress.

As another thought if both WordPress and the External Database are currently in use – often the external database will have a reset password flow. A tidier solution for some users would be to modify the reset password feature within WordPress and replace it with a button that links the user to the external systems reset password flow. This is better in a lot of ways as this means only one reset password flow is managed. There are different ways to reset a password so it is probably best to only have one system handle this. I could understand however that some people would rather have WordPress be the way to handle this.

Wow I’ve really rambled at you ?? Apologies. This was mostly me just thinking out loud regarding how this would even be tackled but I wanted to voice as I’d be interested in the perspective of yourself and other users.

To be completely honest, If I do work on this feature, I think it would be the first feature I would add to a pro version of the plugin due to the time it’ll take to write and support.

Please let me know your thoughts Rene,

Thanks,

Tom ??

Hi Tom,
I think you are right. Keeping a read-only approach for your plugin is probably a better idea. Otherwise I am worried you are going to open a can of worms…
I will manage the reset on my side using lostpassword_url hook.
Anyway, thanks for your hard work. Truly appreciated.
Rene
PS: did you receive the $50 through Paypal?

I did Rene – I really appreciate it – thank you very much! ??

I promise you it will only go towards the best beer! ??

I’ll mark this as resolved for now however I’m sure someone will ask me to re-open this in the future.

Thanks again and good luck with your project,

Tom

Hey @ketr64,

Just a small update regarding this post.

I’ve decided to release a Pro version of the plugin. I will not be starting any work on that until I have resolved your current issue with you.

However, I wanted you to know that this could possibly be a feature that I implement.

I will keep you posted but feel free to come back to me and query if you haven’t heard anything for a while.

I may also come back to your for advice on what you’d expect from the feature.

Will try and keep you posted ??