How to prevent user from requesting password reset link multiple times in a row?

Basically, title

My first idea was to check the [coronium].[cc_users_pw_reset] table to see if a record already exists and its sent_on value is less than 15 minutes old. But when I try to access the coronium database from the server side I get the error:

Error occured:Unauthorized database

Any way to implement this?

My current code:

    local record, err = core.mysql.selectOne("coronium", {
      tbl = "cc_users_pw_reset",
      where = { email = params.email },
    })
    if err then
      print("error occurred", err)
      return core.error(err)
    else
      -- check for existing link goes here
    end
    local res, err = core.users.sendPasswordResetLink(...)

Hi,

Generally this is something handled on the client side. If I remember correctly you are automating the login?

As far as the Coronium side there is nothing that can help with this. You could store a file with a timestamp or something. The other possibility is to use a separate database/table and associate a record with the user id and use that as a check mechanism.

One thing to note is that a password reset does not create a new entry each time one is requested; it only updates the reset link if a request already exists in the database, so in reality it's not that big of an issue. An email needs to be provided by the user, so your reset password would/should be in a separate area.

My guess is that since you are automating the login, the user can click a button repeatedly because they don't have to enter an email address. Again, this is something you would need to handle on the client side.

Modifying the Coronium Core administrative database is not supported nor recommended because there may be changes to the structure in future updates, and you would not be able to update your instance any longer.

Hope that helps.

-dev

Ok, I understand why modifying the administrative database is not supported.

One thing to note is that a password reset does not create a new entry each time one is requested; it only updates the reset link if a request already exists in the database, so in reality it's not that big of an issue.

Yes, but I just want to prevent multiple emails being sent to one email.

So my current solution is to store "last time reset link sent" in the user.extra field to prevent many emails.
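The server-side cooldown this solution describes, written out as an added example that is not part of the thread or of Coronium Core: the timestamp of the last link sent is kept per e-mail (an in-memory dict stands in for the user.extra field), a second request inside the 15-minute window sends nothing, and the timestamp is only recorded after the mail function actually succeeded. The `send` callback is an assumed stand-in for `core.users.sendPasswordResetLink`.

```python
import time

COOLDOWN_SECONDS = 15 * 60  # the 15-minute window discussed in the thread


class ResetThrottle:
    """Per-e-mail cooldown for password reset links.

    `store` maps a normalised e-mail address to the epoch time the last
    link was sent; here it is a plain dict (constructed stand-in for
    persisting the value in the user's extra field).
    """

    def __init__(self, cooldown=COOLDOWN_SECONDS, store=None):
        self.cooldown = cooldown
        self.store = {} if store is None else store

    def request(self, email, send, now=None):
        """Send a reset link unless one went out within the cooldown.

        `send(email)` is the assumed mail function; it is only called when
        the window has expired, and the timestamp is only updated after it
        returns without raising, so a failed delivery does not lock the
        user out for another 15 minutes.
        """
        now = time.time() if now is None else now
        key = email.strip().lower()  # "User@X" and "user@x" share one window
        last = self.store.get(key)
        if last is not None and 0 <= now - last < self.cooldown:
            # Still inside the window: no mail, report when it reopens.
            return {"sent": False, "retry_after": self.cooldown - (now - last)}
        send(email)
        self.store[key] = now
        return {"sent": True, "retry_after": self.cooldown}
```

Whatever `request` returns, the response handed back to the client should be the same generic "if that address exists, a link was sent" message in both cases, so the cooldown does not reveal whether an account exists.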

So my current solution is to store "last time reset link sent" in the user.extra field to prevent many emails.

That's a great solution. :slight_smile:

-dev