{"id":16834922,"url":"https://github.com/dchest/passwordreset","last_synced_at":"2025-03-17T04:32:38.580Z","repository":{"id":57483284,"uuid":"1623035","full_name":"dchest/passwordreset","owner":"dchest","description":"[DEPRECATED] Go package passwordreset implements creation and verification of secure tokens useful for implementation of \"reset forgotten password\" feature in web applications. ","archived":false,"fork":false,"pushed_at":"2019-08-26T08:00:14.000Z","size":14,"stargazers_count":78,"open_issues_count":0,"forks_count":15,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-02-27T18:01:28.941Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dchest.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2011-04-16T13:55:25.000Z","updated_at":"2022-12-10T21:44:23.000Z","dependencies_parsed_at":"2022-08-27T21:02:07.166Z","dependency_job_id":null,"html_url":"https://github.com/dchest/passwordreset","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchest%2Fpasswordreset","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchest%2Fpasswordreset/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchest%2Fpasswordreset/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dchest%2Fpasswordreset/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dchest","download_url":"https://codeload.github.com/dches
t/passwordreset/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243841898,"owners_count":20356570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T12:08:23.545Z","updated_at":"2025-03-17T04:32:38.291Z","avatar_url":"https://github.com/dchest.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"Package passwordreset\n=====================\n\n\timport \"github.com/dchest/passwordreset\"\n\nPackage passwordreset implements creation and verification of secure tokens\nuseful for implementation of \"reset forgotten password\" feature in web\napplications.\n\nThis package generates and verifies signed one-time tokens that can be\nembedded in a link sent to users when they initiate the password reset\nprocedure. 
When a user changes their password, or when the expiry time\npasses, the token becomes invalid.\n\nSecure token format:\n\n\texpiration time || login || signature\n\nwhere expiration time is the number of seconds since Unix epoch UTC\nindicating when this token must expire (4 bytes, big-endian, uint32), login\nis a byte string of arbitrary length (at least 1 byte, not null-terminated),\nand signature is 32 bytes of HMAC-SHA256(expiration_time || login, k), where\nk = HMAC-SHA256(expiration_time || login, userkey), where userkey =\nHMAC-SHA256(password value, secret key), where password value is any piece\nof information derived from the user's password, which will change once the\nuser changes their password (for example, a hash of the password), and secret\nkey is an application-specific secret key.\n\nPassword value is used to make tokens one-time, that is, once a user changes\ntheir password, the token they used to do the reset becomes invalid.\n\nUsage example:\n\nYour application must have a strong secret key for password reset purposes.\nThis key will be used to generate and verify password reset tokens.  (If you\nalready have a secret key, for example, for the authcookie package, it's\nbetter not to reuse it; use a different one.)\n\n\tsecret := []byte(\"assume we have a long randomly generated secret key here\")\n\nCreate a function that will query your user database and return some\npassword-related value for the given login.  A password-related value means\nsome value that will change once a user changes their password, for example:\na password hash, a random salt used to generate it, or the time of password\ncreation.  
This value, mixed with the app-specific secret key, will be used as the\nkey for the password reset token, so it must be kept secret.\n\n\tfunc getPasswordHash(login string) ([]byte, error) {\n\t\t// return password hash for the login,\n\t\t// or an error if there's no such user\n\t}\n\nWhen a user initiates password reset (by entering their login, and maybe\nanswering a secret question), generate a reset token:\n\n\tpwdval, err := getPasswordHash(login)\n\tif err != nil {\n\t\t// user doesn't exist, abort\n\t\treturn\n\t}\n\t// Generate reset token that expires in 12 hours\n\ttoken := passwordreset.NewToken(login, 12 * time.Hour, pwdval, secret)\n\nSend a link with this token to the user by email, for example:\nhttps://www.example.com/reset?token=Talo3mRjaGVzdITUAGOXYZwCMq7EtHfYH4ILcBgKaoWXDHTJOIlBUfcr\n\nOnce a user clicks this link, read the token from it, then verify this token\nby passing it to the VerifyToken function along with the getPasswordHash\nfunction and an app-specific secret key:\n\n\tlogin, err := passwordreset.VerifyToken(token, getPasswordHash, secret)\n\tif err != nil {\n\t\t// verification failed, don't allow password reset\n\t\treturn\n\t}\n\t// OK, reset password for login (e.g. 
allow the user to change it)\n\nIf verification succeeded, allow the password for the returned login to be\nchanged.\n\n\nVariables\n---------\n\n\tvar (\n\t    ErrMalformedToken = errors.New(\"malformed token\")\n\t    ErrExpiredToken   = errors.New(\"token expired\")\n\t    ErrWrongSignature = errors.New(\"wrong token signature\")\n\t)\n\n\n\tvar MinTokenLength = authcookie.MinLength\n\nMinTokenLength is the minimum allowed length of a token string.\n\nIt is useful for avoiding DoS attacks with very long tokens: before passing\na token to the VerifyToken function, check that it has length less than [the\nmaximum login length allowed in your application] + MinTokenLength.\n\n\nFunctions\n---------\n\n### func NewToken\n\n\tfunc NewToken(login string, dur time.Duration, pwdval, secret []byte) string\n\t\nNewToken returns a new password reset token for the given login, which expires\nafter the given time duration since now, signed by the key generated from the\ngiven password value (which can be any value that will be changed once a user\nresets their password, such as a password hash or the salt used to generate\nit), and the given secret key.\n\n### func VerifyToken\n\n\tfunc VerifyToken(token string, pwdvalFn func(string) ([]byte, error), secret []byte) (login string, err error)\n\t\nVerifyToken verifies the given token with the password value returned by the\ngiven function and the given secret key, and returns the login extracted from\nthe valid token. If the token is not valid, the function returns an error.\n\nFunction pwdvalFn must return the current password value for the login it\nreceives as an argument, or an error. If it returns an error, VerifyToken\nreturns the same error.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdchest%2Fpasswordreset","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdchest%2Fpasswordreset","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdchest%2Fpasswordreset/lists"}