brainCloud Forums
Jake Simpson (@Jake Simpson)
Posts: 3, Topics: 2, Groups: 0, Followers: 0, Following: 0

Posts

  • Password content specification?
    Jake Simpson

    Thinking about this some more, perhaps having a specification of what is required in a password is a step too far?

    Honestly, these days, a single-step validation to ensure that passwords are:

    • At least 8 characters long

    • Have a capital letter included

    • Have a number included

    • Have one of the 'special characters' (e.g. + or - or , or . or ! or ? or % or # or @ or = or whatever you guys decide the special characters to be) included

    would probably be enough? Perhaps a check box (off by default, because existing applications that are already released should NOT have this turned on, because then it would invalidate all the existing passwords they have, plus it's probable that the existing clients aren't enforcing this) on the BrainCloud application definition side that says "Enforce Password Specification Requirements", with those requirements spelled out, and a new bit of text in the default email being sent out that details password requirements would be all that is required?

    Obviously it means some JS work on the password reset form inside of BC, to validate a new password and tell the user that they are in error, if this flag is turned on, but it would be a REALLY good thing for security going forward.

    Thanks


  • Timeout for email validation?
    Jake Simpson

    I ran into an interesting issue with email account validation yesterday.

    I had SendGrid set up against my Braincloud account, for email validation and password reset needs. This used to work.

    Tried it again yesterday, and no email!

    I tracked it down to SendGrid having canceled my account, due to inactivity (we made all this work at the start of the project, created test accounts, and then never really needed to revisit this system in terms of usage. SendGrid saw that and helpfully closed our account for us, because we hadn't used it in a while!)

    Anyway, I sorted this out, created a new account, reset Braincloud for the new API key, and was able to create a new account with email validation for new email addresses.

    However, the existing login request, with the ForceCreate set to true, is still in the system. If I try creating a new account with this same email address, I get no email - the back end error logs are telling me that it's waiting on email verification, which will never happen because there was no email sent out for me to reply to, to validate.

    Does the ForceCreate flag, when used on Login, that forces the system to create an account have a timeout? Like a couple of days? It would be great if that were the case. The default verification email I got for other accounts does NOT mention a time out period (most systems like this tell you in the email that the link is only valid for X days or hours, indicating that the back end has a timeout if the email is not validated in that time period.)

    Is there some mechanism in place here? And if so, how long is it? And if not, could there be?

    The problem is that there is no way to actually alleviate the blockage once it hits. There's nothing in the CSR tools that allows me to unblock an account create on a profile that doesn't actually exist yet, but that is in the system in terms of waiting for validation to create. My simply trying to create the account again doesn't do anything since the system is already waiting for a response to an email that was never sent. Without a time out (or perhaps resending the Validation Required email every time a login with ForceCreate = true is encountered), this basically places an account in limbo.

    I am informed that operators on your end can resolve this, but in the case of a successful game that has email interruptions (SendGrid issues you can't control or be aware of), this basically means one person fixing possibly thousands and thousands of account requests that get stuck in limbo? Not a very tenable solution.

    So yeah, my request would be either
    a) A time out, where the request is canceled on the back end within X days/Hours (and that is reported in the default email, so if you come across an email from a while ago, you know the link is already dead)
    or
    b) Resend the email every time you see a new request for login with ForceCreate = true, regardless of whether there is a validation request already in the system.

    Preferably both, just to be sure the problem is resolvable.

    Thanks


  • Password content specification?
    Jake Simpson

    Is it possible to force a requirement spec for passwords associated with a player account?

    While we can do it in the client by simply requiring the incoming string be X length, contain a number, a capital letter and a special character, it doesn't look like we are able to specify those restrictions with the "Forgot Password" API call, which means it's entirely possible for a player to create an email on the back end - that we don't control - that won't be considered legal inside the app.

    What can we do about this?
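The rule set spelled out in the later reply above (at least 8 characters, a capital letter, a number, and one of a configurable set of special characters) and the question in this post about enforcing it on the "Forgot Password" path are both served by one check. The following is an added example written for this page, not brainCloud's own code: the policy object, the `enforcePasswordSpec` app-level flag (off by default, as the reply suggests) and the function names are assumptions; the special-character set is constructed from the characters the reply lists.

```javascript
// Added example, not brainCloud code. One password-policy check that can run
// both in the client form and in the server-side reset handler, gated by an
// assumed per-application flag so existing apps and passwords are unaffected.

// Constructed from the rules listed in the forum reply; the set of special
// characters is whatever the platform decides, these are the ones named there.
const DEFAULT_POLICY = {
  minLength: 8,
  requireUppercase: true,
  requireDigit: true,
  specialChars: "+-,.!?%#@=",
};

// Escape characters that have meaning inside a regex character class.
function escapeForCharClass(chars) {
  return chars.replace(/[\\\]^-]/g, "\\$&");
}

// Returns a list of human-readable failures; an empty list means the password
// satisfies the policy. Non-string input is treated as an empty password.
function checkPassword(password, policy = DEFAULT_POLICY) {
  const pw = typeof password === "string" ? password : "";
  const failures = [];
  if (pw.length < policy.minLength) {
    failures.push(`must be at least ${policy.minLength} characters long`);
  }
  if (policy.requireUppercase && !/[A-Z]/.test(pw)) {
    failures.push("must contain a capital letter");
  }
  if (policy.requireDigit && !/[0-9]/.test(pw)) {
    failures.push("must contain a number");
  }
  if (policy.specialChars) {
    const re = new RegExp(`[${escapeForCharClass(policy.specialChars)}]`);
    if (!re.test(pw)) {
      failures.push(`must contain one of: ${policy.specialChars}`);
    }
  }
  return failures;
}

// Server-side gate for a password reset. Only enforces the policy when the
// (assumed) application flag is on, so released apps keep their current
// behaviour by default; the same failures list can drive the client form.
function validateResetPassword(password, appConfig = { enforcePasswordSpec: false }) {
  if (!appConfig.enforcePasswordSpec) return { ok: true, failures: [] };
  const failures = checkPassword(password, appConfig.policy || DEFAULT_POLICY);
  return { ok: failures.length === 0, failures };
}

module.exports = { DEFAULT_POLICY, checkPassword, validateResetPassword };
```

Keeping the check in one function shared by the client and the reset endpoint is what closes the gap the post describes: a password accepted through the back-end reset flow is then guaranteed to pass the same test the app applies.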
