Local User Password reset via email

[darkassassin07 434]

I would like to allow users to reset their passwords via a time-limited reset link sent to their email, similar to how Ombi does this.

Each user can have an email address linked, and the server has SMTP details set; users can then press 'reset password' and enter an email to have a link sent to said email (assuming they entered a valid one and its linked a user) which takes them to a password reset page where they can enter and confirm a new password. Only if any of this isn't setup correctly does it request you contact the admin instead.

 

 

I've had a few users somewhat frequently forgetting their passwords, especially when they don't use emby regularly. It would be nice to have a way for them to resolve this themselves. 

Currently the 'reset password' link on Emby just tells you to contact the admin (presumably it's more functional with connect users? Don't know, I don't use connect) and it involves manually resetting their password for them to something fairly complex, sending that password to them via text/email (neither of which I'm comfortable with, I just just don't have better options most of the time), then hoping/pestering them to change it to something only they know. It's far more of a hassle than it needs to be and rather insecure.

Edited June 4, 2023 by darkassassin07

[Luke 37231]

It’s not a bad idea, but can you think of how to improve it for users who don’t have their own email server?

[darkassassin07 434]

You don't require your own email server: most public email services like outlook, gmail, yahoo, etc let you access them and send mail via SMTP.

 

I use my regular hotmail account to automatically send email notifications about requested media and ombi password reset links for example:

Host: smtp-mail.outlook.com

Port: 587

TLS/SSL: enabled

Then my email+pass to login.

I could probably setup a dedicated email address for that as well, but ombi let's me specify the sender name as well so they show up as from: "<my server name> Media Requests" with my email below that. (if you expand the details to see it)

Here's a test notification from ombi to see how that's displayed:

 

Optionally a user could setup their own smtp server, I just haven't gotten around to exploring that. I hear it's a hassle to get your mail accepted by the above services.

Edited June 4, 2023 by darkassassin07

[Luke 37231]

Right. Take email out of it for a second. What other possible ways can you think of?

[darkassassin07 434]

You could likely Integrate into various social platforms like Facebook, Reddit, Twitter, Discord, Whats App, Telegram, Pushbullet, etc to pm users via their handles on those platforms if you really wanted more options.

An sms relay is also an option, though rather unlikely imo.

 

Email just seems like the simplest and most ubiquitous to me.

[Luke 37231]

11 minutes ago, darkassassin07 said:

You could likely Integrate into various social platforms like Facebook, Reddit, Twitter, Discord, Whats App, Telegram, Pushbullet, etc to pm users via their handles on those platforms if you really wanted more options.

An sms relay is also an option, though rather unlikely imo.

 

Email just seems like the simplest and most ubiquitous to me.

What if the user doesn’t have those? Or what if they fail? Can you get creative and come up with something more universal that doesn’t rely on an external service?

[darkassassin07 434]

If a user has lost their emby login credentials, they clearly can't login to my services anymore, to correct that I'm either going to have to give them new ones in person, or contact them through some other service....

We already have talking to them in person, that's the problem I'm trying to get away from.

I don't understand how you would do this any other way than a third service outside emby. I'm asking you to integrate those options.

 

18 minutes ago, Luke said:

What if the user doesn’t have those? Or what if they fail?

Then you fall back to the current lack of options where you tell the user to contact the administrator. Just because some people don't have/use certain options doesn't mean nobody should have them.

 

 

I don't understand what you're asking/how that would be accomplished without an external notification system like email.

 

You sound like you've got some ideas. How do you think you guys should achieve this?

Edited June 4, 2023 by darkassassin07

[Luke 37231]

Right the point is that those options will only benefit a portion of users. 
 

that’s not to say it can’t be done, but first we should exhaust all possible improvements that everyone can use without having to first set something up.

[darkassassin07 434]

So I ask again then;

 

How do you think this should be achieved?

 

How would you send notifications allowing a user to reset their password, when they can't login to the service that would be sending them that notification?

 

 

You seem to be happier leaving people with no options at all instead of giving a variety of option's for people to choose what they'd like to use.

 

Nothing is not better than something.

[Luke 37231]

Well we could have a page to allow them to handle the reset process on their own without having to send them a new password.

Then you only need to give them the link, which you would have to handle. 
 

to actually send them something you’re talking about a generalized means for an admin to communicate with users, which could be used for other purposes. That’s a whole separate discussion but I would consider that step two of this.

[darkassassin07 434]

That's certainly a step in the right direction.

From there you could tie into the notifications feature to deliver that link via whatever notification plugin is installed/configured. (and probably a notice about it to admins as well)

 

6 minutes ago, Luke said:

to actually send them something you’re talking about a generalized means for an admin to communicate with users, which could be used for other purposes. That’s a whole separate discussion but I would consider that step two of this.

Is this not what the notification system does already? It's just typically configured to notify admins, but allows you to notify anyone about anything from whatever means are installed. Other plugins can even send whatever info they like via this. (playback reporting for example has notifications it can send to every user)

 

 

That's really all I'm asking for; a new notification, just a little more functional than plain text.

[rbjtech 4324]

I think whatever way you do this, you are going to run into the issue of does the user requesting the password reset have the Authorisation/Authentication to do so.  ie are they who they say they are and should be allowed to reset the password.

If you have to give them a 'link' then you may as well reset their password ... 

Just spitballing - but I guess we have the deviceid to work with (unique to that device I believe) meaning you need the physical device to be able to reset a password, we have the last logged on users for that device.

So maybe setup a PIN per user - in conjunction with the above deviceid and previously logged on user within say the last week - and they can reset their own password (using a link on the emby login page) using the pin, but only on Approved devices and only within 1 week of the last sucessful login on that device.?   if the user forgets their PIN.. then pack up and go home ... 

Edited June 7, 2023 by rbjtech

[ebr 14958]

52 minutes ago, rbjtech said:

I guess we have the deviceid to work with (unique to that device I believe)

Only on non-browsers...

[darkassassin07 434]

4 hours ago, rbjtech said:

I think whatever way you do this, you are going to run into the issue of does the user requesting the password reset have the Authorisation/Authentication to do so.  ie are they who they say they are and should be allowed to reset the password.

If you have to give them a 'link' then you may as well reset their password ... 

Why would that be an issue?

Just check that the user that is being reset has the permission 'allow user to change their password'. If you really wanted to, you could break that out into its own permission, but that seems unnecessary.

 

If that's true have emby deliver a reset link via the notification method thats been setup for that user (email, twitter, Discord, etc) or, failing that, notify the admin a reset has been requested and provide a link for the admin to pass on themselves.

[TeamB 2356]

 

On 6/5/2023 at 5:01 AM, Luke said:

Right. Take email out of it for a second. What other possible ways can you think of?

STOP before anyone starts adding password reset approaches stop.

This is an attack surface that is exploited daily on all sorts of systems, password reset in general is a reasonably well know issue that nearly ALL authenticated systems have to deal with, there are lots of models out there and I would suggest having a close look at the different approaches some well know services use before trying to come up with something new.

At a bare minimum you should add a link to the login page to "Request a password rest" as a bare minimum this would notify the Admin accounts on the system that a user has sent a password reset request. There is already a notification system built into Emby with email plugins etc. The admin can then do what they need to. Hopefully the admin has contact details of the user and they can just ping them a new password.

Automated Solutions:

From an automation point of view. The email is a good idea but for local users there is no email associated so that would have to be added.
And then to send the email, well there is already an notification system in Emby with an email notification plugin so perhaps that might be usable. I don’t know I have not played with the new user set up for notification much.

But as a bare minimum you should add request password reset to the login page that notifyes the admin users. If it is just a matter of adding a new notification type to the existing notification system and then admins can set themselves up to be notifyed.

 

[darkassassin07 434]

2 minutes ago, TeamB said:

At a bare minimum you should add a link to the login page to "Request a password rest" as a bare minimum this would notify the Admin accounts on the system that a user has sent a password reset request.

 

Annoyingly; this button is already there. It just tells the user to contact their server admin. 

 

No notifications are sent at all. Completely up to the user.

[Luke 37231]

Hi, yes we are looking at all of this. Thanks.

[dylan62370 6]

Hello

Do you have any news on this subject?
I'm waiting patiently for this option.

[Luke 37231]

On 8/22/2023 at 3:21 AM, dylan62370 said:

Hello

Do you have any news on this subject?
I'm waiting patiently for this option.

HI, not yet, sorry, but there are improvements to the password reset process in the upcoming 4.8 server release. Thanks.

[dylan62370 6]

On 8/26/2023 at 12:03 AM, Luke said:

HI, not yet, sorry, but there are improvements to the password reset process in the upcoming 4.8 server release. Thanks.

That's great news!