When requesting a password reset, the email content is out of date

Current email


A password reset request was received from A.B.C.D. To confirm this password change so you can login with your new credentials, visit the following link:


Attention: Changing the password will also change your token_auth. You can look up your new token_auth on your settings page.

If you are using your API token_auth in any external applications or for archiving, make sure to update the token_auth as requests to the API will fail otherwise.

Note: this link will expire in 24 hours.

And thank you for using Matomo!

Changes to make:

  • Remove the 2 sentences saying the token_auth changes when you reset the password. Since a few versions ago, we have de-coupled password and token_auth, and now changing the password does not change the token anymore.

  • Do not make the link clickable. It is too easy to fall in a trap of an attacker requesting a password reset, and one opening the email and clicking on the link by mistake / habit of trusting all emails from Matomo. Requesting a password reset is one of the most critical things and it's important to make sure people understand what they're doing (and can't be easily tricked).

  • Update the text from "visit the following link" to "please copy and paste the following link in your browser:"

@diosmosis commented on October 4th 2018 Member

Note: the link is not clickable by default; clients like Gmail parse it and make it clickable.

@mattab commented on October 11th 2018 Member

Oh interesting, is there maybe a way to disable this feature somehow? @diosmosis

Edit: maybe once we have HTML emails then it's possible :+1:

@diosmosis commented on October 11th 2018 Member

I tested removing the protocol and that was enough to make it not clickable. We'd have to display a link like: www.blahblahmatomo.org/index.php?... instead of https://www.blahblahmatomo.org/index.php?....

@mattab commented on October 11th 2018 Member

Ok, let's leave it clickable for now, and once we move to have all-HTML emails we can make the link not clickable.

