Base logic:
- Create a reset password form with an email field.
- When the user submits the form, you should:
  - check that this email exists in the database
  - generate an unguessable, cryptographically random secret key (hereafter just "secret key")
  - store this key, the current timestamp and the user identifier in a cache or database
  - send it to the user by email or SMS
- When the user applies the secret key (for example via a URL or a special form), you should:
  - validate it (exists, not expired, not used before)
  - get the user identifier
  - delete the secret key or mark it as used
  - provide logic to enter/generate a new password.
The logic to enter/generate the password can vary:
- log the user in and show a form to enter a new password – one-time login key
- show a form to enter the password, then log in if valid
- generate a new password and send it to the user's email
- generate a new secret key for the form to enter a new password and send it to the user's email
- generate a new secret key to approve the form, send it via SMS, show a form to enter the new password and the approval secret key, then log in if valid
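The two halves of the flow above (issue a secret key on request, then validate it as existing, unexpired and unused before accepting it) as an added example in Python; this is not code from the answer above. The in-memory dicts, the user record, the 15-minute lifetime and the `now` parameter are constructed assumptions standing in for a real database, mail delivery and the system clock.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset key is valid for 15 minutes

# Constructed stand-ins for the user table and the reset-key store.
USERS_BY_EMAIL = {"alice@example.com": 42}
RESET_TOKENS = {}  # sha256(key) -> {"user_id", "created_at", "used"}


def _digest(token: str) -> str:
    # Only a hash of the key is stored, so a leaked store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: check the email, mint a random secret key, record it, return it for delivery."""
    user_id = USERS_BY_EMAIL.get(email)
    if user_id is None:
        # Caller should still show the same neutral "check your mail" message.
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
    RESET_TOKENS[_digest(token)] = {
        "user_id": user_id,
        "created_at": time.time() if now is None else now,
        "used": False,
    }
    return token  # in a real system this goes into the email/SMS, never into a log


def consume_reset(token: str, now: Optional[float] = None) -> Optional[int]:
    """Step 2: validate (exists, not expired, not used), mark used, return the user id."""
    record = RESET_TOKENS.get(_digest(token))
    current = time.time() if now is None else now
    if record is None:
        return None  # unknown key
    if record["used"]:
        return None  # already consumed: single use only
    if current - record["created_at"] > TOKEN_TTL_SECONDS:
        return None  # expired
    record["used"] = True  # marked before the caller shows the new-password form
    return record["user_id"]
```

Because `RESET_TOKENS` keys are hashes, the plaintext key exists only in the message sent to the user and in the request that redeems it.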