This post shows an updated version of it which now stores the password reset tokens using PBKDF2 hashing.
To start, open TBot, and click on the New Random User link:
Which will quickly create a test user for us to use.
Copy the email address, and use it on the passwordForgot page (link available from the login dialog/page):
Once the email is submitted:
You can go to TBot’s View Emails Sent page:
Where you can see the email that (was supposed to be) sent to the user (the SMTP password is not set up on this server, which is why the email was not sent and is shown in red)
Here is the email (sent to the user) with the password reset details:

Hi FName LName,
a password reminder was requested for your account.
You can change the password of your test_user_SiZif account using https://teammentor-33-ci.azurewebsites.net:443/passwordReset/test_user_SiZif/762cb15a-fa30-44f9-bcdc-1393c487bbc6
If you didn't make this request, please let us know at firstname.lastname@example.org.

Copy the password reset url, open it in the browser and set a password:
Once the password is successfully changed, you can login as that user:
Another way to test this feature is to go to TBot’s Current Users page:
Select the desired user:
And click on the open password reset page link:
Which will open the password reset page for this user with a valid token (which can only be used once).
Note that if you open the Raw/Xml Data page for this user, you will see that the password token is stored as a long hash (very similar to the password one).
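The storage scheme described above, as an added Python sketch (not TeamMentor's own code): the GUID-style token goes out in the reset URL, only its PBKDF2 hash is kept, and a successful redeem deletes the record so the token works once. The class name, per-token random salt, SHA-256 and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import uuid

ITERATIONS = 100_000  # assumed work factor, not a value taken from TeamMentor


class ResetTokenStore:
    """Hypothetical store that keeps only a salted PBKDF2 hash of each reset token."""

    def __init__(self):
        self._records = {}  # username -> (salt, token_hash)

    @staticmethod
    def _hash(token, salt):
        return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, ITERATIONS)

    def issue(self, username):
        """Create the token that goes into the reset URL; persist only its hash."""
        token = str(uuid.uuid4())  # random GUID, same shape as the token in the email
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, self._hash(token, salt))
        return token

    def stored_value(self, username):
        """What a raw dump of the user record would expose: the hash, never the token."""
        _salt, token_hash = self._records[username]
        return token_hash.hex()

    def redeem(self, username, token):
        """Return True exactly once for the correct token, then invalidate it."""
        record = self._records.get(username)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the recomputed hash with the stored one.
        if not hmac.compare_digest(self._hash(token, salt), expected):
            return False
        del self._records[username]  # single use: a replayed URL no longer matches anything
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    user = "test_user_constructed"  # constructed sample user name
    token = store.issue(user)
    print("token sent in email:", token)
    print("value kept in storage:", store.stored_value(user))
    print("first use:", store.redeem(user, token), "second use:", store.redeem(user, token))
```

Anyone who reads the stored user data sees only the hash, which cannot be pasted into a reset URL.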