WEBVTT

00:01.850 --> 00:04.670
So we're not quite done with resetting passwords.

00:04.700 --> 00:11.030
One very common security practice is to ensure that when you send a password reset email or text or

00:11.030 --> 00:16.970
whatever it may be, that you have some expiry that it's only good for, let's say, 60 minutes.

00:16.970 --> 00:18.290
And we're not doing that right now.

00:18.320 --> 00:20.300
And it's really easy to implement that.

00:20.300 --> 00:22.570
It requires only a few lines of code.

00:23.090 --> 00:26.150
So in handlers.go, in the function

00:26.150 --> 00:31.400
reset password, the part where we're showing the page that lets them reset their password.

00:31.430 --> 00:33.300
All we have to do here is add another check.

00:33.710 --> 00:41.350
So after we make sure the token is valid, we'll say make sure not expired, and we'll make it 60 minutes.

00:42.080 --> 00:47.570
So I'm going to call a function in that signer package that we created earlier, our package, and

00:47.570 --> 00:49.030
it's the one that checks the expiry.

00:49.080 --> 00:55.460
So I'll create a variable called expired and I'll call signer.Expired and hand it our token, which in

00:55.460 --> 01:00.830
our case is the URL you are visiting, and we want to make sure that no more than 60 minutes

01:00.830 --> 01:01.470
have gone by.

01:02.090 --> 01:04.530
So if this comes back true, then it's expired.

01:04.700 --> 01:12.110
So if it expired, I'll just do the same thing I did here, I'll just print out a message to our console

01:12.860 --> 01:13.990
and I will return.

01:14.000 --> 01:18.560
And of course, you could redirect to an error message page or whatever you wish, but I'll just say

01:21.110 --> 01:23.550
link expired, OK?

01:23.570 --> 01:25.940
And literally, that's all we have to do in this case.

01:25.970 --> 01:32.000
So when we send that email out, of course, we should actually send some text that says this link is

01:32.000 --> 01:33.800
good for only...

01:33.810 --> 01:34.820
only 60 minutes.

01:36.610 --> 01:46.000
So also, this link expires in 60 minutes, and I'll just copy that and put it in the other version

01:46.000 --> 01:50.860
of our email, which is the HTML one right here.

01:53.610 --> 01:56.000
Was that... I should have a closing tag here somewhere?

01:57.010 --> 01:57.460
Yes.

02:01.980 --> 02:06.420
And I'll put another paragraph with the same text, and that takes care of it.

02:07.440 --> 02:07.740
All right.

02:07.740 --> 02:08.990
We're not quite finished, though.

02:09.750 --> 02:12.300
There's one other thing we probably should take into account.

02:13.020 --> 02:20.340
So if I look at the reset password page at the very bottom, in this JavaScript function val, we're

02:20.340 --> 02:26.030
putting in the payload the email, and we're just putting in the email address that's to be changed,

02:26.160 --> 02:32.760
the one that's associated with the user whose password we want to reset. Now, a malicious user who examines

02:32.760 --> 02:38.610
the source code for this password reset page could say, oh, all I have to do is change the email in

02:38.610 --> 02:39.990
this payload variable,

02:40.910 --> 02:46.160
and I can change somebody else's password. And we need to take care of that, and there are many, many

02:46.160 --> 02:52.490
ways of doing so, but we can't use a really conventional approach, which is to stick it in session,

02:52.490 --> 02:57.710
because the session for our front end exists only for our front end and we have no access to it from

02:57.710 --> 02:58.250
the back end.

02:58.910 --> 03:03.770
So one easy approach to take care of this is something that will actually be useful in other situations

03:03.770 --> 03:04.260
as well.

03:04.640 --> 03:11.530
We can encrypt that email to a text value, a long string of characters that appear to be random.

03:11.750 --> 03:16.880
So we encrypt it when we write it to this page, and when we get the payload on the back end, we decrypt

03:16.880 --> 03:17.030
it.

03:17.540 --> 03:19.760
So we'll take care of that in the next lecture.