
feat: Add "change password" flow to user settings

Open marcklingen opened this issue 2 years ago • 9 comments

Describe the feature you'd like to request

Currently users can only be created, and the initial password that is chosen at /auth/sign-up is hashed and saved to the user table. Users cannot change or reset the password.

Suggested core feature

  • [ ] New page for user settings accessible via the user menu that currently only includes "sign out"
  • [ ] Form to set a new password while being logged in

Users who do not know their current password cannot change it -> need password reset flow; this would require adding transactional emails, which is probably out of scope to make this easy to finish. Happy to contribute if you want to go for it though.

Describe the solution you'd like to see

  • Add update route to user trpc router, user id of signed in user is available in context (ctx.session.user.id) -> src/server/api/routers/users.ts
    • Update user table using prisma

Additional information

The project uses:

  • shadcn/ui for ui components, find them in src/components/ui
  • trpc for typed APIs used by the frontend, check out how the creation of new API keys works for reference
    • src/features/publicApi/components/CreateApiKeyButton.tsx
    • src/features/publicApi/server/apiKeyRouter.ts

LF-655

marcklingen avatar Aug 21 '23 18:08 marcklingen

Happy to help/contribute, find me on the langfuse Discord: https://langfuse.com/discord

marcklingen avatar Aug 21 '23 18:08 marcklingen

I am working on creating a new "User Settings" page.

DIWAKARKASHYAP avatar Sep 02 '23 16:09 DIWAKARKASHYAP

Is this design ok for the 'user settings' page? [image] You can add additional features in the future, such as billing, support, contact us, account deletion and more.

DIWAKARKASHYAP avatar Sep 02 '23 17:09 DIWAKARKASHYAP

Hi @marcklingen, I was thinking of working on this issue. May I please know why the above PR was closed so that I can improve on the same? Thanks

Working on it!

khareyash05 avatar Dec 23 '23 15:12 khareyash05

Hi @khareyash05, back then there was no outbound email setup. Now it can be reused from the user invite email notifications.

Implementation thoughts

  • need to create a token and store in db
  • send deep link via email that includes the token
  • password reset page that works unauthed and checks token
  • use same implementation for change password (currently signed in) and password reset (forgot password) -> both use cases get email to reset the password on public page

Further thoughts

  • some users are SSO users, some even on SSO-only domains (see env var). Those users should not be able to set a password or reset it, as they should stick to SSO for security (e.g. 2FA)

marcklingen avatar Dec 24 '23 17:12 marcklingen

Oh, lots to be done on the server side! Can I segregate the work into smaller PRs? Thanks for taking the time to explain the full process

khareyash05 avatar Dec 24 '23 17:12 khareyash05

Sure. However you like. I'd suggest creating one draft PR and a single "password-reset" branch for this whole issue and then creating sub/stacked PRs for the individual pieces. Happy to give feedback on each if you like. Just @ me

marcklingen avatar Dec 24 '23 17:12 marcklingen

Sure! This is the UI for the user settings page: https://github.com/langfuse/langfuse/pull/760. Also, there would be a lot of questions to ask and lots of reviews to be done. Where can I ask them?

khareyash05 avatar Dec 24 '23 17:12 khareyash05

Hi @khareyash05, back then there was no outbound email setup. Now it can be reused from the user invite email notifications.

Implementation thoughts

  • need to create a token and store in db
  • send deep link via email that includes the token
  • password reset page that works unauthed and checks token
  • use same implementation for change password (currently signed in) and password reset (forgot password) -> both use cases get email to reset the password on public page

Further thoughts

  • some users are SSO users, some even on SSO-only domains (see env var). Those users should not be able to set a password or reset it, as they should stick to SSO for security (e.g. 2FA)

@marcklingen any specific reason for the design choice of db-persisted tokens here, instead of a JWT? (ofc, there are advantages & drawbacks)

flxwu avatar Dec 28 '23 00:12 flxwu
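As an added illustration of the db-persisted token design sketched in the "Implementation thoughts" above and questioned in the JWT comment, this is example code and not Langfuse's own implementation: the server stores only a SHA-256 hash of the random token (so a leaked table does not yield usable reset links), the link carries the raw token, and the unauthenticated reset page accepts a token at most once and only before expiry. The in-memory `resetTokens` array, `ssoOnlyDomains` set, one-hour TTL and `/auth/reset-password` path are assumptions standing in for the Prisma table and env vars the issue mentions.

```typescript
import { randomBytes, createHash, timingSafeEqual } from "node:crypto";

// Hypothetical stand-in for a Prisma-backed table (not Langfuse's schema).
// Only the hash of the token is persisted, never the token itself.
type ResetTokenRow = { userId: string; tokenHash: string; expiresAt: number; usedAt: number | null };
const resetTokens: ResetTokenRow[] = [];

// Assumed stand-in for the SSO-only-domains env var from the thread.
const ssoOnlyDomains = new Set(["sso-only.example"]);
const TOKEN_TTL_MS = 60 * 60 * 1000; // one hour

function hashToken(token: string): Buffer {
  return createHash("sha256").update(token).digest();
}

// Step 1 + "further thoughts": mint a token unless the account must stay on SSO.
// Returns the raw token for the deep link, or null when a reset is not allowed.
function createResetToken(userId: string, email: string, now = Date.now()): string | null {
  const domain = email.split("@")[1]?.toLowerCase() ?? "";
  if (ssoOnlyDomains.has(domain)) return null; // SSO-only users never get a password
  const token = randomBytes(32).toString("base64url"); // 256 bits of entropy
  resetTokens.push({ userId, tokenHash: hashToken(token).toString("hex"), expiresAt: now + TOKEN_TTL_MS, usedAt: null });
  return token;
}

// Step 2: the deep link that would be sent by email.
function buildResetLink(baseUrl: string, token: string): string {
  return `${baseUrl}/auth/reset-password?token=${encodeURIComponent(token)}`;
}

// Step 3: the public reset page checks the token and burns it on first use.
// Returns the user id to reset, or null if the token is unknown, used or expired.
function consumeResetToken(token: string, now = Date.now()): string | null {
  const candidate = hashToken(token);
  // Compare hashes in constant time so lookups do not leak which stored token matched.
  const row = resetTokens.find((r) => timingSafeEqual(Buffer.from(r.tokenHash, "hex"), candidate));
  if (!row || row.usedAt !== null || row.expiresAt <= now) return null;
  row.usedAt = now; // single use: replaying the same link fails from here on
  return row.userId;
}
```

Revoking a token after a successful reset is what the JWT variant cannot do without its own denylist table, which is the trade-off the question above points at.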

released recently, need to add smtp and from email address to env to enable this

marcklingen avatar Jul 02 '24 11:07 marcklingen