Password Reset

The Password Reset flow provides a secure, self-service way for users to regain access to their accounts if they forget their credentials.

Purpose

To maintain security while minimizing support overhead, billetsys allows users to independently reset their passwords. This flow is protected by CAP (CAPTCHA) integration to prevent abuse, such as automated spam or enumeration attacks.

The Reset Flow

  1. Requesting a Reset: A user initiates the process from the login page by clicking “Forgot your password?”. They are prompted to enter their email address.
  2. CAP Verification: Before the request is accepted, the user must solve a CAP challenge. This ensures that the request is coming from a human and protects the system from automated bots.
  3. Email Delivery: If the email matches an active account, billetsys sends an email containing the user’s username and a secure, time-limited reset link. The email format follows that user’s profile preference when one has been configured.
  4. Setting a New Password: Clicking the link takes the user to a secure reset page where they can establish a new password and immediately regain access to the application.

Security Considerations

Administration and Configuration

For the password reset flow to function correctly in a live environment, administrators must explicitly configure the CAP integration and an outbound SMTP mailer.

CAP Configuration

The system requires a CAP service to verify requests. Configure these application environment variables:

Note: For local compose environments, these are typically http://localhost:3000 and http://localhost:3000/siteverify.

SMTP Configuration

To deliver the reset emails to users, real SMTP must be configured. The development mock mailer (quarkus.mailer.mock=true) will not send real emails.

Configure the following variables to enable real email delivery:

# Disable the local mock mailer
quarkus.mailer.mock=false

# Sender address
ticket.mailer.from=no-reply@example.com

# Standard SMTP settings
quarkus.mailer.host=smtp.example.com
quarkus.mailer.port=587
quarkus.mailer.username=your-email@example.com
quarkus.mailer.password=your-secure-password
quarkus.mailer.start-tls=REQUIRED
quarkus.mailer.auth-methods=PLAIN LOGIN