Support for .well-known/change-password

DragonByte Tech

See the spec here: https://github.com/WICG/change-password-url | https://wicg.github.io/change-password-url/

Essentially, all you need to do is add a new route: .well-known/change-password whose controller has a 302 redirect to account/security. That's it :D

It's used by password managers (at the time of writing only supported by Safari and iCloud Keychain as it was developed by an Apple engineer) to tell users where to change their passwords in the event of a breach. Many password managers have integration with HIBP or similar services to alert you of a breach, and support for .well-known/change-password will be the logical next step.
 
Good idea, but the main problem with this suggestion is that it would only work for forums installed in the root of the site.

The well known url is /.well-known/change-password, not /community/.well-known/change-password or anything else - it only works at the root level.

It would simply not work for any forum not installed in the root - for example, this site - xenforo.com - because XenForo can only control routes under the forum root path.

Unfortunately I just don't think this can be implemented reliably by XenForo and is better handled at the web server level.
 
Code:
Redirect 302 /.well-known/change-password https://yourforum.com/account/security

for those who want to do it in .htaccess
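
A way to verify the redirect once it is in place, as an added example that is not part of the thread or of XenForo: it requests the well-known URL at the origin root without following redirects and confirms it lands on the forum's account/security page, including for a forum installed in a subdirectory. The function names, the local demo server and the accepted status codes (302, 303, 307) are assumptions of this example.

```python
import http.client, http.server, threading
from urllib.parse import urlsplit, urljoin

WELL_KNOWN = "/.well-known/change-password"
REDIRECT_CODES = {302, 303, 307}  # temporary redirects (assumed set); the thread uses 302

def well_known_url(forum_url):
    # Always at the origin root, even when the forum lives in /community/.
    u = urlsplit(forum_url)
    return f"{u.scheme}://{u.netloc}{WELL_KNOWN}"

def check_change_password(forum_url, expected_path="account/security"):
    """Fetch the well-known URL without following redirects; return (ok, detail)."""
    expected = urljoin(forum_url.rstrip("/") + "/", expected_path)
    u = urlsplit(well_known_url(forum_url))
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=5)
    try:
        conn.request("GET", WELL_KNOWN)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if status not in REDIRECT_CODES:
        return False, f"status {status}, expected a temporary redirect"
    target = urljoin(well_known_url(forum_url), location or "")
    if target != expected:
        return False, f"redirects to {target}, expected {expected}"
    return True, f"{status} -> {target}"

def start_demo_server(redirect_to):
    """Constructed local stand-in for a web server carrying the Redirect rule."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == WELL_KNOWN:
                self.send_response(302)
                self.send_header("Location", redirect_to)
            else:
                self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args): pass  # keep the demo quiet
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_demo_server("/community/account/security")
    print(check_change_password(f"http://127.0.0.1:{srv.server_port}/community/"))
```

Against a live site, pass the forum's base URL (for example the forum root under /community/) and the check reports a failure if the web server rule is missing or points at the wrong path.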
 