In this article, we will go over the steps to force users to reset their passwords.
Scenario
You need to ensure that users are prompted to reset their password the next time they log in.
This can be achieved by utilizing page rules and record actions. Alternatively, if you are on a specific plan, you can also fulfill this requirement using the built-in Knack security setting.
Requirements
Users will need to be enabled in your app.
If this is your first time creating an app, you'll need to know some basics about adding tables, fields, pages, and views. You can start by reading our Builder Basics section.
Other good resources can be found in our About Your Database and Working With Pages sections of the knowledge base.
Steps
Create a Field to Track Who Needs to Reset Their Password
To get started, create a Yes/No field in order to keep track of users who need to reset their passwords. This field should be added to the main table at the top of the User Roles section in the Builder. You can name the field something like "Reset Password?" or "First Login?".
The Accounts table might have a different name in your app. However, as long as you add the field to the top table in the User Roles section, you will be able to follow the steps outlined in this article.
To ensure that all new users are prompted to reset their passwords, set the default value of the field you created to "Yes".
Create a Page for Resetting Their Password
Now that we have a way to keep track of users who need to reset their passwords, we need a dedicated page where users can reset them.
This can be either a newly created page or an existing page.
Creating a New Page
To create a new page for resetting passwords, locate the green "+" button next to User Pages in the Pages section of the Builder and click on it.
In the page creation wizard, you'll want to use the following settings:
- Give permission to all users.
- Name the page.
At this step, you can add a Form view to the page created above. For the Data Source, we will use the "Accounts" table or the equivalent table that you have directly under the User Roles section of your app.
You have the flexibility to let users reset their passwords in two different ways using the Password field:
- Prompt the user to enter their current password before setting their new password.
- Require the user to enter only a new password.
To configure either option, simply edit the Password field by clicking on the pen icon in the form preview. Then, select the desired checkboxes from the Password Actions section.
Using an Existing Page
Many users have the default Account Settings page in the User Pages section, which is already set up for users to reset their passwords.
If you prefer to use a different existing page, please ensure that it contains a Form view similar to the one created in the "Creating a New Page" section above.
Create a Page Rule to Redirect Users
To ensure that users are prompted to reset their passwords the next time they log in, add a Page Rule to each page where users can log in. The rule prompts users and guides them into the password reset process.
As an example, in our Members Directory sample app, two pages require a login: Members and Admin. Therefore, we will proceed to add a page rule to both pages.
To redirect users who need to reset their passwords to the dedicated password reset page, navigate to the page in the page tree, click on the Rules tab at the top, and add a page rule.
The page rule will have the following settings:
- When Accounts > Reset Password? is "Yes" (You'll select the field you created in the first step.)
- Action: Redirect to an existing page.
- Page: Reset Password (You'll select the page you created in the second step.)
Record Action to Update Users
Lastly, we will need to indicate which users have already reset their passwords so that they are not redirected to reset their passwords again during their next login. This can be accomplished by implementing a record action on the password reset form.
To implement a record action, navigate to the password reset page you created and click on the password reset form to open the editor.
Select the Rules section in the view editor and then click on the Record Actions tab.
The record action will have the following settings:
- Action: Update this record
- When: Every form submission
- Values: Reset Password? to a custom value "No"
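A small model of the workflow configured above, as an added example (this is not Knack code or a Knack export format; the dictionaries, page data and function names are constructed for illustration). It checks that every login-protected page carries the redirect rule and shows how a user moves through first login, reset, and the next login.

```python
# Constructed model of the workflow; not Knack's API or export format.
FLAG = "Reset Password?"          # the Yes/No field from the first step
RESET_PAGE = "Reset Password"     # the page from the second step

# Constructed sample: login-protected pages and their page rules.
PAGES = {
    "Members": [{"when": (FLAG, "Yes"), "action": "redirect", "page": RESET_PAGE}],
    "Admin": [],  # rule left off on purpose to show the gap
}


def pages_missing_redirect(pages):
    """Return login-protected pages that lack the redirect rule on FLAG."""
    missing = []
    for name, rules in pages.items():
        covered = any(
            r["when"] == (FLAG, "Yes")
            and r["action"] == "redirect"
            and r["page"] == RESET_PAGE
            for r in rules
        )
        if not covered:
            missing.append(name)
    return sorted(missing)


def visit(pages, page, account):
    """Return the page the user lands on after that page's rules run."""
    for r in pages[page]:
        field, value = r["when"]
        if r["action"] == "redirect" and account.get(field) == value:
            return r["page"]
    return page


def submit_reset_form(account, new_password):
    """Form submission plus the record action: FLAG becomes "No" every time."""
    account["password"] = new_password
    account[FLAG] = "No"
    return account


def new_account():
    """New users start with the field's default value of "Yes"."""
    return {FLAG: "Yes", "password": "<constructed-placeholder>"}
```

In this model a flagged user who logs in through "Admin" is never redirected, which is why the rule belongs on every page that has a login.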
Optional Feature
Create a Page Rule to Show Message on Reset Password Page
You may also want to add a second page rule and action to this workflow so that your users know what to do when they arrive at the Reset Password page.
- When: Accounts > Reset Password? is "Yes"
- Action: Show a Message
- Message: "You must set a new password." (example message)