Sounds familiar. Also working on a service and the reset password flow is actually the last thing to do before putting it live. In my experience it's not really necessary during a beta/alpha period with a few users, as you just want to test out the features your service is about 👍
I can only agree :-)
"I set him a new one manually"
If I read that, I always am afraid that security is breached by not hashing and salting the passwords, please tell me you do that though. Additionally, while I agree it offers more flexibility by using no framework, you do sacrifice the built-in security components in frameworks such as CSRF and session hijacking. Even when you use a framework, you do have to be wary about security. For instance, a lot of frameworks do not throttle requests which could result in brute force attacks and such.
I really like to work with security concepts, so that is why this comment is so security oriented.
Thanks for your comment Wesley.
Well, my post or way of doing this kind of project is not about sacrificing security needs. I would say, that having a PW Reset Flow does not mean, that things are more secure, with or without a framework. Of course, always having in mind, that eg saving a PW need some hashing and salting, as you 100% correclty said. Don't worry, I never would save a PW without that, manually or implemented. :-)
yeah, that's exactly the point.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.