Improve documentation of password reset feature.

2016-02-12 22:46:07 +01:00 · 2016-02-12 22:46:07 +01:00 · a9932a1675
--- a/handlers.go
+++ b/handlers.go
@ -110,7 +110,7 @@ func passwordResetLinkPostHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if tokens[0] != name {
-		execTemplate(w, "error.html", "Wrong!")
+		execTemplate(w, "error.html", "Wrong answer(s).")
 		removeLineStartingWith(pwResetPath, urlPart)
 		return
 	}
@ -121,7 +121,7 @@ func passwordResetLinkPostHandler(w http.ResponseWriter, r *http.Request) {
 	if "" != tokensUser[2] &&
 		nil != bcrypt.CompareHashAndPassword([]byte(tokensUser[3]),
 			[]byte(r.FormValue("secanswer"))) {
-		execTemplate(w, "error.html", "Wrong!")
+		execTemplate(w, "error.html", "Wrong answer(s).")
 		removeLineStartingWith(pwResetPath, urlPart)
 		return
 	}
--- a/templates/pwresetrequest.html
+++ b/templates/pwresetrequest.html
@ -1,16 +1,23 @@
 {{ template "header" }}
 <form method="post" action="passwordreset">
 	<fieldset>
-		<legend>Reset password</legend>
+		<legend>Request password reset</legend>

 		<div>
-			<label for="name">Name</label>
-			<input type="text" id="name" name="name" maxlength="140" required />
+			<label for="name">Account whose login to reset</label>
+			<input type="text" id="name" name="name" />
+
+                        <hr />
+
+                        <p>To reset the password for an account, an e-mail address <a href="/accountsetmail">must have been set</a> for it. The request here will be answered with an e-mail to the address which contains nothing but a randomized URL pointing back to a page on this server.</p>
+                        <p>Said page will only be available for a limited time. It will ask for the account name, a new password (must be entered twice), and, if a security question <a href="/accountsetquestion">has been set</a> for the account in question, an answer to that. The new password will only be set when the account name given there is the same given here, and, if a security question was set for that account, the answer is the one previously defined for it. Wrong answers will remove the temporary account reset page at once. A new one can be requested here then.</p>
+                        <p>Note that clicking the button below will always redirect you to this site's start page – no matter whether the server actually sends out a password reset link for any account or not.</p>
+
 		</div>

 		<hr />

-		<button type="submit">Request password reset</button>
+		<button type="submit">Request</button>
 	</fieldset>
 </form>
 {{ template "footer" }}