User-initiated sign-up and password reset
This page explains how to use user-initiated sign-up and password reset (see the bottom of this page for password reset).
The sign-up feature requires a functional SMTP configuration in EntryStore; see the corresponding knowledge base article for this.
To avoid spam and non-human user accounts it is recommended to activate the reCaptcha functionality. Both reCaptcha 2.0 and the old API are supported.
The sign-up process is controlled via the sign-up resource at
A sign-up is initiated by sending some parameters as form data via a POST request. The information may also be sent as a JSON object instead of form data.
The following parameters are required:
If reCaptcha is configured the following parameters from the reCaptcha-script are required.
For reCaptcha API 2.0:
g-recaptcha-response as form data, or
grecaptcharesponse if the value is sent in a JSON object
For reCaptcha before 2.0:
The following parameters are optional:
urlfailure: the location to forward to in case the sign-up fails
urlsuccess: the location to forward to after a successful sign-up
The forwards above happen after the confirmation step.
After the user information has been sent as a POST request, a confirmation email is sent. After successful confirmation (by following the link in the email within 24 hours), a new user with a connected home context is created.
Returns a JSON array containing all email domains that are allowed to perform a user-initiated sign-up. An empty array means that it is possible to perform a sign-up with any domain.
This list is intended to be used in user interfaces, e.g. to let users choose from a fixed list of domains instead of entering the whole email address manually.
Basic sign-up form
A plain GET request without parameters returns a basic sign-up form. This form is not intended to be used by end users; the interaction with the sign-up resource should happen only via scripts.
Like the rest of EntryStore's configuration, all sign-up settings are set in entrystore.properties.
The following settings are available for sign-up:
entrystore.auth.signup: on|off, default: off
entrystore.auth.signup.email.subject: email subject of the confirmation mail [optional]
entrystore.auth.signup.email.template: path to an email template [optional]
entrystore.auth.signup.whitelist.n: a list of email domains that are allowed for sign-up; one domain per line, replace n with the domain's number in the list, starting from 1 [optional]
The following settings are generic and are also used by the password reset functionality:
entrystore.auth.email.from: the originating email address in the confirmation email [required]
entrystore.auth.email.bcc: a comma-separated list of email addresses which should receive a BCC of every sign-up email
entrystore.auth.recaptcha: on|off, default: off
entrystore.auth.recaptcha.public-key: your reCaptcha public key [required for reCaptcha before API 2.0]
entrystore.auth.recaptcha.private-key: your reCaptcha private key [required for reCaptcha, all API versions]
Confirmation email template
The template can be any HTML intended to be presented by email clients. The following strings can be used as placeholders and will be replaced with user-specific values before the confirmation message is sent:
__CONFIRMATION_LINK__: the URL to the confirmation page
__NAME__: firstname lastname
__EMAIL__: email address
__YEAR__: current year, to be used in e.g. copyright footer
entrystore.auth.signup=on
entrystore.auth.signup.email.subject=E-Mail confirmation needed
entrystore.auth.signup.email.template=/path/to/template.html
firstname.lastname@example.org
email@example.com
entrystore.auth.recaptcha=off
entrystore.auth.recaptcha.public-key=your-public-recaptcha-key
entrystore.auth.recaptcha.private-key=your-private-recaptcha-key
User-initiated password reset
Users can manually reset their passwords if this feature is activated:
entrystore.auth.password-reset=on (default: off)
entrystore.auth.password-reset.subject=E-Mail confirmation needed
entrystore.auth.password-reset.email.template=/path/to/template.html
Every attempt to reset a password is confirmed by sending a confirmation link to the respective user's email address. The new password is asked for already during the initiation of the reset; this makes the reset a two-step process (1. request, 2. confirm) instead of a three-step process (1. request, 2. confirm, 3. set new password), which would not have any security benefit.
A password reset is initiated by sending form data via a POST request (the information may also be sent as a JSON object instead of form data):
The following parameters are required:
All other parameters such as reCaptcha and redirect URLs on success and failure are the same as for the sign-up (see above).
reCaptcha keys cannot be configured separately from sign-up.
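The sign-up, password-reset and reCaptcha settings described on this page can be checked mechanically before a deployment. The following Python check is an added example, not part of EntryStore or its documentation; the function names, the sample values and the expectation that whitelist entries are numbered without gaps are assumptions.

```python
import re
P = "entrystore.auth."

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and line[0] not in "#!":
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return findings for the sign-up and password-reset settings."""
    on = lambda k: props.get(P + k, "off").lower() == "on"
    self_service, findings = on("signup") or on("password-reset"), []
    if self_service and not props.get(P + "email.from"):
        findings.append("email.from is required but not set")
    if self_service and not on("recaptcha"):
        findings.append("reCaptcha is off while sign-up or password reset is on")
    if on("recaptcha") and not props.get(P + "recaptcha.private-key"):
        findings.append("reCaptcha is on but recaptcha.private-key is not set")
    pat = re.compile(re.escape(P) + r"signup\.whitelist\.(\d+)")
    nums = sorted(int(m.group(1)) for k in props if (m := pat.fullmatch(k)))
    if on("signup") and not nums:
        findings.append("no whitelist: any email domain may sign up")
    # Assumption: entries are expected to be numbered 1, 2, 3, ... without gaps.
    if nums and nums != list(range(1, len(nums) + 1)):
        findings.append("whitelist numbering is not contiguous from 1")
    return findings

# Constructed sample configurations (placeholder values).
WEAK = """
entrystore.auth.signup=on
entrystore.auth.recaptcha=off
entrystore.auth.signup.whitelist.2=example.org
"""
HARDENED = """
entrystore.auth.signup=on
entrystore.auth.password-reset=on
entrystore.auth.email.from=noreply@example.org
entrystore.auth.recaptcha=on
entrystore.auth.recaptcha.private-key=placeholder-private-key
entrystore.auth.signup.whitelist.1=example.org
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_properties(text)))
```

An open sign-up without a whitelist is reported as a finding because, as stated above, an empty domain list allows sign-up with any domain; treat it as informational if that is intended.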