Forgot Credentials functionality
The Bloomreach Commerce Accelerator provides OOTB basic components and templates supporting credentials reset. The credential reset components invoke the related operations of CustomerRepository implemented by the specific Commerce Connector Module. Bloomreach Commerce Accelerator does not include the implementations for the supported connectors yet. So, until the operations of the specific Commerce Connector Module are implemented, the reset credentials components cannot work properly.
The Commerce Connector SDK API introduced two new operations in the CustomerRepository: please have a look at the reset credentials methods introduced in the Customer Repository.
Reset credentials pages/components are not enabled by default in the Bloomreach Commerce Accelerator boot applications. The related components implemementation needs to be extended in most of the cases considering specific scenarios. The next paragraph details how to enable this functionality and how to extend accordingly.
The Bloomreach Commerce Accelerator library provides the following components dealing with the credentials reset operation:
These two components are based on the HST components: the current implementation is mainly focused on the forgot password reset flow. These components/templates can be extended to support other requirements, such as forgot username, security questions etc.
Reset credentials pages are not enabled in Bloomreach Commerce Accelerator by default: this means that the related pages are not "reachable" from the login form. In order to display the forgot link, the isCredentialsResetEnabled component configuration must be set to true.
Depending on your specific backend, connector component service base url, method type and request body must be specified accordingly. Once the new connector component has been published, the login page will display a new link pointing to the forgot credentials form.
The reset credentials flow included with Bloomreach Commerce Accelerator is designed to be compliant to the Forgot Password Cheat Sheet  defined by the OWASP foundation. The reset credentials components does not implement all the requirements specified in that Cheat Sheet, but the implementation provided by default can be extended depending on the specific requirements. At the moment, Bloomreach Accelerator: B2C Commerce provides two different pages/components compliant to the reset flow suggested by OWASP:
- The page rendering the forgot credentials form (powered by the ForgotCredentialsComponent)
- The page rendering the reset password form (powered by the ResetCredentials component)
Considering the flow suggested by OWASP, an ideal implementation of the credentials reset flow in a Bloomreach Commerce Accelerator application should be compliant to the following points:
- Use the ForgotCredentialsComponent in order to precess the forgot credentials request
- Use the custom requestCredentialsReset commerce connector implementation to send a token over a side channel
- Use the ResetCredentialsComponent to process the new credentials
- Use the credentialsReset commerce connector implementation to propagate the new credentials and log accordingly
As a general practice, sensible data (e.g. tokens) should not be stored in the Bloomreach Commerce Accelerator application.
At the moment, the Bloomreach Commerce Accelerator Boot applications provide two templates for the Reset Credential components:
- starterstore-forgot-form.ftl displaying the forgot password form.
- starterstore-productlist-atc.ftl displaying the reset password form.