User accounts in the OpenMRS Platform are secured with password hashes and salt; however, because OpenMRS did not historically include the ability to send email, the process for resetting passwords has been less than ideal. Currently, an administrator sets a temporary password or a user answers their "secret question" (a question and answer the user previously provided). A medical record system should take a stronger approach to password security: not even an administrator should ever know a user's password, even temporarily. The current approach also puts an undue burden on administrators, who must reset passwords for users who have forgotten them.
Over the past few years, OpenMRS has been migrating toward use of web services (REST or FHIR), so any new functionality should be designed to work through these RESTful APIs.
The goal of this project is to introduce mail capability into the OpenMRS Platform along with the ability for a user to perform a self-service password reset. The primary goal is to introduce the functionality such that it can be managed through the REST API. Only when this is completed and merged into master will we proceed to build user interfaces for managing the functionality.
Incorporate JSR 919 mail capability into the OpenMRS Platform
users table within the Platform along with the ability to set and retrieve a user's email address via the REST API
users.email attribute within core.
user_reset_token table would be used to store user, timestamp, and one-way hashed UUID (max one per user).
user_reset_token to reset someone else's password).
Demonstrate use of the new password reset REST API endpoints using an OWA (open web app) web application in the OpenMRS Reference Application.
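As an added illustration of the user_reset_token design above (example code, not OpenMRS code): a minimal in-memory stand-in for the table that stores only the one-way hash of the UUID, keeps at most one row per user, and treats each token as single use. The 30-minute lifetime and the method names are assumptions; the page does not specify them.

```python
"""Self-service password reset tokens, modelled on the user_reset_token design."""
import hashlib
import hmac
import uuid
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(minutes=30)  # assumed lifetime; not specified by the project page


def hash_token(token: str) -> str:
    """One-way hash of the token; only this value is stored, never the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """In-memory stand-in for the user_reset_token table: at most one row per user."""

    def __init__(self):
        self._rows = {}  # user_id -> (token_hash, created_at)

    def issue(self, user_id: int, now: datetime) -> str:
        """Create a fresh token for user_id, replacing any earlier one.
        The plaintext UUID is returned exactly once so it can be emailed to the user;
        a database compromise exposes only the hash, which cannot be replayed."""
        token = str(uuid.uuid4())
        self._rows[user_id] = (hash_token(token), now)
        return token

    def redeem(self, user_id: int, token: str, now: datetime) -> bool:
        """Return True (and delete the row) only if token matches and is unexpired."""
        row = self._rows.get(user_id)
        if row is None:
            return False
        token_hash, created_at = row
        if now - created_at > TOKEN_TTL:
            del self._rows[user_id]  # expired rows are useless; drop them
            return False
        # Constant-time comparison of the two hex digests avoids a timing side channel.
        if not hmac.compare_digest(token_hash, hash_token(token)):
            return False  # wrong guess: the legitimate token stays valid
        del self._rows[user_id]  # single use: a redeemed token can never be reused
        return True
```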