I'm building an app with ruby and hanami, however I think my question is probably not framework dependent. The users of the app will sign in to book an appointment for a meeting. The passwords for the users will be encrypted with bcrypt.
My question is about the user creation. Users will not signup, but they will be created beforehand by the admin. All the user data is already in csv format and could be imported directly into the db w/o the admin having to create each one separately.
Is it possible to do so and also have the passwords generated afterwards (like an initial password) for all users once the rest of the data is imported?
Regards
seba
The best practice here is to have both a password hash field, and a signup confirmation token field that are different. The signup token is generated as a random string, something sufficiently unguessable, and is sent to the user that's created. Typically this is done via email, but it could be anything that allows you to send a link.
These links would look something like:
http://example.com/confirm/IVfltNx18MEgU57pvtRGg2lx
That last bit is your confirmation token.
You look up any user record with that confirmation token and then ask that user for their initial password. That's what you save in the database. At that point it's your call as to disabling this URL permanently. Sometimes this is important for security, and sometimes it's extremely inconvenient as users will complain their signup link no longer works. You'll have to evaluate the risks and benefits of keeping it active.
Generally this signup system can be coupled with or an extension of the "reset password" feature you'll need anyway. For invitations it's a good idea to explain what the user is setting a password for when creating their password the first time, you may need to explain what the service is so they're not confused, whereas with a reset request they already know what to expect.