0

I have a small app with a working LoginActivity. I now want to develop a Fragment for this activity that will handle helping the user to create a new password if it has been forgotten. I have seen some people using PHP/MySQL for this, but I was wondering if it is possible to use Java/SQLite to accomplish the same goal?

Expected functionality:

  1. User clicks forgot password link
  2. Sent to ForgotPass_Fragment which asks/verifies a user's email.
  3. If it is a valid email, email the user the code/new temp password

I guess the real question is if I can use Java to send an email to the user with the newly generated info rather than using PHP or some other language? Would something like this be the best practice?

Jonathan Scialpi
  • It is the responsibility of whom you are logging in to on the backend/server side to send the email. – EpicPandaForce Mar 25 '17 at 14:36
  • @EpicPandaForce so would it be considered best practice to handle this sending of the email from intent like in this post? http://stackoverflow.com/questions/28546703/how-to-code-using-android-studio-to-send-an-email – Jonathan Scialpi Mar 25 '17 at 14:37
  • You should call the server side with a REST API call, for example `api/user/forgotPassword`, with a JSON like `{ 'email': 'blah@blah.com' }`, and the server side should send the recovery email to the user – EpicPandaForce Mar 25 '17 at 14:40

1 Answer

0

Assuming your password recovery information is stored on a server, you will need to use some sort of server-side (PHP, or Java, or whatever) webservice to serve the "recovery email".

If for some reason you already have the user's password information on the phone (which would be a really bad idea) you could use a local Android Java call to respond with the information.

Bottom line, you will need a webservice to provide the password info to the user.

Booger
  • I am storing in SQLite database for now since we are still in early stages of development. The only time I have the user's password/username on the phone is for the SharedPreferences portion to assist the user in staying logged in. Is this ok? If not, what would you recommend? – Jonathan Scialpi Mar 25 '17 at 14:41
  • SharedPreferences can be easily read by anyone (so is completely un-secure). Outside the scope of this question, but for sure DON'T store secure info in SharedPreferences. – Booger Mar 25 '17 at 14:44
  • Okay thanks @Booger . Do you have a suggestion for best practice for staying logged in? ... Also, is it still an issue if I encrypt the info? – Jonathan Scialpi Mar 25 '17 at 14:46
  • Here is a blog about it: http://www.androidauthority.com/use-android-keystore-store-passwords-sensitive-information-623779/ – Booger Mar 25 '17 at 14:52
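
The server side of the `api/user/forgotPassword` call suggested in the comments, as an added example that is not code from the original thread: it issues a random, expiring, single-use recovery code, keeps only its hash, and returns the same reply whether or not the address is registered. The class name, the in-memory maps, the 15-minute lifetime and `sendMail` are assumptions for illustration (plain JDK 16+, no framework).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class ForgotPasswordService {
    // Constructed sample data; a real service would query its user database.
    private final Set<String> knownEmails = Set.of("blah@blah.com");
    // email -> pending reset; only a hash of the code is kept server-side.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private record Pending(byte[] codeHash, Instant expires) {}

    /** Handles POST api/user/forgotPassword; the reply is identical for any email. */
    public String forgotPassword(String email) throws Exception {
        if (knownEmails.contains(email)) {
            byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
            rng.nextBytes(raw);
            String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            pending.put(email, new Pending(sha256(code), Instant.now().plusSeconds(900)));
            sendMail(email, code);
        }
        // Same body for unknown addresses, so the endpoint does not reveal who has an account.
        return "{\"status\":\"If the address is registered, a recovery email was sent\"}";
    }

    /** Redeems a code; true only for an unexpired, matching code. */
    public boolean redeem(String email, String code) throws Exception {
        Pending p = pending.remove(email);   // single use: any attempt consumes the code
        return p != null && Instant.now().isBefore(p.expires())
                && MessageDigest.isEqual(p.codeHash(), sha256(code));
    }
    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Hypothetical stand-in for the mail transport (SMTP or a mail API in practice).
    void sendMail(String to, String code) {
        System.out.println("mail to " + to + ": reset code " + code);
    }

    public static void main(String[] args) throws Exception {
        ForgotPasswordService svc = new ForgotPasswordService();
        System.out.println(svc.forgotPassword("blah@blah.com"));       // registered
        System.out.println(svc.forgotPassword("nobody@example.com"));  // same reply
    }
}
```

The Android client only posts the email address and later submits the code together with a new password; no password or recovery secret is generated or stored on the device.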