FusionAuth / fusionauth-client-builder

The FusionAuth client library builder
https://fusionauth.io/
Apache License 2.0

Set changePassword as anonymous #34

Closed Eitan1112 closed 3 years ago

Eitan1112 commented 3 years ago

Per the request in the PR in fusionauth-typescript-client, I created a PR here.

Currently, the changePassword function (/src/FusionAuthClient.ts) uses the start function, which sends an Authorization header in the request with the API key. However, according to the FusionAuth docs, if a changePasswordId is sent, there is no need to send an API key.

In internal tests, it seems that this function is broken and FusionAuth cannot accept an API key along with changePasswordId (FusionAuth version 1.20.0). When using this function, it sent the API key along with the changePasswordId, and the HTTP response status code was 401, which implies an invalid Authorization header. When sending the exact same request without the Authorization header, the response status code was 200 and the password was successfully reset.

The fix is to use startAnonymous instead of start, to prevent sending the API key in the Authorization header, and instead only send the changePasswordId.

mooreds commented 3 years ago

Thanks for the (additional) PR @Eitan1112!

This looks good to me. @robotdan, can you give it a once-over?

robotdan commented 3 years ago

I think this would be OK; we should maybe audit this one further. If you use a changePasswordId, you don't need an API key, but I think we will also not use anything in the request body. So should this API even take a request object if we are taking a changePasswordId?

Eitan1112 commented 3 years ago

Actually, you need to provide the new password in the request body, according to the docs, @robotdan.

robotdan commented 3 years ago

Ha, oops, I'm an idiot. Thanks @Eitan1112, you are correct.
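
The change discussed in this thread, as an added example that is not part of the PR or of FusionAuth's generated client: a stand-in client whose start and startAnonymous entry points mirror the ones named above, plus a regression check that the API key never leaves with a changePasswordId request while the new password still travels in the body. The class, the leaksApiKey helper, the endpoint path, and all sample values are assumptions constructed for illustration.

```typescript
// Added example: a stand-in for a generated REST client, not FusionAuth's own code.
interface PreparedRequest {
  method: string;
  url: string;
  headers: { [name: string]: string };
  body: string | null;
}

class DemoClient {
  apiKey: string;
  host: string;
  constructor(apiKey: string, host: string) {
    this.apiKey = apiKey;
    this.host = host;
  }

  // start(): every request built from here carries the API key.
  start(): PreparedRequest {
    const req = this.startAnonymous();
    req.headers["Authorization"] = this.apiKey;
    return req;
  }

  // startAnonymous(): no credential is attached.
  startAnonymous(): PreparedRequest {
    return { method: "GET", url: this.host, headers: {}, body: null };
  }

  // useApiKey = true reproduces the behaviour before the fix, false the fix.
  changePassword(changePasswordId: string, password: string, useApiKey: boolean): PreparedRequest {
    const req = useApiKey ? this.start() : this.startAnonymous();
    req.method = "POST";
    // Endpoint path is an assumption; the thread does not spell it out.
    req.url += "/api/user/change-password/" + encodeURIComponent(changePasswordId);
    req.headers["Content-Type"] = "application/json";
    req.body = JSON.stringify({ password: password }); // new password goes in the body
    return req;
  }
}

// Regression check: does the API key appear anywhere in the outgoing request?
function leaksApiKey(req: PreparedRequest, apiKey: string): boolean {
  const headerValues = Object.keys(req.headers).map((k) => req.headers[k]);
  return [req.url, req.body || ""].concat(headerValues).some((v) => v.indexOf(apiKey) !== -1);
}

// Constructed sample values.
const demo = new DemoClient("constructed-api-key", "https://auth.example.test");
const oldReq = demo.changePassword("constructed-id", "N3w-passphrase!", true);
const fixedReq = demo.changePassword("constructed-id", "N3w-passphrase!", false);
```

A check like leaksApiKey fits in the generated client's test suite for every endpoint that the API documents as not requiring an API key.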