Open MaxiSanchez600 opened 5 months ago
I think you can do this currently.
If you make a GET request to /api/user/change-password this API will let you know if the current value is valid and if you will require additional trust (2FA) to complete a change password flow. A response of 404 would mean the changePasswordId is invalid, or has expired.
Perhaps the API doc is missing for this behavior.
If you are using a client library, the method is checkChangePasswordUsingId or depending upon your client library that name may be a variation of that name.
Internal:
GET method on the /api/user/change-password API.
Hi @robotdan, thanks for the reply, and sorry for not responding in time. I'm currently using the library, and when using checkChangePasswordUsingId providing the changePasswordId, I'm only getting a 200 response, not the state. And I can neither provide the state nor validate it. What I would need is to retrieve the state sent when starting the forgotPassword flow, with the forgotPassword method, in order to validate it before actually resetting the password, and not after.
Looks like the GET only tells you if the changePasswordId is valid, but does not return state if it was provided on the Forgot Password request.
I suppose this should be safe since it will be returned upon completion.
Internal:
GET method in the API.
GET method - any reason we can't return state if it was provided on the request that created the changePasswordId? If not, we should consider adding it, and review other APIs that have this same behavior to see if we need to add it elsewhere.
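The pre-check described in the replies above, as an added example that is not part of the thread or FusionAuth's own code: it treats 200 as valid and 404 as invalid or expired, as stated above, and gets no state back. Passing the Id as a path segment, and the local stub server with its sample Ids, are assumptions constructed for illustration.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PREFIX = "/api/user/change-password/"   # assumption: Id passed as a path segment
KNOWN_IDS = {"constructed-valid-id"}    # constructed sample data for the stub


class StubHandler(BaseHTTPRequestHandler):
    """Local stand-in for the server: 200 for a known Id, 404 otherwise."""
    def do_GET(self):
        sent = urllib.parse.unquote(self.path[len(PREFIX):])
        known = self.path.startswith(PREFIX) and sent in KNOWN_IDS
        self.send_response(200 if known else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):       # keep the demo output quiet
        pass


def check_change_password_id(base_url, change_password_id, timeout=5):
    """Return (verdict, status) for a reset-link Id before showing the form."""
    # Quote the Id so a crafted link value cannot alter the request path.
    url = base_url.rstrip("/") + PREFIX + urllib.parse.quote(change_password_id, safe="")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    verdict = {200: "valid", 404: "invalid_or_expired"}.get(status, "other")
    return verdict, status              # "other": caller inspects the status


def demo(ids):
    """Start the stub on a free local port and check each Id against it."""
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        return [check_change_password_id(base, i)[0] for i in ids]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo(["constructed-valid-id", "expired-or-unknown", "../admin"]))
```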
Add an endpoint to check the provided State in the forgotPassword endpoint
Problem
Currently, there is not an endpoint to check the state provided in the forgotPassword endpoint. This would be useful to verify the state before actually using the changePassword endpoint, and not after, because the password would be already updated.
So the flow would be:
Solution
Add a new endpoint to get the state, or add it to the endpoint to check the validation of a changePasswordId,