FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Add an endpoint to check the provided State in the forgotPassword endpoint #2637

Open MaxiSanchez600 opened 5 months ago

MaxiSanchez600 commented 5 months ago

Add an endpoint to check the provided State in the forgotPassword endpoint

Problem

Currently, there is no endpoint to check the state provided in the forgotPassword endpoint. This would be useful to verify the state before actually using the changePassword endpoint, and not after, because the password would already be updated.

So the flow would be:

Solution

Add a new endpoint to get the state, or add it to the endpoint that checks the validity of a changePasswordId.

robotdan commented 4 months ago

I think you can do this currently.

If you make a GET request to /api/user/change-password this API will let you know if the current value is valid and if you will require additional trust (2FA) to complete a change password flow. A response of 404 would mean the changePasswordId is invalid, or has expired.

Perhaps the API doc is missing for this behavior.

If you are using a client library, the method is checkChangePasswordUsingId or depending upon your client library that name may be a variation of that name.

robotdan commented 4 months ago

Internal:

MaxiSanchez600 commented 3 months ago

> I think you can do this currently.
>
> If you make a GET request to /api/user/change-password this API will let you know if the current value is valid and if you will require additional trust (2FA) to complete a change password flow. A response of 404 would mean the changePasswordId is invalid, or has expired.
>
> Perhaps the API doc is missing for this behavior.
>
> If you are using a client library, the method is checkChangePasswordUsingId, or depending upon your client library that name may be a variation of that name.

Hi @robotdan, thanks for the reply, and sorry for not responding in time. I'm currently using the library, and when using checkChangePasswordUsingId with the changePasswordId, I'm only getting a 200 response, not the state. I can neither provide the state nor validate it. What I would need is to retrieve the state sent when starting the forgotPassword flow with the forgotPassword method, in order to validate it before actually resetting the password, not after.

robotdan commented 2 weeks ago

Looks like the GET only tells you if the changePasswordId is valid, but does not return state if it was provided on the Forgot Password request.

I suppose this should be safe since it will be returned upon completion.

Internal:
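Since the thread concludes that `state` only comes back in the Change Password response, a relying party can still make that late check meaningful by signing the value before handing it to Forgot Password and verifying the returned copy before any post-reset action. This is an added example, not FusionAuth code: `make_state`, `verify_state` and `STATE_KEY` are hypothetical names and the key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; in practice load a per-deployment secret from configuration.
STATE_KEY = b"demo-only-key-replace-me"


def make_state(session_id: str, redirect: str, key: bytes = STATE_KEY,
               now: Optional[int] = None) -> str:
    """Build the opaque `state` value passed on the Forgot Password request.

    The payload is bound to the caller's session and stamped with an expiry, then
    signed with HMAC-SHA256 so tampering is detectable when the value is returned
    from the Change Password response.
    """
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sid": session_id, "redirect": redirect, "exp": now + 3600},
                         separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).rstrip(b"=")
    sig = base64.urlsafe_b64encode(hmac.new(key, body, hashlib.sha256).digest()).rstrip(b"=")
    return (body + b"." + sig).decode()


def verify_state(state: str, session_id: str, key: bytes = STATE_KEY,
                 now: Optional[int] = None) -> Optional[dict]:
    """Check the `state` handed back after the password change.

    Returns the decoded payload when signature, session binding and expiry all hold,
    otherwise None. The password is already reset by the time this runs, so a failure
    should abort the follow-up action (redirect, auto-login) and be logged.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig = state.encode().split(b".")
    except ValueError:
        return None
    expected = base64.urlsafe_b64encode(hmac.new(key, body, hashlib.sha256).digest()).rstrip(b"=")
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if payload.get("sid") != session_id or payload.get("exp", 0) < now:
        return None
    return payload
```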