Currently, when requesting a password reset, the reset token is included in the response:
    {
      "message": "An email has been sent to your email address with a link to reset your password. It will be valid for 15 minutes.",
      "token": "6c68c09bfbe4442194482904ec6768c3"
    }
Obviously, the whole point of a password reset request is that the user has to get the token from their email. A user shouldn't be able to see the reset token in the network response.
Requirements
Remove the token from the password-reset request response.
Tests
Update tests that currently read the token from the response so they obtain it through some other means (e.g. from the email that the reset flow sends).
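The change and the test strategy side by side, as an added example written for this issue rather than the project's own code. `PasswordResetService`, `FakeMailer`, `token_from_mail` and the `https://example.test/reset` URL are assumptions; the leaky handler reproduces the current behaviour, the fixed one sends the same email but returns only the message, and the test double captures the outgoing mail so a test can still recover and validate the token without it ever appearing in the HTTP response.

```python
import re
import secrets
import time

# The page states the link stays valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60
MESSAGE = ("An email has been sent to your email address with a link to "
           "reset your password. It will be valid for 15 minutes.")


class FakeMailer:
    """Test double: records outgoing mail instead of sending it (assumed helper)."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})


class PasswordResetService:
    """Minimal reset flow with the leaky and the fixed request handler (assumed service)."""

    def __init__(self, mailer, base_url="https://example.test/reset"):
        self.mailer = mailer            # real app would inject an SMTP/API client
        self.base_url = base_url        # hypothetical reset link prefix
        self._tokens = {}               # token -> (email, expiry timestamp)

    def _issue_token(self, email):
        # 32 hex chars, matching the token shape shown in the issue.
        token = secrets.token_hex(16)
        self._tokens[token] = (email, time.time() + TOKEN_TTL_SECONDS)
        self.mailer.send(email, "Password reset",
                         f"Reset your password: {self.base_url}?token={token}")
        return token

    def request_reset_leaky(self, email):
        """Before the fix: the secret token is echoed back to the caller."""
        token = self._issue_token(email)
        return {"message": MESSAGE, "token": token}

    def request_reset(self, email):
        """After the fix: same email is sent, but the response carries only the message."""
        self._issue_token(email)
        return {"message": MESSAGE}

    def validate_token(self, token):
        """True if the token was issued and has not expired."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        _, expires_at = entry
        return time.time() < expires_at


def token_from_mail(mailer):
    """What the updated tests do instead of reading the response: parse the last email."""
    if not mailer.sent:
        return None
    match = re.search(r"token=([0-9a-f]{32})", mailer.sent[-1]["body"])
    return match.group(1) if match else None


if __name__ == "__main__":
    mailer = FakeMailer()
    svc = PasswordResetService(mailer)
    print("leaky response:", svc.request_reset_leaky("alice@example.test"))
    print("fixed response:", svc.request_reset("alice@example.test"))
    token = token_from_mail(mailer)
    print("token recovered from email, valid:", svc.validate_token(token))
```

In the test suite the assertion that replaces the old `response["token"]` lookup is `"token" not in response` together with a check that the token parsed from the captured email validates. Keeping the success message identical whether or not the address exists also avoids turning the endpoint into an account-enumeration oracle.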