### Blocked by
- [ ] https://github.com/leaderboardsgg/leaderboard-backend/issues/147
Endpoint: POST /account/recover
The server may impose a limit on how often a client can call this endpoint. If the client calls this endpoint too many times within a given timespan, the server may respond with a 429 TOO MANY REQUESTS status code.
Request body fields:
email: string
username: string
[ ] The server must respond with a 200 OK status code, even if the specified username and email do not correspond to an existing user account. This is to prevent malicious users from determining another user's email and username.
[ ] If the email and username specified belong to the same existent user whose role is CONFIRMED or ADMIN, the server must initiate the account recovery link generation procedure. (See below.)
Procedure
Inputs:
email: string
username: string
[ ] If the email and username supplied to this procedure do not both correspond to the same existent user in the database, the procedure must terminate without performing any further actions.
[ ] If the corresponding user has a role of BANNED or REGISTERED, the procedure must terminate without performing any further actions.
[ ] A new recovery record must be created in the database.
[ ] The new recovery record's UserId field must be the ID corresponding to the user with the specified email and username.
[ ] An email must be sent to the supplied email address,
TODO: Determine the exact contents of the email.
[ ] The email must contain a link to the password reset page.
[ ] The password reset page link must have the path /reset-password?code={id} where {id} is the newly-created recovery's ID in Base64 encoding.
Parent issue: https://github.com/leaderboardsgg/leaderboard-backend/issues/159
Endpoint:
POST /account/recoverThe server may impose a limit on how often a client can call this endpoint. If the client calls this endpoint too many times within a given timespan, the server may respond with a
429 TOO MANY REQUESTSstatus code.Request body fields:
email: string
username: string
[ ] The server must respond with a
200 OKstatus code, even if the specified username and email do not correspond to an existing user account. This is to prevent malicious users from determining another user's email and username.[ ] If the email and username specified belong to the same existent user whose role is
CONFIRMEDorADMIN, the server must initiate the account recovery link generation procedure. (See below.)Procedure
Inputs:
email: string
username: string
[ ] If the email and username supplied to this procedure do not both correspond to the same existent user in the database, the procedure must terminate without performing any further actions.
[ ] If the corresponding user has a role of
BANNEDorREGISTERED, the procedure must terminate without performing any further actions.[ ] A new recovery record must be created in the database.
UserIdfield must be the ID corresponding to the user with the specified email and username.[ ] An email must be sent to the supplied email address,
/reset-password?code={id}where{id}is the newly-created recovery's ID in Base64 encoding.