A big user complaint is having to copy/paste the temp password that gets sent in order to log in again. It is a bit awkward and novice users have trouble with this action. It's a much more common procedure to send a one-time password reset link that, if clicked during the short window, will allow the user to set a new password. Current and proposed flows below:
Current flow:
user forgets password
user enters username and email and client sends request to user/reset_password
(assuming user exists) server generates password, marks account as new_account and sends password to user via email
user copies password from email and logs in with this user/pw combo
since new_account is set, user is forced to change password
Proposed flow:
user forgets password
user enters username and email and client sends request to user/reset_password
(assuming user exists) server generates a password reset code (which expires in 30 minutes) and sends link to user.
user clicks link in email and is directed to client to set a new password.
this should work similarly to the user/activate API -- the generated link allows the frontend to query an endpoint to see if the request was successful and, if so, prompt the user to set a new password.
Once reset, the user will need to log in again, as the process won't contain the user's username.
Thoughts?
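A sketch of how the proposed flow could be implemented server-side, added here as an example; it is not code from the original post or from the project. The `PasswordResetService` class, the `https://app.example/reset` link format, the in-memory store, and PBKDF2 for password hashing are all assumptions. It shows the parts a reviewer would want pinned down: the 30-minute expiry, only a hash of the code kept at rest, single use, the same response whether or not the user exists, and no session handed out after the reset (the user logs in again, as the proposal says).

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

RESET_TTL_SECONDS = 30 * 60  # the 30-minute window from the proposal
PBKDF2_ROUNDS = 200_000      # assumption: the project may use a different password hash


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt$digest' (hex). Assumed, not the project's scheme."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def code_from_link(link):
    """Pull the reset code out of the emailed link (what the frontend does when it is opened)."""
    return parse_qs(urlparse(link).query)["code"][0]


class PasswordResetService:
    """Hypothetical service backing user/reset_password and the code-check/set-password endpoints."""

    def __init__(self, users, now=time.time):
        self.users = users          # username -> {"email": ..., "password_hash": ...}
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # sha256(code) -> {"username": ..., "expires": ...}

    @staticmethod
    def _hash_code(code):
        # Only the hash is stored; a leaked table does not yield usable reset links.
        return hashlib.sha256(code.encode()).hexdigest()

    def request_reset(self, username, email):
        """user/reset_password. Returns the link to email, or None if nothing should be sent.
        The HTTP layer should answer identically in both cases to avoid account enumeration."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["email"].encode(), email.encode()):
            return None
        code = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        self._pending[self._hash_code(code)] = {
            "username": username,
            "expires": self._now() + RESET_TTL_SECONDS,
        }
        return f"https://app.example/reset?code={code}"  # assumed link format

    def _lookup(self, code):
        key = self._hash_code(code)
        entry = self._pending.get(key)
        if entry is None:
            return None
        if entry["expires"] <= self._now():
            del self._pending[key]  # expired: drop it so it cannot be retried
            return None
        return entry

    def check_code(self, code):
        """Endpoint the frontend queries when the link is opened (like user/activate):
        True means 'show the new-password form', False means 'link invalid or expired'."""
        return self._lookup(code) is not None

    def set_new_password(self, code, new_password):
        """Consume the code and set the password. Returns success only; no session is issued,
        so the user logs in again with the new password."""
        entry = self._lookup(code)
        if entry is None:
            return False
        # Single use: drop this code and any other outstanding codes for the same account.
        self._pending = {k: v for k, v in self._pending.items() if v["username"] != entry["username"]}
        self.users[entry["username"]]["password_hash"] = hash_password(new_password)
        return True
```

A real deployment would keep `_pending` in the database or cache with the same shape (hashed code, username, expiry), rate-limit `request_reset` per account and per source address, and invalidate existing sessions when the password changes.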