particle-iot / particle-android

Particle Open Source for Android
Apache License 2.0

Password reset does not work for customer accounts #75

Closed rlysens closed 5 years ago

rlysens commented 5 years ago

The current password reset logic in the Device Setup Library does not work for customer accounts, i.e. accounts created through the Device Setup Library.

The PasswordResetActivity calls the cloudSDK's requestPasswordReset() function to reset a customer account password:

https://github.com/particle-iot/particle-android/blob/7bbf20f713fe2d6b1f11615721d5199bf06fedd0/devicesetup/src/main/java/io/particle/android/sdk/accountsetup/PasswordResetActivity.java#L87

However, cloudSDK function requestPasswordReset() can only be used for Particle user accounts, not customer accounts. For Particle user accounts, requestPasswordReset() results in an e-mail being sent to the account's e-mail address. For customer accounts no e-mail will be sent.

jensck commented 5 years ago

Thanks for reporting this! I'll look into it sometime this week.

gusgonnet commented 5 years ago

Hi @jensck, I think I hit this issue too. Has there been any progress on this? Thanks!

bloukingfisher commented 5 years ago

@gusgonnet I'm sure this is related to Particle retiring the functionality for customer product accounts. See the message below that was sent out in April to accounts that were using the functionality. I am myself facing the same issue and have not transitioned to two-legged authentication and would need to figure out building my own user flow. I'm not sure if it would be possible, but since the recommendation is OAuth, the alternative would be to build in the flow and switch to the recommended approach (with your own keys, etc.) for customer product accounts.

==== From: Jeff Eiden jeff@particle.io
Sent: Tuesday, April 16, 2019 10:01 AM
Subject: [Action Required] Deprecation of Sending Password Reset Emails

Hello there,

My name is Jeff Eiden — I'm a Product Manager here at Particle. I'm reaching out to you because you are part of a product team that has configured SMTP settings for Particle to send Customer Password Reset Emails on your behalf. We have decided to end support for sending password reset emails moving forward, and want to give you advance notice to make any changes required to avoid interruption to your IoT deployment.

The planned end-of-life date for this feature is June 11, 2019. After the end-of-life, we will stop sending password reset emails on your behalf (POST https://api.particle.io/v1/password will cease to exist). We will also stop displaying SMTP configuration in our Console interface as well as in our APIs. This means that if you currently rely on this behavior, you must make the recommended changes described below before June 11th to avoid disruption.

Migration paths

  1. Switch to two-legged authentication (preferred): Our recommendation is that you begin storing & managing accounts of your customers in your own back-end system. This is referred to as the two-legged auth approach, which you can learn about how to implement in our docs. As part of this transition, you'd create your own flow for resetting customer passwords that interacts with your database of users.
  2. Update customer passwords directly using our REST API: If you are not ready to move to managing credentials for your customers and use two-legged auth, there is a second option. Particle exposes an API endpoint to directly update a customer password. In this scenario, you would still implement your own "forgot password" flow yourself to verify a user's identity and collect a new password. But instead of updating the password on your back-end, you could make a request to this API endpoint to store the new password in Particle's system.

In either migration path, you will need to take on some or all of the interactions needed to reset a customer password. We recommend this article for best practices of implementing such a flow.

If you have any questions, you can reply to this email and I will get back to you.

Thanks,
Jeff Eiden

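
Both migration paths in the e-mail above leave the "forgot password" flow itself to the product team: prove the requester controls the account, then push the new password either to your own user store (two-legged auth) or to Particle's customer-password endpoint. The following is an added example, not code from this thread or from the Particle SDK, of the server-side core of such a flow in Python. It issues a random single-use reset token, stores only a hash of it, enforces an expiry and an attempt limit, and hands the verified new password to an `update_password` callback. All names here (`PasswordResetService`, `update_password`, the in-memory `store`) are assumptions for illustration; in a real deployment the callback would write to your database or call the Particle endpoint the e-mail refers to, and the token would be delivered to the customer by your own mail system.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # reset links should be short-lived
MAX_ATTEMPTS = 5              # stop online guessing of the token
MIN_PASSWORD_LENGTH = 12


@dataclass
class ResetRecord:
    token_hash: bytes     # only the hash is stored; a DB leak does not leak live tokens
    expires_at: float
    attempts: int = 0
    used: bool = False


class PasswordResetService:
    """Self-hosted 'forgot password' flow (hypothetical example service)."""

    def __init__(self, update_password, clock=time.time):
        # update_password(email, new_password) is the assumed hook that persists
        # the password: your own user DB, or a call to Particle's customer API.
        self._update_password = update_password
        self._clock = clock
        self._pending = {}  # email -> ResetRecord

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def request_reset(self, email: str) -> str:
        """Issue a fresh token; the caller e-mails it to the customer.

        Always succeeds, so the response does not reveal whether the
        account exists (the caller decides whether to actually send mail)."""
        token = secrets.token_urlsafe(32)
        self._pending[email] = ResetRecord(
            token_hash=self._hash(token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Verify the token and set the new password. Returns True on success."""
        rec = self._pending.get(email)
        if rec is None or rec.used:
            return False
        if self._clock() > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
            del self._pending[email]          # stale or brute-forced: discard
            return False
        rec.attempts += 1
        # Constant-time comparison of hashes, so timing does not leak the token.
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False                      # token stays valid; only the password was rejected
        rec.used = True                       # single use, even if the callback raises
        self._update_password(email, new_password)
        del self._pending[email]
        return True


if __name__ == "__main__":
    # Constructed demo: an in-memory store stands in for the real backend.
    store = {}
    svc = PasswordResetService(lambda e, p: store.__setitem__(e, p))
    tok = svc.request_reset("customer@example.com")
    print("wrong token accepted:", svc.complete_reset("customer@example.com", "nope", "correct horse battery"))
    print("right token accepted:", svc.complete_reset("customer@example.com", tok, "correct horse battery"))
    print("token reusable:", svc.complete_reset("customer@example.com", tok, "correct horse battery"))
```

The verification step uses `hmac.compare_digest` on the stored hash rather than on the raw token, so neither a database read nor a timing side channel yields a usable token. The `update_password` hook is where the two migration paths differ; the reset logic in front of it is the same either way.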
gusgonnet commented 5 years ago

Ouch! That would be pretty painful... Thank you for the info. Gustavo.

gusgonnet commented 5 years ago

we are talking about this bug on this thread: https://community.particle.io/t/stop-using-the-simple-authentication-method-for-particle-products/51705

jensck commented 5 years ago

This method is no longer supported by Particle's cloud API, so the corresponding method, requestPasswordResetForCustomer(), has been removed from the latest releases of the mobile SDKs.