Closed randomouscrap98 closed 2 years ago
Or just keep them in memory and don't worry about it. Also, the password reset endpoint will need an excessive retry timer, something like 30 seconds
You must ensure that users can't be "locked out" of their password reset by someone who knows their email spamming the endpoint. Should the system track multiple codes or just refresh the current one? Doesn't matter too much I guess, but multiple codes might be a bit more complex if you want to expire all of them afterwards.
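An added sketch of the in-memory design discussed above (example code, not the project's own): issuance is throttled per user with a 30 second retry timer, a throttled request leaves already-issued codes untouched so spamming the endpoint cannot lock the real user out, several codes can be outstanding at once, and all of them are expired on a successful reset. The `ResetCodeStore` class, the TTL value and the injectable clock are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

RESET_RETRY_SECONDS = 30      # minimum gap between two codes for one user
RESET_CODE_TTL_SECONDS = 900  # assumed lifetime of any single code

@dataclass
class ResetState:
    codes: dict = field(default_factory=dict)  # code -> expiry timestamp
    last_issued: float = 0.0

class ResetCodeStore:
    """Hypothetical in-memory store of reset codes, keyed by user id."""
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so tests can advance time
        self._users = {}       # user_id -> ResetState

    def request_code(self, user_id: str):
        """Return a fresh code, or None while the user is inside the retry window.
        A throttled request does NOT touch existing codes, so a spammer
        cannot invalidate a code the real user already received."""
        now = self._now()
        state = self._users.setdefault(user_id, ResetState())
        if now - state.last_issued < RESET_RETRY_SECONDS:
            return None
        code = secrets.token_hex(16)
        state.codes[code] = now + RESET_CODE_TTL_SECONDS
        state.last_issued = now
        return code

    def redeem(self, user_id: str, code: str) -> bool:
        """Consume a code. On success every outstanding code for the user is
        expired, so an older code cannot be replayed after the reset."""
        now = self._now()
        state = self._users.get(user_id)
        if state is None:
            return False
        for stored, expiry in list(state.codes.items()):
            if expiry < now:
                del state.codes[stored]   # lazily drop expired codes
                continue
            # constant-time comparison; bytes avoids TypeError on non-ASCII input
            if secrets.compare_digest(stored.encode(), code.encode()):
                state.codes.clear()
                return True
        return False
```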
The underlying system is implemented, it needs to be tested and then an endpoint in some controller needs to be added AND the builtin frontend needs to support it.
With an Instant strategy, password resets cannot be performed. With standard, the code is sent to the user directly. With restricted, the email is sent to a third party who then sends the original user their password reset code.
There IS no password reset code table or anything, so... this will require quite a bit of additional work. Where will the code go, too... probably either an extra column in the user table or another table and will be accessed from the user service. Additional table is more form compliant, extra column is a bit easier... but is it??