Users who can't access their account are left alone. For them to recover their accounts/passwords, it's going to take publicly-accessible API resources that don't require usual auth measures.
Suggested resources
POST /recovery - User indicates the account they wish to recover. A special short-lived token, whose only use is resetting that specific pair of credentials, is generated and sent to them through the account's contact information. They must use it with the next API resource.
POST /recovery/reset - Accepts said special token along with the new credentials to reset to.
Originally posted by @bglamadrid in https://github.com/trebol-ecommerce/trebol-api/issues/16#issuecomment-922115379
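
A minimal model of the two suggested resources, added here as an example; it is written in Python and is not trebol-api's own code. The class and helper names, the 15-minute lifetime, the hashed token store and the identical response for unknown accounts are assumptions that the issue text does not state.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: the issue only says "short-lived"


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> bytes:
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


class RecoveryService:
    """Hypothetical in-memory model of the two suggested resources."""

    def __init__(self, accounts, send, now=time.time):
        self.accounts = accounts  # username -> {"contact": ..., "password": ...}
        self.send = send          # callable(contact, token): e-mail/SMS delivery
        self.now = now
        self.pending = {}         # sha256(token) -> (username, expires_at)

    def request_recovery(self, username):
        """POST /recovery: issue a token bound to exactly one account."""
        account = self.accounts.get(username)
        if account is not None:
            # A new request invalidates any token issued earlier for this account.
            self.pending = {d: e for d, e in self.pending.items() if e[0] != username}
            token = secrets.token_urlsafe(32)
            expires_at = self.now() + TOKEN_TTL_SECONDS
            self.pending[_digest(token)] = (username, expires_at)
            self.send(account["contact"], token)
        # Same response for unknown accounts: the endpoint needs no auth,
        # so it must not reveal which usernames exist.
        return {"status": "accepted"}

    def reset(self, token, new_password):
        """POST /recovery/reset: redeem the token once, before it expires."""
        entry = self.pending.pop(_digest(token), None)  # pop makes it single-use
        if entry is None or self.now() > entry[1]:
            return False
        self.accounts[entry[0]]["password"] = _hash_password(new_password)
        return True
```

Because both resources are reachable without authentication, a real deployment would also rate-limit them per client and per account.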