Open digisomni opened 3 years ago
Since the reset password request will normally be done from a dashboard page, the initiating request could be a POST. Thus a "POST /api/v1/account/password/reset" would accept a "{"email": "account@email.example.com"}". This would cause sending an email to that email address (if it exists for an account) that would contain the verification link. This would additionally create a request entity so the password reset request is remembered and can timeout. The verification request must be a GET as it will be clicked on in the email. It should be a "GET /api/v1/account/password/reset?a=accountId&v=verificationCode". This would redirect the user to a dashboard page for changing the password. This redirect would pass the accountId and verificationCode (or possibly create a new verification code for security). The dashboard page would confirm the verification code and the fact that a password reset request was outstanding before accepting the new password.
GET
/api/v1/account/{{accountId}}/password/reset
Parameters: This request will submit a message to the email specified on the account's file if the passed-in parameter of the email matches. This email will contain a clickable link with a verification code as a query parameter. This verification code will have a configurable expiration (configuration is done via iamus.json); it will default to 24 hours.
POST
/api/v1/account/{accountId}/password/reset
Parameters: If the verification code is correct, this request will reset the user's password to a randomly generated one. It will then submit a message to the email specified on the account's file with the newly generated password. The verification code will be deleted from the server now that it has been used.
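The flow from the first paragraph (POST the email, GET back with `a=accountId&v=verificationCode`, a remembered request that can time out), sketched as an added example that is not Iamus code: an assumed in-memory `PasswordResetService` stands in for the request entity, the accounts table and the outbox are constructed, and the 24-hour default comes from the issue text. It also shows the checks a reviewer would expect (hashed single-use code, constant-time comparison, a reply that does not reveal whether the address has an account).

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 24 * 60 * 60  # the issue's default expiry of 24 hours


def _digest(code: str) -> str:
    # Store only a hash of the code so a leaked table cannot be replayed.
    return hashlib.sha256(code.encode()).hexdigest()


class PasswordResetService:
    """Illustrative in-memory stand-in for the 'request entity' the issue describes."""

    def __init__(self, accounts: dict, now=time.time):
        self.accounts = accounts  # constructed: account_id -> email address
        self.pending = {}         # account_id -> (code_hash, expires_at)
        self.outbox = []          # (email, account_id, code) captured instead of sending mail
        self.now = now            # injectable clock so expiry can be exercised

    def request_reset(self, email: str) -> str:
        # POST /api/v1/account/password/reset with {"email": ...}.
        for account_id, acct_email in self.accounts.items():
            if acct_email.lower() == email.lower():
                code = secrets.token_urlsafe(32)  # unguessable; never stored in the clear
                self.pending[account_id] = (_digest(code), self.now() + RESET_TTL_SECONDS)
                self.outbox.append((acct_email, account_id, code))
        # Same reply whether or not the address exists, so the endpoint does not
        # confirm which emails have accounts.
        return "If an account exists for that address, a reset link has been sent."

    def verify(self, account_id: str, code: str) -> bool:
        # GET /api/v1/account/password/reset?a=<accountId>&v=<verificationCode>.
        entry = self.pending.get(account_id)
        if entry is None:
            return False
        code_hash, expires_at = entry
        if self.now() > expires_at:
            del self.pending[account_id]  # expired request is forgotten
            return False
        if not hmac.compare_digest(code_hash, _digest(code)):
            return False
        del self.pending[account_id]      # single use: consumed on success
        return True
```

A successful `verify` is where the real service would redirect to the dashboard's change-password page; the dashboard then only needs to confirm that the request was consumed here.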