Sam Saffron

Reputation: 131112

What's the RESTful way to implement a forgotten password feature?

I have the following RESTful structure:

I need 3 more actions for:

Where do these 3 actions fit in a RESTful world?

To clarify:

I know I can create whatever actions on my existing session and user controllers (e.g. a reset_password GET action or a start_reset_password POST action); it just doesn't really sit right. It seems I am trying to make these controllers do too much work.

Upvotes: 0

Views: 707

Answers (2)

Sam Saffron

Reputation: 131112

I ended up creating a new controller called forgotten_passwords to control the process:

  • forgotten_passwords - new : maps to I forgot my password page
  • forgotten_passwords - create : maps to start forgotten password action (send email with token)
  • forgotten_passwords - show : maps to the end of the process (a page where the user sees her new password)

I am pretty happy with this design. I think it called for a new controller.

Upvotes: 0

Patrick McKenzie

Reputation: 4076

REST is not black magic. Figure out what your technical goals are for these pages, then pick the right verbs to go with them.

I forgot my password page: essentially a static form, right? You want this to be cacheable. GET on any URL you want.

Send email: costly action which you don't want repeated and you DO want executed every time the user requests it: POST or PUT on any URL you want. Heck, you could make it the same as the above URL if you wanted to, but I don't see a particularly pressing need to.

Reset password based on token: I'd consider implementing this as a login-via-token instead, but if you're going to do it your way, then it has server-side consequences and hence should probably be a POST or PUT.

Upvotes: 2
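The token lifecycle behind the "send email" and "reset based on token" steps discussed in the answers above, as an added example that is not code from either answer. The class name, the 15-minute lifetime and the in-memory hash standing in for a database table are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory store standing in for a database table.
class ForgottenPasswordTokens
  TTL = 15 * 60 # token lifetime in seconds (constructed value)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @by_digest = {} # SHA-256(token) => { user:, expires_at: }
  end

  # Backs the "create" step (POST): each call has a side effect
  # (a fresh token, an email), so it is neither safe nor cacheable.
  def issue(user)
    # Keep one live token per user: a new request invalidates older links.
    @by_digest.delete_if { |_, row| row[:user] == user }
    token = SecureRandom.urlsafe_base64(32)
    @by_digest[digest(token)] = { user: user, expires_at: @clock.call + TTL }
    token # goes into the emailed link; only its digest is stored
  end

  # Backs the token-consuming step (POST or PUT): the row is deleted on
  # first use, so a replayed, prefetched or cached request gets nil.
  def redeem(token)
    row = @by_digest.delete(digest(token.to_s))
    return nil if row.nil? || @clock.call > row[:expires_at]
    row[:user]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Because `redeem` changes server state on its first call, exposing it behind GET would let a link scanner or browser prefetch consume the token before the user does.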
