baynezy

Reputation: 7046

RESTful - reset password

My question is similar to the following two existing questions

Where they differ from mine is that I won't have the user Id at the time of requesting the reset, just their email address. E.g. my existing API is:

GET /users
POST /users
GET /users/{userId}
PUT /users/{userId}

userId in these examples is an auto-generated Id.

Now I want to model an API where a password reset email can be requested. At this point the userId will not be known. So I was thinking of a few options and wondered if there was an established best practice.

My gut feeling is that this is the most appropriate approach.

PUT /users/password-reset/{emailAddress}

However, I could also expect that a user search could be conducted first to get the correct Id, but it feels unnecessarily chatty to me.

Any feedback is appreciated.

Upvotes: 1

Views: 265

Answers (1)

Pankaj Jangid

Reputation: 612

Not sure about the best practices but I would certainly like to experiment with the "Code-on-Demand" part of RESTful style here; so that the email ID is not visible in the HTTP traffic.

Keep a set of simple public-private key encryption algorithms on the server side, and randomly send one algorithm on request to the "forgot-password" page. Use this algorithm and the public key to encrypt the email ID and

PUT /users/password-reset/{encryptedEmailAddress}

Upvotes: 2
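As an added example (not code from the question or from the answer above), here is one way the reset flow the question is modelling can be implemented. It deliberately uses a different design from the answer's encrypted-email URL: the address is sent in the body of a POST to a `/password-resets` collection, so it never appears in a URL that web servers, proxies and browser history record, and the URL of the second step carries a random single-use token rather than anything derived from the email. The response to the first request is identical whether or not the address is registered, so the endpoint cannot be used to enumerate accounts. The resource name `/password-resets`, the class `PasswordResetService`, the 15-minute lifetime and the in-memory dictionaries standing in for a database are all assumptions made for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60      # assumed: reset links expire after 15 minutes
PBKDF2_ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor for stored passwords


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """In-memory stand-in for the two HTTP handlers (hypothetical name); a real
    deployment would back the users, resets and passwords with a database."""

    def __init__(self, users_by_email, now=time.time):
        # Normalise addresses so "Bob@Example.com" and "bob@example.com" match.
        self._users = {email.strip().lower(): uid for email, uid in users_by_email.items()}
        self._resets = {}      # sha256(token) -> ResetRecord; the raw token is never stored
        self._passwords = {}   # user_id -> (salt, pbkdf2 digest)
        self.outbox = []       # (email, token) pairs a mailer would turn into reset links
        self._now = now        # injectable clock so expiry can be exercised

    @staticmethod
    def _token_hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Handler for  POST /password-resets  with JSON body {"email": ...}.

        The address travels in the request body, not the path, so it does not
        end up in access logs, proxy logs or browser history. The status and
        body are the same whether or not the address is registered."""
        user_id = self._users.get(email.strip().lower())
        if user_id is not None:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            self._resets[self._token_hash(token)] = ResetRecord(
                user_id, self._now() + RESET_TTL_SECONDS)
            self.outbox.append((email, token))
        return 202, {"detail": "If that address is registered, a reset link has been sent."}

    def complete_reset(self, token, new_password):
        """Handler for  PUT /password-resets/{token}  with JSON body {"password": ...}."""
        record = self._resets.get(self._token_hash(token))
        if record is None or record.used or self._now() > record.expires_at:
            # One error for unknown, used and expired tokens: no hint which it was.
            return 400, {"detail": "Invalid or expired reset token."}
        if len(new_password) < 8:
            return 400, {"detail": "Password must be at least 8 characters."}
        # Single use: burn this token and any other outstanding tokens for the user.
        for rec in self._resets.values():
            if rec.user_id == record.user_id:
                rec.used = True
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ITERATIONS)
        self._passwords[record.user_id] = (salt, digest)
        return 204, None

    def verify_password(self, user_id, password):
        """Login-side check, included so the flow can be exercised end to end."""
        stored = self._passwords.get(user_id)
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample data standing in for a user table.
    svc = PasswordResetService({"alice@example.com": "u-1"})
    print(svc.request_reset("alice@example.com"))               # (202, {...})
    print(svc.request_reset("nobody@example.com"))              # identical (202, {...})
    _, token = svc.outbox[0]
    print(svc.complete_reset(token, "correct horse battery"))   # (204, None)
    print(svc.verify_password("u-1", "correct horse battery"))  # True
    print(svc.complete_reset(token, "second try"))              # (400, ...) token already used
```

Only the SHA-256 of the token is kept server side, so a leaked copy of the reset table does not let an attacker complete a reset; the raw token exists only in the email link. A second request for the same user issues a fresh token, and a successful reset invalidates every outstanding token for that user.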
