user1883212

Reputation: 7859

Change and forgot password for an app don't re-use the same code

I implemented both a change password and forgot password functionality for an app, as follows:

1) Change password: the user needs to be logged in and can change the password from the app.

2) Forgot password: the user clicks a button in the app and receives an email. He clicks a link in the email and changes the password on the web.

Essentially in one case I change the password from the app and in the other on the web.

I would like to reuse the same code and not to have two different ways to change the password. What's the right approach?

Upvotes: 0

Views: 51

Answers (1)

Charles B.

Reputation: 303

The only way to do it with what you have is to have the 'change password' send the email and have them click the link to change the password on the web, or have that button take them to the web page to change their password.

To change the password they need to authenticate themselves to you. To authenticate to you they need to log in. They can't log in, so by sending the e-mail to their given e-mail you are relying on the e-mail provider to authenticate the user for you. So you can't use the 'change password' function you have in place of the 'forgot password' function you have, so it has to be the other way around.

If you wanted to let them change their forgotten password from the app you could add security questions and then if they answer those challenges correctly they can change their password from the app (their secret answers authenticate them in place of their password).

Upvotes: 1
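
An added example, not part of the question or the answer: one way to share code between the two flows is a single password-writing routine, with each flow supplying its own proof of identity (the current password in the app, the emailed token on the web, as the answer distinguishes). The in-memory stores, function names, token lifetime and 8-character minimum are assumptions for illustration.

```python
import hashlib, hmac, os, secrets, time

USERS = {}         # email -> (salt, password_hash); stand-in for a users table
RESET_TOKENS = {}  # sha256(token) -> (email, expiry); raw tokens are not stored
TOKEN_TTL = 15 * 60  # seconds; assumed lifetime of an emailed link

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(email, new_password):
    """Shared core: the only code that writes a password."""
    if len(new_password) < 8:  # assumed policy, enforced on both paths
        raise ValueError("password too short")
    salt = os.urandom(16)
    USERS[email] = (salt, _hash(new_password, salt))
    # Any password change invalidates outstanding reset links for the account.
    for key in [k for k, (e, _) in RESET_TOKENS.items() if e == email]:
        del RESET_TOKENS[key]

def check_password(email, password):
    if email not in USERS:
        return False
    salt, stored = USERS[email]
    return hmac.compare_digest(stored, _hash(password, salt))

def change_password(email, current_password, new_password):
    """In-app path: the current password authenticates the user."""
    if not check_password(email, current_password):
        return False
    set_password(email, new_password)
    return True

def issue_reset_token(email, now=None):
    """Forgot path, step 1: returns the token to embed in the emailed link."""
    if email not in USERS:
        return None  # caller should show the same response either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, now + TOKEN_TTL)
    return token

def reset_password(token, new_password, now=None):
    """Forgot path, step 2: possession of the emailed token authenticates."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)  # also revokes this token (single use)
    return True
```

Both entry points end in `set_password`, so hashing, password policy and reset-link revocation live in one place while the authentication step stays separate for each flow.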
