Reset Password
merlosy edited this page Oct 1, 2014 · 1 revision
Yes, it can happen that a user needs to reset their password. Memory is not the most reliable thing on Earth, and plenty of people forget these tiny yet important passwords. This page describes how a user can reset their password in a secure way, or at least how it has been implemented here.
It assumes the API communicates with a mobile app.
- Set the API name in app/config/app.php
- Your mobile app should be able to recognize a custom protocol (URL scheme) and open the application when a link using it is followed. By default the scheme is the slug of the app name (for example, "Merlosy API" gives the slug "merlosy-api").
- When the user is logged out, they enter their email address and submit the reset request.
- The API generates a reset key with a default validity of 12 hours. The key is placed in a link that is sent in the email. Since anyone holding the key can set the account's password until it expires, the key must be unguessable: generate it from a cryptographically secure random source, never from a timestamp or a counter.
- When the user clicks the link on their device, it goes to the API (http protocol), which redirects back to your app (app-name-slug protocol). Why not redirect to the app directly? Because some webmail clients do not allow custom-scheme links.
- The app opens with a form so the user can enter a new password. The new password is sent along with the reset key, which authorizes the modification.
- The API handles the request: if the key exists, has not expired and matches the user, the password is reset. A key should be valid for a single reset only, so it is invalidated once it has been used.
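The following Python model walks through the steps above end to end. It is an added example, not the project's own Laravel code: the API host (api.example), the URL paths, the in-memory user and key stores and the explicitly passed clock are assumptions for illustration. It generates the key from a cryptographically secure source, stores only a hash of it, enforces the 12-hour expiry and the user match, builds the http link and the app-scheme redirect, and consumes the key on success.

```python
"""Model of the reset-password flow: added illustration, not the project's code.
Assumed for the example: api.example as host, the URL paths, in-memory stores."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

RESET_KEY_TTL = timedelta(hours=12)   # default validity named on the page
API_BASE = "https://api.example"      # assumed host for the e-mailed link


def slugify(app_name: str) -> str:
    """App name -> custom URL scheme, e.g. 'Merlosy API' -> 'merlosy-api'."""
    return re.sub(r"[^a-z0-9]+", "-", app_name.lower()).strip("-")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def fingerprint(key: str) -> str:
    """Only this hash is stored, so a leaked key table yields no usable links."""
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class ResetKey:
    email: str
    expires_at: datetime


@dataclass
class Api:
    app_name: str
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # email -> (salt, digest)
    reset_keys: Dict[str, ResetKey] = field(default_factory=dict)       # fingerprint -> record

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        return rec is not None and check_password(password, *rec)

    def request_reset(self, email: str, now: datetime) -> Optional[str]:
        """Step 1: logged-out user submits the address; returns the link to e-mail.
        None for unknown addresses; the HTTP reply to the client should not differ."""
        if email not in self.users:
            return None
        key = secrets.token_urlsafe(32)   # CSPRNG, 256 bits: unguessable
        self.reset_keys[fingerprint(key)] = ResetKey(email, now + RESET_KEY_TTL)
        return f"{API_BASE}/password/reset?key={key}"

    def redirect_for(self, key: str) -> str:
        """Step 2: the http link hits the API, which bounces to the app's scheme."""
        return f"{slugify(self.app_name)}://password/reset?key={key}"

    def reset_password(self, email: str, key: str, new_password: str, now: datetime) -> bool:
        """Step 3: key must exist, be unexpired and belong to the claimed account;
        it is consumed on success so it cannot be replayed."""
        fp = fingerprint(key)
        rec = self.reset_keys.get(fp)
        if rec is None or now >= rec.expires_at or rec.email != email:
            return False
        del self.reset_keys[fp]
        self.users[email] = hash_password(new_password)
        return True


def key_from_link(link: str) -> str:
    return link.rsplit("key=", 1)[1]


def demo_flow() -> dict:
    """Run the whole flow once against constructed data; returns each check's outcome."""
    api = Api("Merlosy API")
    api.register("alice@example.com", "old-password")
    t0 = datetime(2014, 10, 1, tzinfo=timezone.utc)
    out = {"unknown_email_gets_no_link": api.request_reset("nobody@example.com", t0) is None}
    link = api.request_reset("alice@example.com", t0)
    key = key_from_link(link)
    out["link"] = link
    out["app_redirect"] = api.redirect_for(key)
    out["wrong_user_rejected"] = not api.reset_password("mallory@example.com", key, "x", t0)
    out["expired_rejected"] = not api.reset_password("alice@example.com", key, "x", t0 + RESET_KEY_TTL)
    out["reset_ok"] = api.reset_password("alice@example.com", key, "new-password", t0 + timedelta(hours=11))
    out["new_password_works"] = api.login("alice@example.com", "new-password")
    out["old_password_rejected"] = not api.login("alice@example.com", "old-password")
    out["key_single_use"] = not api.reset_password("alice@example.com", key, "again", t0)
    return out


if __name__ == "__main__":
    for name, value in demo_flow().items():
        print(f"{name}: {value}")
```

Running the file prints the e-mailed link, the app-scheme redirect the API answers with, and the result of each check (wrong account, expired key, successful reset, replayed key). The one behaviour the model leaves to the caller is the reply to the reset request itself: `request_reset` returns `None` for an unregistered address so that the HTTP layer can still answer "if the address exists, an email has been sent" in both cases and not turn the endpoint into an account-enumeration oracle.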