forgot-password.md
# Forgot Password Flow

## Step 1. Trigger flow (POST /v1/forgot-password)

User POSTs to `/v1/forgot-password` with body:

```
{
  email: String
}
```

A random 32-byte email-verification nonce is created and saved to the user record. The user record then holds:

| forgotPasswordNonce | passwordHash | passwordSalt |
|---------------------|--------------|--------------|
| XXX                 | old          | old          |

Server sends an email to the user with the forgotPasswordNonce.

Server responds 200 with JSON indicating to check email.

## Step 2. Update password (POST /v1/account/password)

User POSTs to `/v1/account/password` with body:

```
{
  username: String, username of the account
  nonce: String, verification nonce
  newPassword: String, new password
}
```

Server updates the user record to indicate:

| forgotPasswordNonce | passwordHash | passwordSalt |
|---------------------|--------------|--------------|
| null                | new          | new          |
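The two steps above, implemented as an added example that is not part of this project's code. It uses an in-memory store in place of a database, PBKDF2-HMAC-SHA256 as the password hash (the page does not name one), a constant-time nonce comparison, and a nonce lifetime of 15 minutes (the page sets no expiry; that limit is an assumption). Step 1 returns the same 200 body whether or not the e-mail matches an account, so the endpoint does not reveal which addresses are registered, and Step 2 clears the nonce on success so it cannot be reused.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed in-memory user store keyed by username (a real deployment uses a database).
USERS: Dict[str, dict] = {}

# Assumption: the page sets no nonce expiry; 15 minutes is an added limit.
NONCE_TTL_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive the password hash. PBKDF2-HMAC-SHA256 is an assumption; the page names no KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def create_user(username: str, email: str, password: str) -> None:
    """Create a record with the columns the page describes plus a nonce timestamp."""
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "email": email,
        "passwordHash": _hash_password(password, salt),
        "passwordSalt": salt,
        "forgotPasswordNonce": None,
        "nonceIssuedAt": None,
    }


def forgot_password(body: dict, send_email: Callable[[str, str], None]) -> Tuple[int, dict]:
    """Step 1: POST /v1/forgot-password.

    Always answers 200 with the same body, so the response does not reveal
    whether the e-mail address belongs to an account.
    """
    email = body.get("email")
    user = next((u for u in USERS.values() if u["email"] == email), None)
    if user is not None:
        nonce = secrets.token_hex(32)  # 32 random bytes, hex-encoded for the e-mail
        user["forgotPasswordNonce"] = nonce
        user["nonceIssuedAt"] = time.time()
        send_email(email, nonce)
    return 200, {"message": "Check your email for reset instructions."}


def update_password(body: dict, now: Optional[float] = None) -> Tuple[int, dict]:
    """Step 2: POST /v1/account/password. Consumes the nonce, stores a new hash and salt."""
    now = time.time() if now is None else now
    user = USERS.get(body.get("username"))
    presented = body.get("nonce") or ""
    stored = (user or {}).get("forgotPasswordNonce")
    # Constant-time comparison; one generic error avoids distinguishing bad user from bad nonce.
    if user is None or stored is None or not hmac.compare_digest(stored, presented):
        return 400, {"error": "invalid request"}
    if now - user["nonceIssuedAt"] > NONCE_TTL_SECONDS:
        user["forgotPasswordNonce"] = None  # expired nonce is discarded, not retried
        user["nonceIssuedAt"] = None
        return 400, {"error": "invalid request"}
    salt = secrets.token_bytes(16)  # fresh salt; the old one is never reused
    user["passwordSalt"] = salt
    user["passwordHash"] = _hash_password(body["newPassword"], salt)
    user["forgotPasswordNonce"] = None  # single use: nonce cleared after success (the "null" row)
    user["nonceIssuedAt"] = None
    return 200, {"message": "Password updated."}


def verify_login(username: str, password: str) -> bool:
    """Check a password against the stored hash and salt, in constant time."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = _hash_password(password, user["passwordSalt"])
    return hmac.compare_digest(candidate, user["passwordHash"])


if __name__ == "__main__":
    outbox = []
    create_user("alice", "alice@example.test", "old-password")
    forgot_password({"email": "alice@example.test"}, lambda addr, n: outbox.append(n))
    print(update_password({"username": "alice", "nonce": outbox[0], "newPassword": "new-password"}))
    print(verify_login("alice", "new-password"), verify_login("alice", "old-password"))
```

The `send_email` callback stands in for the mail delivery the page describes; in the usage block it just collects the nonce so the flow can be exercised offline.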