George Van Wormer5962866
Posts: 0
Joined: Mon Jun 17, 2013 9:40 pm

Update user password on user interface

Trying to do a makeshift Forgot Password feature by having the user confirm certain user information and if that information is valid, they can reset their password.

How do I allow the user to enter a new password on the user interface and reset their current password in the database?

George Van Wormer5962866
Posts: 0
Joined: Mon Jun 17, 2013 9:40 pm

This is perfect. What we have been doing is in every service we request a localSessionToken and send it to X-Appery-Session-Token. Where do I access that in the PUT to update the user password?

Maryna Brodina
Posts: 0
Joined: Thu Apr 05, 2012 7:27 am

Hello! You can create an account for restoring passwords. When you need to change a password, you can log in under that account to get X-Appery-Session-Token.

George Van Wormer5962866
Posts: 0
Joined: Mon Jun 17, 2013 9:40 pm

The idea is to be able to offer the end user a way to update their password if they've forgotten it. From the login screen, the user selects "Forgot Password". The user is then asked to confirm their email, DOB and mobile phone. If their info matches that in the database, they are prompted to create a new password. That is where I am hoping to use the PUT service Max suggested to update their password.

Maryna Brodina
Posts: 0
Joined: Thu Apr 05, 2012 7:27 am

To do the actions you listed (The user is then asked to confirm their email, DOB and mobile phone. If their info matches that in the database, they are prompted to create a new password...) you should have X-Appery-Session-Token. The only way to get it is to invoke the login service (on click on the "Forgot Password" link) for some admin user. After you receive X-Appery-Session-Token you can do anything else.

Sean Kelley
Posts: 0
Joined: Thu Oct 11, 2012 2:25 pm

Hi, I must be missing something very basic on creating a password reset mechanism. I have created an admin account in the database by giving each app user's ACL the setting of read and write for the admin id.

I have logged in and received the admin account token. To update the user account to set a new password I will need the reset requester's users id. How do I get that when I do not know it?

There appears to be no documentation on how to query users, just list all, update, and delete, that I can see.
The link to query or update:
https://api.appery.io/rest/1/db/users...

Kateryna Grynko
Posts: 0
Joined: Thu Nov 15, 2012 9:13 am

Hi Sean,

This is a standard problem of web development. You need to make sure that the account for which you are trying to change the password belongs to this person.

You register a user with some authorization data. There can be email among them. So you need to send email to this address, in which you can write some unique number, or any other unique sequence that can prove that it is the user.

Possible scenario:

  1. The user clicks Forgot password.
  2. The user must enter a username or email address (either one will do).
  3. Your application creates a record in a separate table RecoveryPass that records that this user requested a password reset. The creation request returns a unique _id of the created record.
  4. You send an email to the appropriate mailbox, asking the user to copy and paste into the app the above-sent _id of the password reset request.
  5. The user enters the _id in your application and a request is sent to verify the existence of such a record in the table RecoveryPass. It is worth checking the creation date of this record against the current date; you probably should not respond to the reset confirmation within 2 days.
  6. If the record is found, the user is confirmed. You can show him the form to create a new password.

Sean Kelley
Posts: 0
Joined: Thu Oct 11, 2012 2:25 pm

Hi, I still do not understand completely. It seems easy enough to create a separate record in a separate table.

So far:

  1. I have logged in as the special admin account.
  2. I set the token in local storage.
  3. I send an email to the user at the email address entered.
  4. I thought I would be safe mailing a simple static link with a fixed query string value (the user cannot see the link, and so cannot know the code, until receiving the email; the type of data they post is not very sensitive anyway).
  5. On return to the app from the link, the query string code gets confirmed.
  6. Here is where I am stuck, because I have no database id of the user to update their password.

Step 6 is basically my question. How is the password updated? Does the admin account need the ACL rights to all user accounts so that this admin account can update the user in table? If so, how do you get the password requester's user id from database to do this?

If I change my validation method from a static link with a query string code to use a database record as in your step 3, what account creates this initial record... is it this special admin account mentioned in Maryna's post? If so, then this same admin account would need to check the table again when the password requester verifies info, right?

In other words, special admin token is still set in local storage from original login and creation of RecoveryPass record, so record can be verified and then password requester's database record can be updated, provided I know how to retrieve their database user id.

Maryna Brodina
Posts: 0
Joined: Thu Apr 05, 2012 7:27 am

Hello!
"Does the admin account need the ACL rights to all user accounts" - by default, in the Users table and for all collections, the ACL is empty, so any logged-in user can see and edit the records of all users and all records in all collections (the ACL is non-empty by default only for downloaded files). That's why the admin account has all the needed rights to make changes (if you didn't set the ACL manually).
