Hi, I still do not understand completely. It seems easy enough to create a separate record in a separate table.
So far, I have logged in as a special admin account
I set a token in local storage
I send an email to the user from the email address entered
I thought I would be safe mailing a simple static link with a fixed query string value (the user cannot see the link until receiving the email, which is how they learn the code. The type of data they post is not very sensitive anyway)
On return to the app from the link, the query string code gets confirmed.
Here is where I am stuck, because I have no database id of the user to update their password.
Step 6 is basically my question. How is the password updated? Does the admin account need the ACL rights to all user accounts so that this admin account can update the user in the table? If so, how do you get the password requester's user id from the database to do this?
If I change my validation method from a static link with a query string code to using a database record as in your step 3, what account creates this initial record? Is it this special admin account mentioned in Marina's post? If so, then this same admin account would need to check the table again when the password requester verifies their info, right?
In other words, the special admin token is still set in local storage from the original login and creation of the RecoveryPass record, so the record can be verified and then the password requester's database record can be updated, provided I know how to retrieve their database user id.
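Worked example of the record-based flow the question is circling (added here as an illustration, not code from the thread or from any particular backend): the privileged step looks up the user id by the e-mail entered and stores it in a separate recovery record alongside a hashed, expiring, single-use token; when the requester comes back from the mailed link, the token alone locates the record, and the record supplies the user id needed to update the password. Table and function names (`users`, `recovery_pass`, `create_recovery`, `redeem_recovery`) and the in-memory SQLite schema are assumptions for the example.

```python
import hashlib
import secrets
import sqlite3
import time


def make_db():
    """Constructed in-memory schema (hypothetical names): users plus a
    separate recovery table that links each reset token to a user id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT)")
    db.execute(
        "CREATE TABLE recovery_pass (id INTEGER PRIMARY KEY, user_id INTEGER, "
        "token_hash TEXT, expires_at REAL, used INTEGER DEFAULT 0)"
    )
    return db


def hash_password(pw, salt=None):
    # Salted PBKDF2; the salt is stored in front of the digest.
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), 100_000).hex()
    return f"{salt}${digest}"


def check_password(pw, stored):
    salt, _ = stored.split("$", 1)
    return secrets.compare_digest(hash_password(pw, salt), stored)


def _token_hash(token):
    # Only a hash of the token is stored, so a leaked table does not leak live links.
    return hashlib.sha256(token.encode()).hexdigest()


def create_recovery(db, email, ttl=900, now=None):
    """Privileged step (the admin account): resolve the e-mail to a user id and
    store a hashed, expiring token against that id. Returns the raw token to
    mail, or None if the e-mail is unknown; the caller should answer the
    requester identically in both cases so e-mails cannot be enumerated."""
    now = time.time() if now is None else now
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)  # unguessable, unlike a fixed query string
    db.execute(
        "INSERT INTO recovery_pass (user_id, token_hash, expires_at) VALUES (?, ?, ?)",
        (row[0], _token_hash(token), now + ttl),
    )
    db.commit()
    return token


def redeem_recovery(db, token, new_password, now=None):
    """Step on return from the mailed link: the record found by the token hash
    carries the user id, so no session of the requester is needed. The token
    must be unexpired and unused. Returns the user id on success, else None."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT id, user_id, expires_at, used FROM recovery_pass WHERE token_hash = ?",
        (_token_hash(token),),
    ).fetchone()
    if row is None or row[3] or row[2] < now:
        return None
    rec_id, user_id = row[0], row[1]
    db.execute("UPDATE recovery_pass SET used = 1 WHERE id = ?", (rec_id,))
    db.execute("UPDATE users SET pw_hash = ? WHERE id = ?", (hash_password(new_password), user_id))
    db.commit()
    return user_id


if __name__ == "__main__":
    db = make_db()
    db.execute("INSERT INTO users (email, pw_hash) VALUES (?, ?)",
               ("alice@example.test", hash_password("old-password")))
    db.commit()
    token = create_recovery(db, "alice@example.test")
    print("user id updated:", redeem_recovery(db, token, "new-password"))
    print("second use rejected:", redeem_recovery(db, token, "other") is None)
```

The two privileged operations (writing the recovery record and updating the user row) run with the admin credentials on the server; the requester's browser only ever carries the random token, and the user id it maps to is never exposed in the link or stored client-side.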