
Reset Password Flow

Ben Babics edited this page Aug 4, 2016 · 2 revisions

This is the overall workflow for a User to reset their password:

  • the user goes to a page on the front-end site that contains a form with a single text field; they type their email address into that field and click a button to submit the form

  • that form submission sends a request to the API: POST /auth/password with two parameters: email (the address supplied in the field) and redirect_url (a page on the front-end site that will contain a form with password and password_confirmation fields)

  • the API responds to this request by generating a reset_password_token and sending an email (Devise's reset_password_instructions.html.erb template) to the address given in the email parameter

    • we need to modify the reset_password_instructions.html.erb template so that its link points to the API: GET /auth/password/edit
    • for example, if your API lives under the api/v1 namespace: <%= link_to 'Change my password', edit_api_v1_user_password_url(reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s) %> (I came up with this link_to by referring to this line)
  • the user clicks the link in the email, which takes them to the 'Verify user by password reset token' endpoint (GET /password/edit)

  • this endpoint verifies the user and, if they are who they claim to be (their reset_password_token matches a User record), redirects them to the redirect_url

  • this redirect_url is a page on the front end that contains password and password_confirmation fields

  • the user submits the form on this front-end page, which sends a request to the API: PUT /auth/password with the password and password_confirmation parameters. The request must also carry the auth headers, whose values arrive as URL parameters on the redirect. As a side note, make sure the header names follow the convention set in config/initializers/devise_token_auth.rb; at the time of writing they are uid, client and access-token.

  • the API changes the user's password and responds back with a success message

  • the front end needs to manually redirect the user to its login page after receiving this success response

  • the user logs in
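The last two API steps above (landing on redirect_url, then PUT /auth/password with the credentials copied from the URL into headers), as an added Ruby example that is not part of this wiki or of devise_token_auth itself. It assumes the verify endpoint appended uid, client and access-token as query parameters to redirect_url, and the api_base, hostnames and token values are constructed for illustration.

```ruby
require "uri"
require "cgi"
require "json"

# Header names from config/initializers/devise_token_auth.rb at the time of
# writing; the query-parameter names (assumed here) match the header names.
AUTH_PARAM_TO_HEADER = {
  "uid" => "uid",
  "client" => "client",
  "access-token" => "access-token"
}.freeze

# Lift the credentials that GET /auth/password/edit appended to redirect_url
# into request headers. Fails closed if any of them is missing.
def auth_headers_from_redirect(landing_url)
  params = CGI.parse(URI(landing_url).query.to_s)
  AUTH_PARAM_TO_HEADER.each_with_object({}) do |(param, header), headers|
    value = params[param].first
    raise ArgumentError, "missing #{param} in redirect url" if value.nil? || value.empty?
    headers[header] = value
  end
end

# Assemble the PUT /auth/password request as a plain hash (nothing is sent),
# so the front end can hand it to whatever HTTP client it uses.
# Because the access-token travelled in the URL, the front end should also
# drop it from the address bar and keep it out of analytics and logs.
def build_password_update_request(landing_url, password, password_confirmation,
                                  api_base: "https://api.example.test")
  unless password == password_confirmation
    raise ArgumentError, "password and password_confirmation do not match"
  end
  {
    method: "PUT",
    url: "#{api_base}/auth/password",
    headers: auth_headers_from_redirect(landing_url).merge("Content-Type" => "application/json"),
    body: JSON.generate({ password: password, password_confirmation: password_confirmation })
  }
end
```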
