
Password Reset Link params without POST /password #1070

Closed
wmlutz opened this issue Jan 18, 2018 · 6 comments

Comments

@wmlutz

wmlutz commented Jan 18, 2018

I am running a Rails API, doing a lot of email branding with SendGrid, and am trying to not use ActionMailer. Therefore I want to do the password reset 'manually.' I.e. not using the POST /password endpoint which uses ActionMailer.

To do it manually a couple of things need to happen: I want to generate a URL with query params to pass to my SendGrid API. This will be a link to the page that takes password and password_confirmation. That link needs to have query params with the proper authentication info, which will then be put in the headers when the password and confirmation are sent.

A password reset token seems to not be a problem with @resource.reset_password_token, which will be in the PUT header at access-token. Uid is fine too. But I can't figure out how to get the client and expiry for that token in @resource's controller.

Help appreciated.

@zachfeldman
Contributor

@wmlutz I don't think you need a client and expiry token, just a password reset token, to reset the password. That token serves as authentication.

@wmlutz
Author

wmlutz commented Jan 18, 2018

@zachfeldman I'm still having trouble. Going into the console, I grabbed a password reset token and tested it with this curl request (URL quoted so the shell does not treat the & as a background operator):

curl -X PUT -H "access-token: 5552bf8e986f87420267080de6d16b845a8a52750fa07e04d2dc6e76b3dc9d33" "http://localhost:3001/api/v1/auth/password?password=newpass&password_confirmation=newpass"

But I am getting {"success":false,"errors":["Unauthorized"]} in the response.

I admittedly am not the best or most experienced guy in the room - can you tell what I'm missing?

@zachfeldman
Contributor

I'm using the jToker implementation for my app:

@zachfeldman
Contributor

https://github.com/lynndylanhurley/j-toker/blob/master/src/j-toker.js#L1033

Looks like I need to send password, password confirmation, email, and reset_password_token.

@lynndylanhurley
Owner

lynndylanhurley commented Jan 18, 2018

@wmlutz

  1. Start by sending a POST request to the /auth/password endpoint containing the email address for the account and a redirect_url to which the user should be redirected after the API validates the password reset token.

  2. The API will send an email to the address used for signup that contains a link with the auth creds as querystring params. Once the client visits that link, they will be confirmed by the API using the reset_password_token and redirected to the client at the redirect_url provided in step 1.

  3. Once the user is authenticated by the API, they can then reset their password from the client using the PUT /auth/password endpoint and the creds that were passed to the client by the API redirect.

@wmlutz
Author

wmlutz commented Jan 18, 2018

@lynndylanhurley What I'm trying to do is skip this part:

"The API will send a link to the email address"

so I can use my own email API to manage all the app's communications.

I figured out what I need to do to do this manually, though. It's basically following build_auth_header from https://github.com/lynndylanhurley/devise_token_auth#model-concerns at my own API endpoint. Got it working via curl now.

@wmlutz wmlutz closed this as completed Jan 18, 2018
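The manual flow the thread arrives at, as an added stand-alone example that is not devise_token_auth's or the poster's code: the reset link carries only a random raw token whose digest is stored, the token is single-use and time-limited, and redeeming it yields the full header set the PUT /auth/password call needs (the curl above failed because only access-token was sent). The class name, the 6-hour TTL, and the two-week expiry are assumptions for illustration.

```ruby
require 'securerandom'
require 'openssl'
require 'uri'

RESET_TTL = 6 * 60 * 60                               # assumed: 6 h, Devise's default reset window
REQUIRED_HEADERS = %w[access-token client uid expiry].freeze

# Hypothetical helper standing in for "my own API endpoint" from the thread.
class ResetFlow
  def initialize
    @pending = {} # SHA-256(raw token) => { uid:, issued_at: }; raw token is never stored
  end

  # Step 1 (replaces POST /auth/password): mint a raw token, keep only its
  # digest, and return the link to hand to the mail provider.
  def issue_link(uid, base_url, redirect_url, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @pending[digest(raw)] = { uid: uid, issued_at: now }
    query = URI.encode_www_form('reset_password_token' => raw, 'redirect_url' => redirect_url)
    "#{base_url}/auth/password/edit?#{query}"
  end

  # Step 2: the link is visited. The token is consumed whether or not it is
  # still valid, so a stale or replayed link can never be redeemed twice.
  # Returns the headers the client must send on PUT /auth/password, or nil.
  def redeem(raw, now: Time.now)
    rec = @pending.delete(digest(raw))
    return nil if rec.nil? || now - rec[:issued_at] > RESET_TTL
    {
      'access-token' => SecureRandom.urlsafe_base64(32),
      'client'       => SecureRandom.urlsafe_base64(16),
      'uid'          => rec[:uid],
      'expiry'       => (now + 2 * 7 * 24 * 60 * 60).to_i.to_s, # assumed two-week session
      'token-type'   => 'Bearer'
    }
  end

  # Step 3 check: which of the headers the PUT requires are absent.
  def self.missing_headers(headers)
    REQUIRED_HEADERS - headers.keys
  end

  private

  def digest(raw)
    OpenSSL::Digest::SHA256.hexdigest(raw)
  end
end
```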