feature request: password reset link in email rather than temp password #873

@stevenolen


A big user complaint is having to copy/paste the temp password that gets sent in order to log in again. It is a bit awkward and novice users have trouble with this action. It's a much more common procedure to send a one-time password reset link that, if clicked during the short window, will allow the user to set a new password. Current and proposed flows below:

Current flow:

  • user forgets password
  • user enters username and email and client sends request to user/reset_password
  • (assuming user exists) server generates password, marks account as new_account and sends password to user via email
  • user copies password from email and logs in with this user/pw combo
  • since new_account is set, user is forced to change password

Proposed flow:

  • user forgets password
  • user enters username and email and client sends request to user/reset_password
  • (assuming user exists) server generates a password reset code (which expires in 30 minutes) and sends link to user.
  • user clicks link in email and is directed to client to set a new password.
    • this should work similarly to the user/activate api -- the generated link allows the frontend to query an endpoint to see if the request was successful and if so, prompt user to set a new password.
  • Once reset, the user will need to log in again, as the process won't contain the user's username

Thoughts?
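The proposed flow, as an added worked example that is not part of the issue or the project's code. It assumes an in-memory user store, a reset link base of `https://app.example/reset`, and the 30-minute window from the proposal; the user/reset_password, validity-check and set-password steps are modelled as three methods. The reset code is random, stored only as a hash (so a leaked table cannot be replayed), compared in constant time, expires, and is consumed on first use. Whether or not the username and email match, the endpoint should answer the same way so account existence is not revealed; here that is the caller's job, since `request_reset` returns the link only for the email sender.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumptions for this example, not project settings.
RESET_TTL_SECONDS = 30 * 60                      # 30-minute window from the proposal
RESET_LINK_BASE = "https://app.example/reset"    # hypothetical client URL


@dataclass
class ResetRecord:
    username: str
    code_hash: bytes     # only the hash of the code is persisted
    expires_at: float
    used: bool = False   # single use: consumed by set_password


class ResetService:
    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        self.users = users                              # username -> email (constructed sample data)
        self.password_hashes: Dict[str, tuple] = {}     # username -> (salt, pbkdf2 hash)
        self._records: List[ResetRecord] = []
        self.now = now                                  # injectable clock for testing expiry

    @staticmethod
    def _hash_code(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def request_reset(self, username: str, email: str) -> Optional[str]:
        """Step 2/3: client posts username + email; if they match, generate a
        code, store its hash with an expiry, and return the link to be emailed."""
        if self.users.get(username) != email:
            return None          # caller still responds with a generic "check your email"
        code = secrets.token_urlsafe(32)
        self._records.append(
            ResetRecord(username, self._hash_code(code), self.now() + RESET_TTL_SECONDS)
        )
        return f"{RESET_LINK_BASE}?code={code}"

    def _lookup(self, code: str) -> Optional[ResetRecord]:
        """Find a live, unused record whose hash matches in constant time."""
        h = self._hash_code(code)
        for rec in self._records:
            if hmac.compare_digest(rec.code_hash, h):
                if rec.used or self.now() > rec.expires_at:
                    return None
                return rec
        return None

    def check_code(self, code: str) -> bool:
        """Step 4: the endpoint the frontend queries (like user/activate) to
        decide whether to show the new-password form."""
        return self._lookup(code) is not None

    def set_password(self, code: str, new_password: str) -> bool:
        """Step 4/5: consume the code once and store the new password hash.
        The user then logs in again with username + new password."""
        rec = self._lookup(code)
        if rec is None:
            return False
        rec.used = True
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.password_hashes[rec.username] = (salt, digest)
        return True

    def verify_password(self, username: str, password: str) -> bool:
        """Login check after the reset, to show the stored hash is usable."""
        stored = self.password_hashes.get(username)
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, digest)


def code_from_link(link: str) -> str:
    """Extract the code the client receives from the emailed link."""
    return link.split("code=", 1)[1]


if __name__ == "__main__":
    svc = ResetService({"alice": "alice@example.com"})
    link = svc.request_reset("alice", "alice@example.com")
    print("emailed link:", link)
    code = code_from_link(link)
    print("code valid before use:", svc.check_code(code))
    print("password set:", svc.set_password(code, "correct horse battery staple"))
    print("code valid after use:", svc.check_code(code))
```

The expiry check and the `used` flag are what make the link safe to send by email: a code that leaks later in the mailbox is worthless once it has been consumed or the window has closed.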
