ResetPassword in .net core web api

Question

Hi, I'm currently working on a .NET core web API project and writing ResetPassword. The user wrote the email and front-end sent it to my ForgotPassword Endpoint, I checked the database and send the url with email and token in it to the user's email. This url is my ResetPassword(HttpGet) action's url and when user clicks on it it is going to my method . The ResetPassword(HttpGet) returns mail and token. I aslo have ResetPassword(HttpPost) action which requires NewPassword from UI and email and token from my ResetPassword(HttpGet) action. If everythink right the pasword will change. I think, The API part is right and as a back-end developer I dod everythink correct(according to the many tutorials and articles in the internet) but I can't understand the period between ResetPassword(HttpGet) and ResetPassword(HttpPost) actions. I mean, after clicking the link which were sent to the user's email, doesn't user have to go to the page where he will write his new password? And if User can go there and write new password , how front-end developer will get token and email from my ResetPassword(HttpGet) for sending me after user will click to the submit. Can anybody explain me, please? Because I'm working on it, almost 8 hours and haven't get any conclusion yet.

Answer 1

Certainly! Here’s a concise explanation of the process between the ResetPassword(HttpGet) and ResetPassword(HttpPost) actions in your .NET Core Web API project:

ResetPassword(HttpGet):

• Generates a unique token (e.g., GUID) and saves it in a database table along with the user's email.
  • Constructs a URL with the token as a query parameter (https://yourdomain.com/reset-password?email=user@example.com&token=generatedToken).
    • Sends this URL in an email to the user.
    User Interaction:

    - User clicks on the link in the email, which directs them to your front-end UI with the email and token in the URL.
    
       - Front-end captures the email and token from the URL parameters.
    
       **ResetPassword(HttpPost)**:
    
          - Front-end presents a form where the user can enter their new password.
    
             - Upon form submission, front-end sends a `POST` request to the `ResetPassword(HttpPost)` endpoint.
    
                - Endpoint receives the new password, email, and token in the request body.
    
                   - Validates the token against the email in the database.
    
                      - Updates the user's password if validation is successful.
    

Tips:

• Ensure token security and validity checks are implemented.
• Communicate clearly with your front-end developer about the structure of the URLs and the expected flow of data.

This setup ensures a secure and seamless password reset process for your users. If you need further assistance with specific code examples or details, feel free to ask!Certainly! Here’s a concise explanation of the process between the ResetPassword(HttpGet) and ResetPassword(HttpPost) actions in your .NET Core Web API project:

ResetPassword(HttpGet):

• Generates a unique token (e.g., GUID) and saves it in a database table along with the user's email.
  • Constructs a URL with the token as a query parameter (https://yourdomain.com/reset-password?email=user@example.com&token=generatedToken).
    • Sends this URL in an email to the user.
    User Interaction:

    - User clicks on the link in the email, which directs them to your front-end UI with the email and token in the URL.
    
       - Front-end captures the email and token from the URL parameters.
    
       **ResetPassword(HttpPost)**:
    
          - Front-end presents a form where the user can enter their new password.
    
             - Upon form submission, front-end sends a `POST` request to the `ResetPassword(HttpPost)` endpoint.
    
                - Endpoint receives the new password, email, and token in the request body.
    
                   - Validates the token against the email in the database.
    
                      - Updates the user's password if validation is successful.
    

Tips:

• Ensure token security and validity checks are implemented.
• Communicate clearly with your front-end developer about the structure of the URLs and the expected flow of data.

This setup ensures a secure and seamless password reset process for your users. If you need further assistance with specific code examples or details, feel free to ask!

Answer 2

the email link should include the token value (typically base64url encrypted value). this is passed to the reset get. the get should render the token to a hidden field that will be included on the reset post. the post verifies the token value and if password meets complexity updates.

typically the token contains the userid (so you know which user to update) and an expiration time, so the email link is valid for short amount of time.

Answer 3

Ok, but after clicking to the link, it will go to my api's httpget method.

No, the link should go to the Web application not Web API. If the browser is redirected to a Web API HTTP GET action, then the user we see a JSON response in browser not HTML.