The `allow_password_change` field is required for any flow. There are 2 flows for resetting the password, one more web focused and the other more mobile focused.

Main flow:

1. The front end makes a POST to `/auth/password` with some parameters: `email` (the email supplied in the field) & `redirect_url` (a page in the front end site that will contain a form with `password` and `password_confirmation` fields).
2. The API responds by generating a `reset_password_token` and sending an email (the `reset_password_instructions.html.erb` file from devise) to the email address provided within the `email` parameter.
3. Modify the `reset_password_instructions.html.erb` file to point to the API: GET `/auth/password/edit`. For example, if the API is mounted under the `api/v1` namespaces: `<%= link_to 'Change my password', edit_api_v1_user_password_url(reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s) %>` (I came up with this `link_to` by referring to this line).
4. The edit endpoint (GET `/password/edit`) then redirects to the `redirect_url` (or the one you set in an initializer as `default_password_reset_url`) with the auth headers if they are who they claim to be (if their `reset_password_token` matches a User record).
5. `redirect_url` is a page on the frontend which contains a `password` and `password_confirmation` field.
6. That page makes a PUT to `/auth/password` with the `password` and `password_confirmation` parameters. In addition, headers need to be included from the URL params (you get these from the URL as query params). A side note: ensure that the header names follow the convention outlined in `config/initializers/devise_token_auth.rb`; at the time of writing it is: `uid`, `client` and `access-token`. Also make sure the `uid` sent in the headers is not URL-escaped, e.g. it should be `bob@example.com`, not `bob%40example.com`.

Alternative flow (enabled with `require_client_password_reset_token`, which by default is false): it is also useful for webs. This flow was done because the main one doesn't support deep linking (if you want to reset the password in the mobile app). It works like the main one but instead of receiving and sending the auth headers, you need to send the `reset_password_token`, but just in case, we can explain it step by step:

1. The front end makes a POST to `/auth/password` (same as the main flow).
2. The email link points to the API (GET `/auth/password/edit`).
3. The API redirects to the `redirect_url` (instead of the API) with a `reset_password_token`.
4. The page makes a PUT to `/auth/password` with the `reset_password_token` together with the `password` and `password_confirmation` parameters.
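The client side of both flows, as an added example that is not part of devise_token_auth or its docs. It builds the three requests a front end has to send and shows the one thing the side note above warns about: lifting `uid`, `client` and `access-token` out of the redirect URL's query params into real headers, with the `uid` decoded (`bob@example.com`, not `bob%40example.com`). `API_BASE`, the function names and the landing URLs are assumptions or constructed samples; the endpoints, parameter and header names come from the text above, and the header names assume the initializer keeps the defaults it lists.

```javascript
// Added example, not part of the devise_token_auth docs or gem: the front-end
// side of both reset flows described above. API_BASE and the function names are
// assumptions; the endpoints, parameter and header names come from the page.
const API_BASE = 'https://api.example.com'; // assumed API host

// Header names as configured in config/initializers/devise_token_auth.rb
// (the defaults the page cites). Change them here if your initializer differs.
const AUTH_HEADER_NAMES = ['uid', 'client', 'access-token'];

// Step 1 of either flow: POST /auth/password with email and redirect_url.
function buildResetRequest(email, redirectUrl) {
  return {
    method: 'POST',
    url: `${API_BASE}/auth/password`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, redirect_url: redirectUrl }),
  };
}

// Main flow: GET /auth/password/edit redirected the browser to redirect_url with
// the auth headers carried as query params. Lift them into real headers.
// URLSearchParams.get() returns the decoded value, so a uid that arrived as
// bob%40example.com is sent as bob@example.com, which is what the API expects.
function authHeadersFromRedirect(landingUrl) {
  const params = new URL(landingUrl).searchParams;
  const headers = {};
  for (const name of AUTH_HEADER_NAMES) {
    const value = params.get(name);
    if (!value) throw new Error(`redirect URL is missing the ${name} param`);
    headers[name] = value;
  }
  return headers;
}

// Main flow, final step: PUT /auth/password with the new password, authenticated
// by the headers recovered from the redirect.
function buildPasswordUpdateRequest(landingUrl, password, passwordConfirmation) {
  if (password !== passwordConfirmation) {
    throw new Error('password and password_confirmation differ');
  }
  return {
    method: 'PUT',
    url: `${API_BASE}/auth/password`,
    headers: { 'Content-Type': 'application/json', ...authHeadersFromRedirect(landingUrl) },
    body: JSON.stringify({ password, password_confirmation: passwordConfirmation }),
  };
}

// Alternative flow (require_client_password_reset_token = true): the redirect
// carries reset_password_token instead of the auth headers, and the token goes
// into the PUT body alongside the passwords. No auth headers are sent.
function buildTokenPasswordUpdateRequest(landingUrl, password, passwordConfirmation) {
  if (password !== passwordConfirmation) {
    throw new Error('password and password_confirmation differ');
  }
  const token = new URL(landingUrl).searchParams.get('reset_password_token');
  if (!token) throw new Error('redirect URL is missing reset_password_token');
  return {
    method: 'PUT',
    url: `${API_BASE}/auth/password`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      password,
      password_confirmation: passwordConfirmation,
      reset_password_token: token,
    }),
  };
}

// Constructed landing URLs, shaped like what the edit step redirects to.
const MAIN_FLOW_LANDING =
  'https://app.example.com/reset?uid=bob%40example.com&client=cl1ent&access-token=t0ken';
const ALT_FLOW_LANDING =
  'https://app.example.com/reset?reset_password_token=r3setT0ken';

// Example usage; send each returned object with fetch(url, { method, headers, body }).
console.log(buildResetRequest('bob@example.com', 'https://app.example.com/reset'));
console.log(buildPasswordUpdateRequest(MAIN_FLOW_LANDING, 'N3w-pa55word', 'N3w-pa55word'));
console.log(buildTokenPasswordUpdateRequest(ALT_FLOW_LANDING, 'N3w-pa55word', 'N3w-pa55word'));
```

The two PUT builders differ only in where the proof of identity travels: the main flow puts the three auth headers on the request, the alternative flow puts `reset_password_token` in the body and sends no auth headers. Both refuse to build a request when a required value is missing from the landing URL, which is the usual symptom of a `redirect_url` that was not what the front end expected.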