ResetPassword in .net core web api

Atilla Rüstəmli 20 Reputation points
2024-05-31T18:45:26.5333333+00:00

Hi, I'm currently working on a .NET Core Web API project and writing ResetPassword. The user wrote the email and the front-end sent it to my ForgotPassword endpoint; I checked the database and sent the URL with the email and token in it to the user's email. This URL is my ResetPassword(HttpGet) action's URL, and when the user clicks on it, it goes to my method. The ResetPassword(HttpGet) returns mail and token. I also have a ResetPassword(HttpPost) action which requires NewPassword from the UI and email and token from my ResetPassword(HttpGet) action. If everything is right, the password will change. I think the API part is right, and as a back-end developer I did everything correctly (according to the many tutorials and articles on the internet), but I can't understand the period between the ResetPassword(HttpGet) and ResetPassword(HttpPost) actions. I mean, after clicking the link which was sent to the user's email, doesn't the user have to go to the page where he will write his new password? And if the user can go there and write a new password, how will the front-end developer get the token and email from my ResetPassword(HttpGet) to send to me after the user clicks submit? Can anybody explain it to me, please? Because I've been working on it for almost 8 hours and haven't reached any conclusion yet.


Accepted answer
  1. Ahmad Mughal 150 Reputation points
    2024-06-01T08:46:52.4666667+00:00

    Certainly! Here’s a concise explanation of the process between the ResetPassword(HttpGet) and ResetPassword(HttpPost) actions in your .NET Core Web API project:

    ResetPassword(HttpGet):

    • Generates a unique token (e.g., GUID) and saves it in a database table along with the user's email.
    • Constructs a URL with the token as a query parameter (https://yourdomain.com/reset-password?email=user@example.com&token=generatedToken).
    • Sends this URL in an email to the user.

    User Interaction:

    • User clicks on the link in the email, which directs them to your front-end UI with the email and token in the URL.
    • Front-end captures the email and token from the URL parameters.

    ResetPassword(HttpPost):

    • Front-end presents a form where the user can enter their new password.
    • Upon form submission, front-end sends a `POST` request to the `ResetPassword(HttpPost)` endpoint.
    • Endpoint receives the new password, email, and token in the request body.
    • Validates the token against the email in the database.
    • Updates the user's password if validation is successful.

    Tips:

    • Ensure token security and validity checks are implemented.
    • Communicate clearly with your front-end developer about the structure of the URLs and the expected flow of data.

    This setup ensures a secure and seamless password reset process for your users. If you need further assistance with specific code examples or details, feel free to ask!

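As an added example that is not part of the question or any of the answers: the two API endpoints the accepted answer describes, written with ASP.NET Core Identity so that the token is generated and verified by the framework instead of being stored by hand, and with the emailed link pointing at the front-end page rather than at the API. Assumed: `IdentityUser` as the user type, Identity UI's `IEmailSender` for mail, a .NET 6+ project with implicit usings, and a front-end route `/reset-password` on a placeholder origin.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.AspNetCore.Mvc;

public record ForgotPasswordRequest(string Email);
public record ResetPasswordRequest(string Email, string Token, string NewPassword);

[ApiController]
[Route("api/account")]
public class AccountController : ControllerBase
{
    private readonly UserManager<IdentityUser> _users;
    private readonly IEmailSender _email;
    // Assumed front-end origin; the emailed link must open the UI, not the API.
    private const string FrontEndBase = "https://app.example.com";

    public AccountController(UserManager<IdentityUser> users, IEmailSender email)
    { _users = users; _email = email; }

    // Step 1: the UI posts the address; the API mails a link to the UI page.
    [HttpPost("forgot-password")]
    public async Task<IActionResult> ForgotPassword(ForgotPasswordRequest req)
    {
        var user = await _users.FindByEmailAsync(req.Email);
        // Same response either way, so the endpoint does not reveal which addresses exist.
        if (user is null) return Ok();
        // Identity's token is bound to the user and carries an expiry
        // (DataProtectionTokenProviderOptions.TokenLifespan, default 1 day).
        var token = await _users.GeneratePasswordResetTokenAsync(user);
        // Encode both values: the token is base64 and contains '+', '/' and '='.
        var link = $"{FrontEndBase}/reset-password?email={WebUtility.UrlEncode(req.Email)}"
                 + $"&token={WebUtility.UrlEncode(token)}";
        await _email.SendEmailAsync(req.Email, "Reset your password", link);
        return Ok();
    }

    // Step 2: the UI reads email and token from its own URL (new URLSearchParams(
    // location.search)), asks for the new password and posts all three here.
    [HttpPost("reset-password")]
    public async Task<IActionResult> ResetPassword(ResetPasswordRequest req)
    {
        var user = await _users.FindByEmailAsync(req.Email);
        if (user is null) return BadRequest("Invalid token.");
        // ResetPasswordAsync verifies the token (user, purpose, expiry) and applies
        // the configured password rules before storing the new hash.
        var result = await _users.ResetPasswordAsync(user, req.Token, req.NewPassword);
        return result.Succeeded ? Ok() : BadRequest("Invalid token.");
    }
}
```

Note that there is no `HttpGet` reset action at all: the browser never hits the API until the form is submitted, which is the gap in the flow the question asks about.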

2 additional answers

  1. Bruce (SqlWork.com) 60,361 Reputation points
    2024-05-31T20:23:48.54+00:00

    The email link should include the token value (typically a base64url encrypted value). This is passed to the reset GET. The GET should render the token to a hidden field that will be included on the reset POST. The POST verifies the token value and, if the password meets the complexity requirements, updates it.

    Typically the token contains the user id (so you know which user to update) and an expiration time, so the email link is valid for a short amount of time.


  2. AgaveJoe 27,421 Reputation points
    2024-06-01T01:50:20.0833333+00:00

    Ok, but after clicking the link, it will go to my API's HttpGet method.

    No, the link should go to the Web application, not the Web API. If the browser is redirected to a Web API HTTP GET action, then the user will see a JSON response in the browser, not HTML.