...
- User logs in via the `POST /login` API with a username/password.
- Check that the user's password is not in our list of known, common passwords.
- If it is, still return HTTP 401 Unauthorized and respond with an `ErrorResponse` object that contains an `errorCode`.
- Clients, upon seeing the `errorCode`, should redirect to the page for changing the password. Resets should be done via the `EmailResetChangePassword` option instead of oldpassword/newpassword so that the old, weak password can't be used to change the account password.
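The login flow above, as an added example that is not part of the original design document: a minimal handler that verifies the credentials first and only then consults the common-password list, returning a 401 with an `ErrorResponse`-style body in both failure cases. The `errorCode` values (`INVALID_CREDENTIALS`, `WEAK_PASSWORD`), the user store and the sample password list are assumptions constructed for the example; the page does not name them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample of known common passwords (assumption: a real deployment
# loads a large list; these four entries are only for illustration).
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein"})

# Assumed errorCode values; the design document does not define them.
ERR_INVALID_CREDENTIALS = "INVALID_CREDENTIALS"
ERR_WEAK_PASSWORD = "WEAK_PASSWORD"


@dataclass(frozen=True)
class LoginResult:
    """HTTP status plus the JSON body the handler would return."""
    status: int
    body: dict


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(password: str) -> dict:
    """Create a stored-credential record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user store (assumption). "bob" has a password from the common list.
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("password"),
}

# Dummy salt/hash used for unknown usernames so the hashing work (and thus
# response timing) is the same whether or not the account exists.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def login(username: str, password: str) -> LoginResult:
    """Handle POST /login for the weak-password flow described in the design."""
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    # Constant-time comparison of the derived hash against the stored one.
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if not ok:
        return LoginResult(401, {"errorCode": ERR_INVALID_CREDENTIALS})
    # Credentials are correct. Only now check the common-password list, so an
    # unauthenticated caller cannot use this endpoint to probe the list.
    if password in COMMON_PASSWORDS:
        # Still 401, but with the errorCode that tells the client to redirect
        # to the change-password page (which must use the email reset option).
        return LoginResult(401, {"errorCode": ERR_WEAK_PASSWORD})
    return LoginResult(200, {"authenticated": True})


def client_next_step(result: LoginResult) -> str:
    """Client-side routing decision on the errorCode (hypothetical route names)."""
    if result.status == 200:
        return "/home"
    if result.body.get("errorCode") == ERR_WEAK_PASSWORD:
        return "/change-password?via=EmailResetChangePassword"
    return "/login?error=1"


if __name__ == "__main__":
    for creds in [("alice", "correct horse battery staple"), ("bob", "password"),
                  ("bob", "nope"), ("nobody", "password")]:
        r = login(*creds)
        print(creds[0], r.status, r.body, "->", client_next_step(r))
```

Ordering is the point worth noting: the common-password check runs after successful credential verification, so the only caller who ever learns that a password is on the list is the account's legitimate owner, and the response code stays 401 in both branches as the design requires.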
API Changes
Currently, our `POST /user/password` takes
...