...

EmailResetChangePassword for changing passwords via email. This would use a signed token to authorize the password change.
OWASP recommends that the token be invalidated immediately after it is used, so we would need a database store that records which tokens have been issued and which have already been consumed.

Another important note from the OWASP cheat sheet is that the password reset process should not reveal which account the token will reset.

Also, only the hash of each password reset token should be stored, never the token itself.

Code Block (request body; the "authorization" object is the signed token, <TOKEN>, received by email)
{
    "authorization": {
        "username": "AzureDiamond",
        "expiresOn": 12345678,
        "signature": "<HMAC signature>"
    },
    "newPassword": "hunter3"
}

...