JSON Web Token
triggerfinger, 2018-01-25 20:24:13

Is the password reset scheme correct?

There is a small NodeJS server with login by email and email verification by link (the backend and the frontend client are completely separate, on different domains). I want to implement password reset. I sketched the following scheme, please look at it and give your comments:
1. the user enters an email on the client, which sends it to the server
2. check whether the email exists
3. if it does not exist, return an error to the client
4. if it exists, send an email containing a link with a token, and tell the client that the email was sent successfully and that they should check their inbox
5. the user follows the link from the email; the server verifies the token
6. if the token is invalid, return an error to the client
7. if the token is valid, redirect to the client, where a new password can be entered
8. the client sends the new password to the server, which saves the hash in the database

1 answer(s)
ChEl, 2018-01-25
@h1l4nd0r

If it's all over HTTPS, then it's fine, but if not, there's no point in going to that trouble: you can just send a generated password by email.
