
I am designing a RESTful API for a booking application and was quite happy to see I could map all details of the application to the 4 HTTP methods.

/users - GET, POST
/users/({id}|myself) - GET, POST, PUT, DELETE
/users/({id}|myself)/bookings - GET, POST
/users/({id}|myself)/bookings/{id} - GET, POST, PUT, DELETE

Example: Updating my own user uses a PUT to /users/myself.

But now I found out that one thing is missing: The possibility to request a new password if I forgot my old one. Any idea how I could add this?

janpio

3 Answers


Since the action is essentially an update -- a new password will be generated -- I would use the POST verb. You'll have to figure out an alternative way of delivering the password unless you have already arranged some challenge/response protocol based on shared secrets that can be used to validate the requester in the absence of the password. The easiest way is probably to email the user at the account of record with a link that can be used to effect the change and display their new password.

tvanfosson
  • POST - sounds good. The user will be sent an email and has to click a link to request a new password. – janpio Apr 21 '10 at 14:22
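The "POST, then e-mail a link" flow from the answer above, written out as an added example (this is not code from the question or any answer). It models two requests, POST /password-resets to issue a reset link and POST /password-resets/{token} to consume it, with the HTTP layer left out; the resource names, the 15-minute lifetime, the link prefix and the in-memory stores are assumptions. The points a practitioner should take from it are that the token is generated from a CSPRNG, that only its hash is stored, that it is single-use and expiring, and that the request endpoint answers identically for known and unknown addresses so it cannot be used to enumerate accounts.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60                            # reset link lifetime (assumed)
RESET_URL_PREFIX = "https://booking.example/reset/"     # hypothetical link target


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'.
    A stand-in for argon2/bcrypt; the point here is the reset flow, not the KDF."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def _token_hash(token: str) -> str:
    # Only the hash of the reset token is persisted, so a leaked table does
    # not hand an attacker live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    users: Dict[str, str] = field(default_factory=dict)           # email -> password hash
    resets: Dict[str, ResetRecord] = field(default_factory=dict)  # token hash -> record
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # (email, link); stands in for mail delivery
    clock: Callable[[], float] = time.time                        # injectable for testing expiry

    def request_reset(self, email: str) -> dict:
        """Handler body for POST /password-resets with {"email": ...}.
        The response is the same whether or not the address is registered."""
        if email in self.users:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self.resets[_token_hash(token)] = ResetRecord(email, self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, RESET_URL_PREFIX + token))
        return {"status": 202, "body": "If that address is registered, a reset link has been sent."}

    def complete_reset(self, token: str, new_password: str) -> dict:
        """Handler body for POST /password-resets/{token} with {"password": ...}.
        Unknown, already-used and expired tokens all get the same error."""
        record = self.resets.get(_token_hash(token))
        if record is None or record.used or self.clock() > record.expires_at:
            return {"status": 400, "body": "invalid or expired reset token"}
        record.used = True
        self.users[record.email] = hash_password(new_password)
        return {"status": 204, "body": ""}


def demo() -> bool:
    """Runs the flow once for a constructed user; True if the new password is accepted."""
    svc = ResetService()
    svc.users["alice@example.invalid"] = hash_password("old-password")
    svc.request_reset("alice@example.invalid")
    _, link = svc.outbox[-1]                       # what the mail would carry
    token = link[len(RESET_URL_PREFIX):]
    svc.complete_reset(token, "new-password")
    return verify_password("new-password", svc.users["alice@example.invalid"])


if __name__ == "__main__":
    print("reset flow ok:", demo())
```

In a real deployment the reset link should also be rate-limited per address and per source, and the completion step should invalidate existing sessions for the account; neither is shown above.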

Assuming by requesting a new password, you are referring to the typical action of the system assigning a new temporary password and then allowing the user to reset it, I would do something along the lines of:

POST : /users/myself/resetPassword

and then return the temporary password, send an email to the user or some other method of passing the new temp password back to the user.

Mike Clark
/users/({id}|myself)/forgottenpassword/, GET or PUT

or just implement some way of telling the user to go to the website.

UnkwnTech
  • Sending the user to the website was the alternative, yes. – janpio Apr 21 '10 at 14:22
  • That is likely to be the best option. – UnkwnTech Apr 21 '10 at 14:37
  • This doesn't look RESTful at all, you have an RPC call. It looks like you can PUT a forgottenpassword to a user... weird :) Imho it would be better to GET /password/{id} if id is your key that the user is supposed to remember. You would then depending on your security logic either just return the password or maybe send a new password to the user's email. If you insist on using your user route, you could: GET /users/{id}/password – Janus007 Jun 28 '13 at 08:32