userCheckPasswordToken return Type

[creed20]

Question

Would it, or is it, possible to return the CredentialType for query userCheckPasswordToken? I realize the new token is in the header, but it would be advantageous for the new credential to be returned via graphQL and then utilized for the userUpdatePassword mutation.

Thank You!

[mcelicalderon]

Hey @creed20 ! Unfortunately this is a tricky query and I don't think we could do that. This query in particular won't return a regular GQL response, but redirect to a success_url instead. So the response to this request is actually a redirect that will take you to the url you provided on the send reset password mutation and add the required credentials so you can then call the updatePassword mutation. Let me know if that makes sense or if you still think there's something we can do to improve this.

[creed20]

Hmm, I'm using React + Apollo for the frontend and Rails API on the backend, and maybe I'm misunderstanding the Redirect use, but I don't think it will work in this use case. I noticed in the below there is an alternate if the redirect_url is not provided.

graphql_devise/lib/graphql_devise/resolvers/check_password_token.rb

Lines 29 to 33 in 2df04b4

	if redirect_url.present?
	controller.redirect_to(resource.build_auth_url(redirect_url, built_redirect_headers))
	else
	set_auth_headers(resource)
	end

Would another query be possible, maybe userCheckPasswordTokenInline that doesn't redirect but just returns the credentials inline in the gql response?

[mcelicalderon]

Right, I guess you could do that somehow, but not sure it makes sense as in theory you hit this query by clicking on an email link that points to the backend (why we need to redirect).

BUT, there is something DTA implemented not so long ago, another way to reset the password. What we could actually do is send the reset password email with a link the client app must provide and include the reset token. We would then change the updatePassword mutation to receive the token and allow you to change the password without hitting the checkPasswordToken query first. And that's a mutation where we can defitiviely add the credentials field.

This is the PR in DTA. I'll take a look as soon as possible, but if you are up for it, we would be happy to take a PR on this.

[aarona]

I have to say that the way I would handle this (I haven't tried this yet but plan on it in the future) is put the reset token in the email and let the SPA do the graphql request instead of making the reset link have a URL encoded graphql request. I think its cleaner that way.

[creed20]

@mcelicalderon, I think that PR hit the nail on the head! With what you are describing, the updatePassword mutation would validate the token and then proceed or deny the password change without the use of headers?

@aarona, with what @mcelicalderon is describing it should work in your case as well.

[mcelicalderon]

Correct @creed20, updatePassword would allow to update the password without credentials if you pass the correct token. In DTA they handle both scenarios in a single endpoint, but I'm thinking we might split both reset password flows into different mutations so you can implement one of the two flows. As the one we are discussing seems cleaner, we might deprecate the current flow. What do you think, @00dav00 ?

[00dav00]

I agree, I think it would be a very nice feature to have in a new mutation

[creed20]

Hey @mcelicalderon ! Has there been any progress on the new mutation flows 😀?

[mcelicalderon]

Hey @creed20! Sorry we haven't been able to work on this yet. We'll try to do it as soon as we get some time on our hands. Also, prs are welcome if that's something you'd be interested in.

[mcelicalderon]

Hey @creed20 we just released v0.14.0 which contains the new discussed flow. We'll add documentation for both reset password flows as soon as possible, but now what you need to know is there are 2 new mutations:

• sendPasswordResetWithToken: Takes email and redirectUrl. Sends an email with a reset link that simply uses that redirectUrl and adds a reset password token as query params. On you frontend application you will use that token to call the second mutation.
• updatePasswordWithToken: Takes the resetPasswordToken, password and passwordConfirmation. Simply allow you to update the password of a user by sending the token. You can do this if you want to return authentication credentials after the password is changed, it won't return those by default.

[creed20]

@mcelicalderon , this worked great! Thank you for your time and effort creating this! 👏🎉👍