rest_password

604 sites No security coverage

New Rest Plugins to use REST for forgot / change password.
and Email template.

This provides a way to for people gone the headless route.
a few things 1) creates a new email template (see below)
which you can edit at /admin/config/people/accounts

that contains a custom token:
[user:rest-temp-password]

this is triggered via

ENABLE THESE WITH RESTUI

https://www.drupal.org/project/restui

ENDPOINT: Lost password
Content-Type: application/json
Method: POST

SITE + /user/lost-password?_format=json
{
  "mail": "[email protected]"
}

This token can ONLY be used in 2 ways....

1) USED to reset the user password to a new password VIA

ENDPOINT: Reset Lost password Via Temp password
Content-Type: application/json
Method: POST
SITE + /user/lost-password-reset?_format=json
{
  "name": "DRUPALUSERNAME",
  "temp_pass":"TEMP_PASSWORD_SENT_IN_EMAIL"
  "new_pass":"NEW_PASS_WORD"
}

or by logging in via "user/login?_format=json"
(but you will get an extra key in user_data: called "temp_password")

{
  "name":"admin", 
  "pass":"TEMPSENTPASS",
  "temp_pass": "TEMPSENTPASS"
}

which you should then redirect the user to reset there real password..

The temp password can not be used to log in to the "normal" Drupal front end
The temp password will expire in 7days
The temp password is no longer valid once a user resets their password.

Big Note on why you need to clear your Drupal cache, because this module ships with a route subscriber that removes all permissions ect from the use of the end point. So you may see a custom permission but you don't need to tick it as the subscriber alters this.

UPDATE 3 Jan 20 If using the email registration module then ... use the [user:mail] token, and {"name": "[email protected]" ...

Version	Type	Release date
2.0.1	Stable	Mar 20, 2025
2.x-dev	Dev	Mar 20, 2025

Version

Type

Release date

2.0.1

Stable

Mar 20, 2025

2.x-dev

Dev

Mar 20, 2025

rest_password

ENABLE THESE WITH RESTUI

Activity

Releases