Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Varbase FAQs 9.2.1 Minor update available for module varbase_faqs (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

REST Password Request

543 sites No security coverage
View on drupal.org

This project adds REST API endpoints for forgotten and changed passwords, enabling headless Drupal setups. It allows users to reset their passwords via API calls using a temporary password sent via email.

New Rest Plugins to use REST for forgot / change password.
and Email template.

This provides a way to for people gone the headless route.
a few things 1) creates a new email template (see below)
which you can edit at /admin/config/people/accounts

that contains a custom token:
[user:rest-temp-password]

this is triggered via

ENABLE THESE WITH RESTUI

https://www.drupal.org/project/restui

ENDPOINT: Lost password
Content-Type: application/json
Method: POST

SITE + /user/lost-password?_format=json
{
  "mail": "[email protected]"
}

This token can ONLY be used in 2 ways....

1) USED to reset the user password to a new password VIA

ENDPOINT: Reset Lost password Via Temp password
Content-Type: application/json
Method: POST
SITE + /user/lost-password-reset?_format=json
{
  "name": "DRUPALUSERNAME",
  "temp_pass":"TEMP_PASSWORD_SENT_IN_EMAIL"
  "new_pass":"NEW_PASS_WORD"
}

or by logging in via "user/login?_format=json"
(but you will get an extra key in user_data: called "temp_password")

{
  "name":"admin", 
  "pass":"TEMPSENTPASS",
  "temp_pass": "TEMPSENTPASS"
}

which you should then redirect the user to reset there real password..

The temp password can not be used to log in to the "normal" Drupal front end
The temp password will expire in 7days
The temp password is no longer valid once a user resets their password.



Big Note on why you need to clear your Drupal cache, because this module ships with a route subscriber that removes all permissions ect from the use of the end point. So you may see a custom permission but you don't need to tick it as the subscriber alters this.

UPDATE 3 Jan 20 If using the email registration module then ... use the [user:mail] token, and {"name": "[email protected]" ...

Activity

Total releases
2
First release
Mar 2025
Latest release
1 year ago
Releases (12 mo)
0 ▼ from 2
Maintenance
Dormant

Releases

Version Type Release date
2.0.1 Stable Mar 20, 2025
2.x-dev Dev Mar 20, 2025