RESTful reset password and confirm email

Question

im thinking what is the best RESTful way how confirm email and request reseting password. Im only aiming to find correct URI...

confirm email

PUT /users/{u

Answer 1

Considering that he said a reset service for someone who forgot her password, and not a change password service for someone already logged in...

I would use 2 services. 1st to request the reset password mail, and 2nd to set the new password with the token received in the received mail.

For the 1st:
POST baseUrl/passwordReset
Request body

{
   "email" : "my@self.com"
}

This could be POST or PUT, but since a mail delivery is not a resource subject to CRUD anyway, let's not be pedantic and use the old POST that was always used in html forms.

Obviously I would control that the same client (ip? browser? ...) doesn't make me send 20K mails in a minute.

Sending the mail to the user doesn't imply that the old password is not valid. That will only happen later in the second request when the new one updates it.

Response 204 (perhaps you should do it even if you don't know that email, because if you return error that means that when you don't return error you are confirming to a stranger that the given email is registered)

For the 2nd:
POST baseUrl/password
Request body

{
    "token" : "3D21BA...4F",
    "newPassword" : "m%4pW1!O"
}

Where the token is received in the mail. So the mail could have a link to a page including the token, when the page is loaded, the form is filled and submitted, being the token a hidden field that some javascript reads from the URL and puts here.

This is really a resource that you update, so POST. And I don't think it makes sense to have the same URI with 2 verbs for both, because they are not the same resource/entity at all.

Add By the way, I would make both HTTPS only, and that's why I put all the sensitive information in the body, not URL parameters.