We are developing an Angular 4 frontend which uses Magento entirely as a REST service. I'm trying to figure out how to update a customer's password after their forgot password token has been verified.
We perform a GET request on /V1/customers/{customerId}/password/resetLinkToken/{resetPasswordLinkToken} and receive a 'true' response. But how exactly are we supposed to perform the password update if the customer has no header authorization bearer token? Is there a way to update an anonymous user's password when the resetPasswordLinkToken is successfully verified?
Who will receive that forgot pwd email? That reset pwd email user, so I don't think you need to pass the bearer key for security purposes.
Well, we have modified the email so that it sends an email with a link to our Angular application since we are not using Magento 2 for its frontend experience. When the customer clicks the link in the email, the Angular application verifies the token using the /V1/customers/{customerId}/password/resetLinkToken/{resetPasswordLinkToken} REST API route. This returns a "true" body response, but what can we do next? It does not look like there is an API route to create a new password for this verified (yet not authorized) customer.
We want to keep all frontend activity that a customer makes within the Angular app, but I'm not seeing a way using the REST API to fully complete the "forgot password" -> "check email" -> "reset password" flow using only REST. Am I missing a part of this?
You need to check the API below:
<route url="/V1/customers/password" method="PUT">
    <service class="Magento\Customer\Api\AccountManagementInterface" method="initiatePasswordReset"/>
    <resources>
        <resource ref="anonymous"/>
    </resources>
</route>
Hi @Sunil Patel,
We are using the PUT /V1/customers/password api route. This is not the route that actually performs the password update though. These are the body parameters which that route accepts:
{
    "email": "customers@email.com",
    "template": "email_template_to_use",
    "websiteId": "store_id_number"
}
This is the call that is initially made when the customer has forgotten their password and enters their email in the "forgot password" form. This api call causes the email to be sent to the customer with the link to reset the password. That part is working fine. Here is the exact description of that api route from the swagger docs:
Send an email to the customer with a password reset link.
This is the current flow that a user takes in our Angular app:
The only way I am seeing to actually let the customer change their password is using the /V1/customers/me/password api route, but that only works for users who know their password and are logged in.
So, I ended up creating a Magento module that exposes the Magento\Customer\Api\AccountManagementInterface::resetPassword method as a POST endpoint in my webapi.xml and I'm now able to complete the password reset with the new API endpoint.
This method just needs to be supplied the user's email, reset token and new password, and it then updates the password. This is the method that Magento already uses to complete the process, so I just opened it up to the REST API. I don't know if there is a reason it is not part of the API, but it's working great for me now.
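A minimal `etc/webapi.xml` for the kind of module described in the post above, as an added example that is not the poster's module or Magento's own code. The route URL `/V1/customers/resetPassword` is an assumption; the service class, the method and the `anonymous` resource are the ones quoted in this thread.

```xml
<?xml version="1.0"?>
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
    <!-- Assumed route URL (hypothetical, not given in the thread). -->
    <route url="/V1/customers/resetPassword" method="POST">
        <!-- Same service method the thread says Magento uses to complete a reset.
             The JSON body keys are assumed to mirror its parameters:
             {"email": "...", "resetToken": "...", "newPassword": "..."} -->
        <service class="Magento\Customer\Api\AccountManagementInterface" method="resetPassword"/>
        <resources>
            <!-- anonymous: no bearer token is required, so the reset token sent
                 in the body is the only credential protecting this call. -->
            <resource ref="anonymous"/>
        </resources>
    </route>
</routes>
```

Because the route is anonymous, the earlier `true` from the resetLinkToken check grants nothing by itself; the token has to be sent again with the new password.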
Hey Jersey, care to share the module you're talking about, please?
I developed a Magento controller and call its action as an API, with the code:
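// Validation: throws if the reset token is not valid for this customer.
$this->_accountManagement->validateResetPasswordLinkToken($params['customer_id'], $params['reset_token']);

// Load the customer and save it together with the hash of the new password.
$customerId = (int) $params['customer_id'];
$customer = $this->_customerRepository->getById($customerId);
$this->_customerRepository->save($customer, $this->_encryptor->getHash($params['password'], true));
// Nothing in this snippet clears the reset token after the password is saved.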