R – What’s the restful way to implement a forgotten password feature


I have the following restful structure:

  • My login page uses the session/new action
  • My signup page the users/new action
  • My logout page uses the session/destroy action
  • My register process uses the users/create action

I need 3 more actions for:

  • I forgot my password page
  • Start forgotten password action (send email)
  • Reset password based on token

Where do these 3 actions fit in a restful world?

To clarify:

I know I can create whatever actions on my existing session and user controllers (eg. a reset_password get action or a start_reset_password post action) it just doesn't really sit right, it seems I am trying to make these controllers do too much work.

Best Solution

REST is not black magic. Figure out what your technical goals are for these pages, then pick the right verbs to go with them.

I forgot my password page: essentially a static form, right? You want this to be cachable. GET on any URL you want.

Send email: costly action which you don't want repeated and you DO want executed every time the user requests it: POST or PUT on any URL you want. Heck, you could make it the same as the above URL if you wanted to, but I don't see a particularly pressing need to.

Reset password based on token: I'd consider implementing this as a login-via-token instead, but if you're going to do it your way, then it has server-side consequences and hence should probably be a POST or PUT.