Skip to main content

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Reset Password should verify email and link accounts

rishabhpoddar, bhumilsarvaiya
Proposed by:

Context and Problem Statement#

From a flow point of view, if a password reset is successful, it is also proof that the user has verified their email. If the email is verified, then it should be account linked.

The question is should the password reset API implicitly verify the email and link accounts?

Considered Options#

  • Password reset API should do both
  • Password reset API should do neither
  • Password reset API should only verify email

Decision Outcome#

Option chosen: Password reset API should do both

Pros and Cons of the Options#

Password reset API should do both#

  • Better end user experience - they have unified data + no need to do extra email verification as well
  • Password reset can be done at any time, so linking accounts might lead to loss of data - unless the dev has implemented postAccounLink callback properly. We are Ok with this as the same scenario can happen with OPTIONAL email verification flow, or during manual account linking.
  • Password reset API should do neither#

  • Poorer user experience
  • Password reset should only be concerned with changing the password and nothing else - so this maintains separation of concern principle.
  • Implement this using canLinkAccount and canCreatePrimaryUser functions#

  • One lesse configutation param
  • The dev needs to write the same logic in two places if they want to provide this implementation.
  • Password reset API should only verify email#

  • Good user experience since they do not also have to go through email verification flow.
  • No scope for loss of data as user ID doesn't change
  • If no account linking is done here, then there is no in built flow that the user can do after this in which their accounts would be automatically linked - leading to duplicate users.