Reset Password should verify email and link accounts
Context and Problem Statement
From a flow point of view, if a password reset is successful, it is also proof that the user has verified their email. If the email is verified, then it should be account linked.
The question is should the password reset API implicitly verify the email and link accounts?
- Password reset API should do both
- Password reset API should do neither
- Password reset API should only verify email
Option chosen: Password reset API should do both
Pros and Cons of the Options
Password reset API should do both Better end user experience - they have unified data + no need to do extra email verification as well Password reset can be done at any time, so linking accounts might lead to loss of data - unless the dev has implemented postAccounLink callback properly. We are Ok with this as the same scenario can happen with OPTIONAL email verification flow, or during manual account linking.
Password reset API should do neither Poorer user experience Password reset should only be concerned with changing the password and nothing else - so this maintains separation of concern principle.
Implement this using canLinkAccount and canCreatePrimaryUser functions One lesse configutation param The dev needs to write the same logic in two places if they want to provide this implementation.
Password reset API should only verify email Good user experience since they do not also have to go through email verification flow. No scope for loss of data as user ID doesn't change If no account linking is done here, then there is no in built flow that the user can do after this in which their accounts would be automatically linked - leading to duplicate users.