Progress will discontinue Telerik Platform on May 10th, 2018.

Changing a User Account Password

When it comes to changing a user password, you have two options:

Let the User Change Their Own Password

A user can change their own password. Ask them for their current password and their new password, then pass both values to the changepassword endpoint along with the username. If you pass keepTokens=false as a URL parameter, all access tokens issued to the user become invalid.

Here is an example of changing the password for a user:

var object = {
    "Username": "<username>", //pass the username
    "Password": "<old_pass>", //pass the user's current password
    "NewPassword": "<new_pass>" //pass the user's new password
};

$.ajax({
    type: "POST",
    url: 'https://api.everlive.com/v1/your-app-id/Users/changepassword',
    contentType: "application/json",
    data: JSON.stringify(object),
    success: function(data){
        alert("User password successfully changed");
    },
    error: function(error){
        alert(JSON.stringify(error));
    }
});

Request:
    POST https://api.everlive.com/v1/your-app-id/Users/changepassword
Payload - raw:
    {
        "Username": "<username>",
        "Password": "<old_pass>",
        "NewPassword": "<new_pass>"
    }
Response:
    Status: 200 OK
    Content-Type: application/json

On success, the response is "{"Result":null}".

Reset the User Password Administratively

If you need to change the password for a user account without the owner's participation (for example, if the user has forgotten their password), you can do so by combining the changepassword endpoint with master key authentication. Because storing the master key in the client application is not safe, avoid placing this code in your client app.

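var masterKeyHeader = {
    "Authorization": "MasterKey your-master-key" //pass your master key
};

//the administrative payload omits the current password
var object = {
    "Username": "<username>", //pass the username
    "NewPassword": "<new_pass>" //pass the user's new password
};
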
$.ajax({
    type: "POST",
    url: 'https://api.everlive.com/v1/your-app-id/Users/changepassword?keepTokens=false',
    contentType: "application/json",
    data: JSON.stringify(object),
    headers: masterKeyHeader,
    success: function(data) {
        alert("User password successfully changed");
    },
    error: function(error) {
        alert(JSON.stringify(error));
    }
});

Request:
    POST https://api.everlive.com/v1/your-app-id/Users/changepassword?keepTokens=false
Headers:
    Authorization: MasterKey your-master-key
Payload - raw:
    {
        "Username": "<username>",
        "NewPassword": "<new_pass>"
    }
Response:
    Status: 200 OK
    Content-Type: application/json

A suitable place for this code is a Cloud Function that can be called from the client app by authorized users such as administrators. You can find out more about Cloud Functions, including information on how to call them, in Implementing Cloud Functions. The following example uses the Cloud Code JavaScript SDK to make the same RESTful request:

Everlive.CloudFunction.onRequest(function(request, response, done) {
    var parameters = Everlive.Parameters;
    var appId = parameters.apiKey;
    var masterKey = parameters.masterKey;
    var baseUrl = parameters.apiBaseUrlSecure;
    var apiVersionNumber = parameters.apiVersion;

    var url = baseUrl + "/v" + apiVersionNumber + "/" + appId + '/Users/changepassword?keepTokens=false';

    var options = {};
    var username = "username"; //specify the user's username
    var newPassword = "new-password"; //specify the user's new password

    options.body = {
        "Username": username,
        "NewPassword": newPassword
    };
    options.headers = {
        "Authorization": "MasterKey" + " " + masterKey
    };
    options.contentType = "application/json";

    Everlive.Http.request('POST', url, options, function(err, data) {
        if (err) {
            response.body = err;
            done();
        } else {
            response.body = "Success";
            done();
        }
    });
});

When changing the password administratively, it makes sense to invalidate all access tokens issued to the user in exchange for their previous credentials. This is why the code appends the keepTokens=false parameter to the URL.

You may also want to disable the automated reset password notification email from the portal.
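
The administrative reset above is meant to be reachable only by authorized users such as administrators, with the master key kept off the client. The following is an added example, not part of the original documentation or the Everlive SDK, of a server-side Node.js check that gates the request on the caller's role and always sets keepTokens=false; `authorizeReset`, `sendReset`, `caller.role` and the sample values are assumptions made for illustration.

```javascript
// Base URL as shown in the requests on this page.
const API_BASE = 'https://api.everlive.com/v1';

// Decide whether an administrative reset may proceed and, if so, build the
// changepassword request. The master key is read from server-side config only.
// `caller.role` is this example's assumption about how admins are identified.
function authorizeReset(caller, input, config) {
  // 1. Authorization gate comes first, before the master key is touched.
  if (!caller || caller.role !== 'admin') return { ok: false, status: 403 };
  // 2. Server misconfiguration is a server error, not a caller error.
  if (!config || !/^[A-Za-z0-9-]+$/.test(config.appId || '') || !config.masterKey) {
    return { ok: false, status: 500 };
  }
  // 3. Reject missing or non-string fields instead of forwarding them.
  const { username, newPassword } = input || {};
  if (typeof username !== 'string' || username.trim() === '' ||
      typeof newPassword !== 'string' || newPassword === '') {
    return { ok: false, status: 400 };
  }
  return {
    ok: true,
    request: {
      method: 'POST',
      // keepTokens=false is fixed so tokens issued for the old password are invalidated.
      url: API_BASE + '/' + config.appId + '/Users/changepassword?keepTokens=false',
      headers: {
        'Authorization': 'MasterKey ' + config.masterKey,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ Username: username, NewPassword: newPassword })
    }
  };
}

// Send a prepared request with the global fetch of Node.js 18+.
// Only success or failure is returned, so upstream error details stay server-side.
async function sendReset(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return res.ok;
}

// Constructed sample values, not real credentials.
const sampleConfig = { appId: 'your-app-id', masterKey: 'your-master-key' };
const sampleInput = { username: 'alice', newPassword: 'constructed-new-pass' };
console.log(authorizeReset({ role: 'user' }, sampleInput, sampleConfig).status);   // 403
console.log(authorizeReset({ role: 'admin' }, sampleInput, sampleConfig).request.url);
```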

See Also

Recover a User Account
