Simplify the password reset flow

[andresgarza]

If I'm not mistaken, the current flow for resetting a password is as follow:

1. POST /requestPasswordReset
   internally generates a token and sends an email with a link to /apps/:appId/request_password_reset
2. GET /apps/:appId/request_password_reset
   validates token and redirects to /apps/choose_password
3. POST /apps/:appId/request_password_reset
   validates token and updates user password

From what I can tell, step #2 is not really needed. Only things I think it does is validate that the token is still valid (which is still done in step #3) and redirects to choose_password.

In my opinion, it would be simpler/cleaner if step #1 sent a link directly to choose_password and skip step #2 altogether. This will in turn get rid of an extra validation and avoid a redirect altogether.

As an added bonus for those of us with custom pages, the password reset email would in turn contain a link to a "pretty" URL instead of having to go through the parse-server URL first.

[drew-gross]

That seems reasonable to me. Want to help out?

[andresgarza]

Sure, I'll take a stab at it.

[andresgarza]

Only downside to this would be that if the token is indeed invalid, the user wouldn't know until actually submitting the form to reset the password. Personally, I'm okay with this since the chances of the token being invalid are slim.

Are we okay with this tradeoff?

[flovilmart]

Can we keep the validation AND add a custom choose_password page?

[drew-gross]

I'm fine with the user not seeing an invalid token until they submit. Having the custom choose_password page is important though.

[flovilmart]

You can already specify a custom choose password page by passing it in the customPages options.
The flow is as is I believe so we can redirect to your custom page. customPages.choosePassword.

[andresgarza]

Correct, you can already specify a custom page. This proposal is to remove that redirect (email could contain link to your custom page from the start). I have this working I just haven't had time to clean up tests.

[flovilmart]

@andresgarza are you working on it?

[montymxb]

Closing this out as it seems to have stalled out. That, and the current password reset flow is functional as is, but this would be nice to have. If there is still an interest let us know so we can reopen this and look into it with the intent to push along a PR.