The WordPress REST API is a fantastic tool that has transformed the way developers can use WordPress and introduced a huge number of possibilities. One of the possible use cases is using WordPress as a back end for apps, whether they are progressive web applications, single page applications, mobile apps or even desktop apps.
This is often referred to as “Headless WordPress”, the head referring to the front end of the site, or even the admin area, as it means you just use what is under the hood. You can then use whatever your favourite front end framework is for a site or app.
A simple use of the API could be to load publicly available blog posts. But if you need to go further than this and your users need to be logged in to WordPress via a non-WordPress interface, you will need to add some extra tools or plugins to help manage this. There are a few options for registering and logging in, but that’s not what this post is about.
Specifically here we’re looking at methods of resetting a user’s password.
Password Reset – why does it need special attention?
If you consider the normal password reset process in WordPress, a user will:
- Click the forgotten password link
- Receive an email with a unique link to the password reset screen
- Follow the link back to the WordPress website
- Set a new password
- Login
There’s an issue with this process when using an alternative front end, since you won’t want users redirected back to your WordPress install. This will take them out of the flow of your app, and then, how do you get them back to the app again? This is especially an issue for mobile apps: while you can set up deep links for your app to open based on a URL, the setup is quite involved, especially since it’s different for each platform.
All these considerations aside, let’s take a look at our options.
WP REST User Plugin
https://wordpress.org/plugins/wp-rest-user/
This plugin offers the ability to create users and reset their passwords. The main drawback for the password reset is what is explained above, since it will trigger the normal WordPress password reset email, as if the user had requested a password reset. If this isn’t an issue for you, this plugin works well. If it is, you’ll need to figure out how to get the user back into your flow.
Create a Custom Password Reset Process
After not getting what we needed from WP REST User Plugin, we initially coded our own custom solution which involved the following:
- Creating a new REST Endpoint for a password reset
- Sending a new custom email with a link back to our web app with a custom code parameter in the URL
- Creating a new REST Endpoint to set a new password, ensuring that we validated the code that came with the request
This worked fine for browser-based apps but fell short for mobile apps. Since we had no other case to use deep links for our app, the amount of work required to implement it seemed disproportionately high.
It was this scenario that inspired the development of…
Password Reset with Code for WordPress REST API
So yes, this is our plugin. When the previous process fell short, we took a step back and thought – what other password reset processes are there? One that jumped out as being simple to implement was the sending of a 4-digit code via email that the user could enter into an app. This code would then be sent with the reset request and validated when setting a new password.
At present there are many action hooks and filters in the plugin to customise the experience for your app, but there’s scope to take this further. Codes could be sent via SMS or we could make use of an authenticator app like Google Auth.
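The emailed-code check described above, sketched as an added example (this is not the plugin's own code): a 4-digit code has only 10,000 possible values, so the validation step needs a short expiry, a cap on wrong guesses and single use. The function names, constants, HMAC secret and the array standing in for per-user storage are all assumptions made for illustration.

```php
<?php
// Added example: not the plugin's code. Constants and function names are assumptions.
const CODE_TTL     = 900; // seconds a code stays valid (assumed 15 minutes)
const MAX_ATTEMPTS = 3;   // wrong guesses allowed before the code is burned

// Issue a 4-digit code. $store stands in for per-user storage (user meta in WordPress).
function issue_code(array &$store, int $userId, string $secret, int $now): string
{
    // random_int() is a CSPRNG; str_pad() keeps leading zeros such as "0042".
    $code = str_pad((string) random_int(0, 9999), 4, '0', STR_PAD_LEFT);
    $store[$userId] = [
        'mac'      => hash_hmac('sha256', $userId . ':' . $code, $secret), // never store the code itself
        'expires'  => $now + CODE_TTL,
        'attempts' => 0,
    ];
    return $code; // the caller emails this to the user
}

// Returns true only for the right code, in time, within the attempt budget.
function verify_code(array &$store, int $userId, string $code, string $secret, int $now): bool
{
    $rec = $store[$userId] ?? null;
    if ($rec === null || $now > $rec['expires'] || $rec['attempts'] >= MAX_ATTEMPTS) {
        unset($store[$userId]); // expired or exhausted: a new code must be requested
        return false;
    }
    $store[$userId]['attempts']++; // count the attempt before comparing
    $mac = hash_hmac('sha256', $userId . ':' . $code, $secret);
    if (!hash_equals($rec['mac'], $mac)) { // constant-time comparison
        return false;
    }
    unset($store[$userId]); // single use: a code cannot be replayed
    return true; // the set-password endpoint may now change the password
}

// Constructed demo data: user 42, fixed clock, throwaway secret.
$store  = [];
$secret = 'constructed-demo-secret';
$now    = 1700000000;
$code   = issue_code($store, 42, $secret, $now);
$wrong  = $code === '0000' ? '0001' : '0000';
var_dump(verify_code($store, 42, $wrong, $secret, $now));      // wrong guess
var_dump(verify_code($store, 42, $code, $secret, $now + 60));  // correct code
var_dump(verify_code($store, 42, $code, $secret, $now + 120)); // replay of a used code
$code = issue_code($store, 42, $secret, $now);
var_dump(verify_code($store, 42, $code, $secret, $now + CODE_TTL + 1)); // expired code
```

The endpoint that calls `verify_code()` should return the same generic error for an unknown user, a wrong code and an expired code, so responses do not reveal which accounts exist.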
Roundup
As we know, the password reset process requires a little extra thought when using the WordPress REST API. But we do have a couple of good options available.
Using another method for password resets? Use the comments to share your experience.
Credits
Featured image courtesy of NeONBRAND@Unsplash