API for setting password #2197

hughns · 2023-12-08T10:20:22Z

GraphQL mutation to set/change password.

For a regular user require existing password to be provided (as well as new password).

For an admin no existing password is needed.

hughns · 2023-12-08T10:27:28Z

Assume for now that we don't need to offer the capability to sign out all sessions/devices as part of calling this mutation.

i.e. no need for a replacement for the logout_devices option of POST /_matrix/client/v3/account/password

sandhose · 2024-05-15T09:14:01Z

API should look like this:

mutation {
  setPassword(input: { userId: "ID", currentPassword: "pwd", newPassword: "pwd" }) {
    status,
    user { .. }
  }
}

Where currentPassword is needed when the requested doesn't have admin capabilities.

To implement this, one would need to:

put the PasswordManager in the mas_graphql::State. This is particularly annoying, as this currently lives in the mas_handler crate, which isn't accessible from the mas_graphql crate because else there would be a dependency loop
add a mutation in crates/graphql/src/user.rs
it should check if the requester is admin or is accessing their own user
if the requester is not admin:
- it should check that the SiteConfig allows password change
- it should check that the currentPassword was provided and validate it

hughns added A-GraphQL Changes to the GraphQL API A-Local-Password Related to the local password database labels Dec 8, 2023

hughns mentioned this issue Dec 8, 2023

Better UI for self-served password change #2148

Closed

sandhose mentioned this issue Apr 3, 2024

Feature: disable user registration #2241

Closed

reivilibre self-assigned this May 23, 2024

reivilibre mentioned this issue Jun 4, 2024

Add a setPassword GraphQL mutation for setting a user's password #2820

Merged

reivilibre closed this as completed in #2820 Jun 5, 2024

matrixbot mentioned this issue Sep 10, 2024

API for setting password element-hq/matrix-authentication-service#2197

Closed

Provide feedback