I'm in the process of designing and building an API that will be used by multiple consumer platforms - web clients, native mobile apps, other servers.
One of the things I'll need is a robust method for handling forgotten passwords.
I'm thinking the RESTfulest way to do this on the server side is by adding a pseudo field to the /users resource and accepting a PUT/PATCH request on it, something like 'password_reset' => TRUE.
On the server side I can generate a one-time login hash, but what should I do with that code? If I email it to the user, how should the login link behave, considering they could have requested the link via any number of mobile apps?
I just want to make sure I'm designing this properly, so I would welcome any thoughts.
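One way to implement the one-time token the question describes, as an added example that is not part of the original post: the server stores only a hash of a random token with an expiry and a used flag, and any client (web, mobile app, or another server) redeems it through the API, so the email link only needs to carry the token to whichever client opens it. The in-memory USERS and RESET_TOKENS dictionaries stand in for a database and are assumptions for this example.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the real database (assumption).
USERS = {"alice@example.com": {"password_hash": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires_at", "used"}

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime limits the window of a leaked link


def _digest(token: str) -> str:
    # Only the digest is persisted, so a database dump cannot be replayed as a token.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Handle PATCH /users/{id} with {'password_reset': true}.

    Returns the plaintext token for delivery (e.g. by email) or None for an
    unknown account. The HTTP response sent to the caller should be identical
    in both cases so the endpoint does not reveal which accounts exist.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    RESET_TOKENS[_digest(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset(token: str, new_password_hash: str, now: Optional[float] = None) -> bool:
    """Redeem a token from any client; new_password_hash is already hashed upstream."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_digest(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    record["used"] = True  # one-time: a second redemption of the same link fails
    USERS[record["email"]]["password_hash"] = new_password_hash
    return True
```

Issuing a new token on each request and invalidating it on use means the same flow works whether the link is opened in a browser or handled by a mobile app's deep link, since redemption is a single API call carrying the token and the new credential.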