
feature request: Password policies when updating user password

Open jschill opened this issue 1 year ago • 3 comments

Problem

To update a user password, we have to use the management API (PATCH /api/users/{userId}/password). But doing so will not use the password policies, so you can set it to anything you like. This means we have to roll our own password validation and try to sync it with the Logto settings.

Solution(s) proposal

Make it possible to optionally enable the policies using the management API. This would be beneficial both for user managers and for users.

Another solution could be to make use of the "Forgot password" function, if it would be possible to trigger that email to be sent from the management API. I.e. when a user is signed in and clicks "Change my password", that "forgot password" email is triggered. This would not be very efficient for user managers, but it would likely be good for users, and I personally like the fact that we (we as in the service provider using Logto) won't have to host any change-password form and "see" the password.

jschill avatar Apr 15 '24 07:04 jschill
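The post above describes the gap a service provider has to close themselves today: the management API accepts any password, so the caller must enforce a policy before it sends the PATCH. The following is an added example of such a gate, written for this page; it is not code from the issue, from Logto, or from jschill. The `policy` object mirrors the kinds of rules a Logto password policy exposes (length, number of character types, rejected patterns and words, user-info matching), but its exact shape here is an assumption, as is the `{ password }` request body, so check both against the Logto version you run.

```javascript
// Added example: enforce a local password policy before calling the Logto
// management API (PATCH /api/users/{userId}/password), which does not apply
// the tenant's password policy itself.
//
// ASSUMPTION: this policy shape is modelled on Logto's console settings, not
// copied from its schema. Keep it in sync with the tenant configuration.
const policy = {
  length: { min: 8, max: 256 },
  characterTypes: { min: 2 }, // of: lowercase, uppercase, digit, symbol
  rejects: {
    repetitionAndSequence: true, // "aaa", "abc", "321"
    userInfo: true, // username, email local part, display name
    words: ['password', 'logto'],
  },
};

// How many of the four character classes does the password use?
function countCharacterTypes(password) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/];
  return classes.filter((re) => re.test(password)).length;
}

// True if any three adjacent characters are identical or form a run of
// consecutive code points in either direction ("abc", "cba", "123").
function hasRepetitionOrSequence(password) {
  for (let i = 0; i + 2 < password.length; i++) {
    const a = password.charCodeAt(i);
    const b = password.charCodeAt(i + 1);
    const c = password.charCodeAt(i + 2);
    if (a === b && b === c) return true;
    if (b - a === 1 && c - b === 1) return true;
    if (a - b === 1 && b - c === 1) return true;
  }
  return false;
}

// Returns a list of violation codes; an empty list means the password passes.
function validatePassword(policy, password, userInfo = {}) {
  const violations = [];
  if (password.length < policy.length.min) violations.push('too_short');
  if (password.length > policy.length.max) violations.push('too_long');
  if (countCharacterTypes(password) < policy.characterTypes.min) {
    violations.push('too_few_character_types');
  }
  if (policy.rejects.repetitionAndSequence && hasRepetitionOrSequence(password)) {
    violations.push('repetition_or_sequence');
  }
  const lower = password.toLowerCase();
  if (policy.rejects.userInfo) {
    // Only compare fields of 3+ characters so a one-letter name cannot
    // reject every password containing that letter.
    const fields = [userInfo.username, userInfo.email && userInfo.email.split('@')[0], userInfo.name]
      .filter((v) => typeof v === 'string' && v.length >= 3)
      .map((v) => v.toLowerCase());
    if (fields.some((f) => lower.includes(f))) violations.push('contains_user_info');
  }
  if (policy.rejects.words.some((w) => lower.includes(w.toLowerCase()))) {
    violations.push('restricted_word');
  }
  return violations;
}

// Builds the management API request only when the password passes the
// policy. Returning a request description (instead of calling fetch) keeps
// the example offline and lets the caller choose its HTTP client.
function buildPasswordUpdateRequest({ baseUrl, userId, accessToken, password, policy, userInfo }) {
  const violations = validatePassword(policy, password, userInfo);
  if (violations.length > 0) return { ok: false, violations };
  return {
    ok: true,
    request: {
      method: 'PATCH',
      url: `${baseUrl}/api/users/${encodeURIComponent(userId)}/password`,
      headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ password }), // ASSUMPTION: body shape of the endpoint
    },
  };
}

// Constructed sample input (not real tenant data).
const sampleUser = { username: 'jschill', email: 'jschill@example.com' };
console.log(validatePassword(policy, 'password123', sampleUser));
console.log(buildPasswordUpdateRequest({
  baseUrl: 'https://tenant.example.logto.app',
  userId: 'abc123',
  accessToken: 'PLACEHOLDER_M2M_TOKEN',
  password: 'Tr0ub4dor&3xample',
  policy,
  userInfo: sampleUser,
}).ok);
```

The gate runs server-side in the service provider's backend, next to the code that holds the management API token, so the check cannot be skipped by a client that calls the backend directly. The violation codes are returned rather than thrown so the same result can drive both the API response and a log line for failed attempts.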

This is a solid case, will discuss with the team.

darcyYe avatar Apr 17 '24 05:04 darcyYe

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar May 02 '24 01:05 github-actions[bot]

Another idea would be to extend the first screen parameter with a resetPassword value on top of the existing signIn and register.

jschill avatar May 21 '24 12:05 jschill