It is common for login forms to have a reset password link for users that have forgotten their password. This enables users to reset their password themselves without needing to contact the system administrator or support.
There have been several topics about this feature:
The design should be similar to that implemented in the web_user module and follow these guidelines: Forgot Password - OWASP Cheat Sheet Series
A new anonymous RPC method common.db.reset_password will allow a user who is not logged in to request a password reset. A configuration setting will allow this to be deactivated if required.
When a password reset is started, the User.password_reset method will generate a temporary password and send it to the user via email. This password will expire after a set (configurable) amount of time. Any attempt to reset the password again before the temporary password expires is ignored.
Until a new password is set the user’s existing password continues to work. As soon as a new password is set any temporary passwords are cleared and will no longer work.
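The flow described above (anonymous request, temporary password with expiry, repeat requests ignored while one is outstanding, existing password still valid, temporary password cleared once a new password is set) as a small stand-alone model. This is an added example, not trytond's or the web_user module's code; the class and method names (UserAccount, ResetService, the explicit `now` parameter, the in-memory outbox standing in for the mail transport) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed for illustration: length parameter for the generated temporary password.
RESET_TOKEN_LENGTH = 12


@dataclass
class UserAccount:
    """Minimal model of a user record holding a permanent and a temporary password.

    Both secrets are stored only as salted PBKDF2 hashes; the clear-text temporary
    password exists only in the mail sent to the user.
    """
    login: str
    email: str
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _password_hash: Optional[bytes] = None
    _temp_hash: Optional[bytes] = None
    _temp_expires: float = 0.0

    def _hash(self, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 100_000)

    def set_password(self, new_password: str) -> None:
        """Set the permanent password; any outstanding temporary password is cleared."""
        self._password_hash = self._hash(new_password)
        self._temp_hash = None
        self._temp_expires = 0.0

    def password_reset(self, ttl_seconds: int, now: float,
                       send_mail: Callable[[str, str], None]) -> bool:
        """Issue a temporary password unless an unexpired one already exists.

        Returns True if a new temporary password was generated and mailed.
        """
        if self._temp_hash is not None and now < self._temp_expires:
            return False  # repeat request before expiry: ignored, nothing is sent
        temp = secrets.token_urlsafe(RESET_TOKEN_LENGTH)
        self._temp_hash = self._hash(temp)
        self._temp_expires = now + ttl_seconds
        send_mail(self.email, temp)
        return True

    def check_password(self, password: str, now: float) -> bool:
        """The existing password keeps working; the temporary one works until expiry."""
        candidate = self._hash(password)
        if self._password_hash is not None and hmac.compare_digest(
                candidate, self._password_hash):
            return True
        if self._temp_hash is not None and now < self._temp_expires:
            return hmac.compare_digest(candidate, self._temp_hash)
        return False


class ResetService:
    """Stand-in for the anonymous RPC entry point, switchable off by configuration."""

    def __init__(self, users, enabled: bool = True, ttl_seconds: int = 3600):
        self.users = {u.login: u for u in users}
        self.enabled = enabled
        self.ttl_seconds = ttl_seconds
        self.outbox = []  # constructed stand-in for the mail transport

    def _send(self, email: str, temp: str) -> None:
        self.outbox.append((email, temp))

    def reset_password(self, login: str, now: float) -> None:
        """Anonymous request. Returns nothing so the caller cannot tell an unknown
        login from a request that was ignored because a temporary password is
        still outstanding (per the OWASP guidance on uniform responses)."""
        if not self.enabled:
            return
        user = self.users.get(login)
        if user is None:
            return
        user.password_reset(self.ttl_seconds, now, self._send)
```

Passing `now` explicitly instead of reading the clock inside the methods keeps the expiry logic testable; a real implementation would take the TTL and the on/off switch from the server configuration rather than constructor arguments.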
It seems like it only makes sense to allow “password” resets when the password method is the one configured in session.authentications. If other/additional authentication methods are in use, then resetting the user’s “password” (or other login details) should probably be left to the administrator to do manually once they have verified the user’s identity.