AngularJS $resource Custom Action for Requesting a Password Reset


I'm just starting to use ngResource in a project to consume my RESTful endpoints. Is this how you would implement a user password reset using $resource? Looks weird passing the email address as a URL parameter.

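.factory('User', ['$resource', function ($resource) {

    // Default for the :id segment of the base URL, read from the object's id property
    var paramDefaults = {id: '@id'};

    var actions = {
        // Custom action: GET /api/user/reset/:email
        passwordReset: {
            method: 'GET',
            params: {email: '@email'},
            url: '/api/user/reset/:email'
        }
    };

    return $resource('/api/user/:id', paramDefaults, actions);
}])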

There are 2 answers

1
Nikolay Rusev (BEST ANSWER)

Yes, it looks a little bit weird. Instead of GET, I will use a POST request to reset the password and pass the email param in the request body.
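Added example, not part of either answer or of AngularJS itself: the question's GET action next to the POST variant suggested above, showing where the address ends up in each request. `userFactory`, `recordingResource` and `requestFor` are hypothetical names, `recordingResource` is a simplified stand-in for `$resource` so the comparison runs under Node without AngularJS, and the sample address is constructed.

```javascript
// Action from the question: the address becomes a URL path segment.
var getAction = {method: 'GET', params: {email: '@email'}, url: '/api/user/reset/:email'};
// Variant from the first answer: POST, address carried in the request body.
var postAction = {method: 'POST', url: '/api/user/reset'};

// Factory body, as it would be registered with .factory('User', ['$resource', ...]).
function userFactory($resource, action) {
    var paramDefaults = {id: '@id'};
    return $resource('/api/user/:id', paramDefaults, {passwordReset: action});
}

// Hypothetical, simplified stand-in for $resource: instead of calling $http it
// returns the request it would send. Leftover query params are not modelled.
function recordingResource(url, paramDefaults, actions) {
    var resource = {};
    Object.keys(actions).forEach(function (name) {
        var action = actions[name];
        var hasBody = /^(POST|PUT|PATCH)$/i.test(action.method);
        resource[name] = function (params, data) {
            var defaults = Object.assign({}, paramDefaults, action.params);
            var resolved = {};
            Object.keys(defaults).forEach(function (key) {
                var v = defaults[key];
                // '@name' defaults are looked up on the data object.
                resolved[key] = (typeof v === 'string' && v.charAt(0) === '@')
                    ? (data || {})[v.slice(1)] : v;
            });
            Object.assign(resolved, params);
            var path = (action.url || url).replace(/\/:(\w+)/g, function (m, key) {
                var v = resolved[key];
                return v === undefined ? '' : '/' + encodeURIComponent(v);
            });
            return {method: action.method, url: path, body: hasBody ? data : undefined};
        };
    });
    return resource;
}

// Issue a reset request for a constructed sample address with either action.
function requestFor(action, email) {
    var User = userFactory(recordingResource, action);
    return action.method === 'GET'
        ? User.passwordReset({email: email})
        : User.passwordReset({}, {email: email});
}

console.log(requestFor(getAction, 'alice@example.com'));
console.log(requestFor(postAction, 'alice@example.com'));
```

With the GET action the address is part of the request URL, which is what access logs, proxies and browser history record; with the POST action the URL is constant and the address appears only in the body.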

0
Remigius Stalder

As long as you make sure you invoke the service over HTTPS (i.e. an encrypted connection), there is nothing to object to, IMHO (of course, REST purists might argue here).

As far as security is concerned, the behavior of GET requests (passing data as request parameters) and POST requests (passing data in the request body) is the same: if not encrypted, the data can be eavesdropped on by attackers who have access to line data. Other than that, accepting a GET request might be, depending on the server-side REST framework, slightly more lightweight than accepting a POST request.

As the password itself is not passed as part of the request, one might think that no encryption is necessary. However, it is still strongly advisable to encrypt the request, as the knowledge alone that someone is resetting the password might allow attacks, and typically a token that allows resetting the password is returned in the response.