Supabase · 2y ago
kgni

Forgot password flow with OTP in React Native

Hi guys!

I have a forgot password flow as follows:

  1. User inputs email
  2. OTP is sent to the user's email
  3. User inputs OTP and is redirected to reset the password
  4. User updates email

When using the verifyOtp method in step 3, the user session is set and the user is logged in - this is expected and makes sense.

However, my issue is that if the user decides to kill the app after verifying with the OTP in step 3, but before actually updating the password in step 4, then the user will be logged into the app again without resetting the password.

I'm not sure what the typical behaviour is, but I would assume that if the user kills the app before updating the password, then they shouldn't just be automatically logged in again.

How would you guys approach this in the best way? Is it even needed, or am I overthinking it? I guess it is a slight edge case, but I could still see this happening. Maybe it is not that bad after all?

My initial thought to "fix" this was to have a flag on the user, hasResetPassword, and set this to false after the OTP, and then true if they actually changed the password.

Then if this is false, the user session would automatically be terminated the next time the user opens the app.

Would love to hear your ideas, or if anyone dealt with this issue before.

Thanks in advance and happy holidays!
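
One way to implement the flag idea from the post, as an added example that is not part of the original post or Supabase's own code. It swaps the flag on the user record for a marker in local storage, written before the OTP is verified. `PENDING_KEY`, the function names and `makeFakes` are hypothetical; `auth` is assumed to be shaped like `supabase.auth` and `store` like AsyncStorage.

```javascript
// Added example. PENDING_KEY and all function names here are hypothetical.
// `auth` is shaped like supabase.auth, `store` like AsyncStorage (async get/set/remove).
const PENDING_KEY = 'pendingPasswordReset';

// Step 3: the marker is written BEFORE verifyOtp, so a kill right after the
// session is created still leaves it behind for the next launch.
async function beginRecovery(auth, store, email, token) {
  await store.setItem(PENDING_KEY, '1');
  // Assumption: type 'recovery' fits an OTP issued by resetPasswordForEmail.
  const { error } = await auth.verifyOtp({ email, token, type: 'recovery' });
  if (error) {
    await store.removeItem(PENDING_KEY); // no session was created
    throw error;
  }
}

// Step 4: only a successful password update clears the marker.
async function completeRecovery(auth, store, password) {
  const { error } = await auth.updateUser({ password });
  if (error) throw error; // marker stays, so the session remains gated
  await store.removeItem(PENDING_KEY);
}

// App launch, before any screen reads the session.
async function enforceOnLaunch(auth, store) {
  if ((await store.getItem(PENDING_KEY)) === null) return 'continue';
  const { error } = await auth.signOut();
  if (error) throw error; // keep the marker and retry on the next launch
  await store.removeItem(PENDING_KEY);
  return 'signed-out';
}

// Constructed in-memory stand-ins so the flow can be exercised offline.
function makeFakes() {
  const state = { session: null, kv: new Map() };
  const store = {
    getItem: async (k) => (state.kv.has(k) ? state.kv.get(k) : null),
    setItem: async (k, v) => { state.kv.set(k, v); },
    removeItem: async (k) => { state.kv.delete(k); },
  };
  const auth = {
    verifyOtp: async ({ token }) => token === '123456' // constructed OTP
      ? ((state.session = { user: 'u1' }), { error: null })
      : { error: new Error('invalid otp') },
    updateUser: async () => ({ error: null }),
    signOut: async () => { state.session = null; return { error: null }; },
  };
  return { auth, store, state };
}
```

The marker lives on the device, so it only governs what the app does at launch; the session returned by verifyOtp stays valid until signOut is called.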