I am designing a RESTful API for a booking application and was quite happy to see I could map all details of the application to the 4 HTTP methods.

/users - GET, POST
/users/({id}|myself) - GET, POST, PUT, DELETE
/users/({id}|myself)/bookings - GET, POST
/users/({id}|myself)/bookings/{id} - GET, POST, PUT, DELETE

Example: Updating my own user uses a PUT to /users/myself.

But now I found out that one thing is missing: The possibility to request a new password if I forgot my old one. Any idea how I could add this?

A: 
/users/({id}|myself)/forgottenpassword/, GET or PUT

or just implement some way of telling the user to go to the website.

Unkwntech
Sending the user to the website was the alternative, yes.
Jan P.
That is likely to be the best option.
Unkwntech
+1  A: 

Assuming by requesting a new password, you are referring to the typical action of the system assigning a new temporary password and then allowing the user to reset it, I would do something along the lines of:

POST : /users/myself/resetPassword

and then return the temporary password, send an email to the user or some other method of passing the new temp password back to the user.

Mike Clark
+3  A: 

Since the action is essentially an update -- a new password will be generated -- I would use the POST verb. You'll have to figure out an alternative way of delivering the password unless you have already arranged some challenge/response protocol based on shared secrets that can be used to validate the requester in the absence of the password. The easiest way is probably to email the user at the account of record with a link that can be used to effect the change and display their new password.

tvanfosson
POST - sounds good. The user will be sent an email and has to click a link to request a new password.
Jan P.
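The POST-then-emailed-link flow discussed in the answers above, sketched as an added example that is not code from any participant in this thread. The function names, the in-memory stores, the 15-minute lifetime and the use of an email address to identify the account are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

# Constructed in-memory stores standing in for the application's database.
USERS = {"jan@example.com": {"password": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> (email, expires_at)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Handler for the POST that asks for a reset (hypothetical name).

    Returns (response_body, token_for_email). The body is the same for
    known and unknown addresses, so the endpoint does not reveal which
    accounts exist; the token is only ever placed in the emailed link.
    """
    now = time.time() if now is None else now
    body = {"status": "If the account exists, an email has been sent."}
    if email not in USERS:
        return body, None
    token = secrets.token_urlsafe(32)  # unguessable, URL-safe
    # Store only a hash, so a leaked token table yields no usable links.
    RESET_TOKENS[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return body, token


def confirm_reset(token, new_password_hash, now=None):
    """Handler behind the emailed link: single use and time limited.

    new_password_hash is assumed to come from the application's own
    password hashing routine.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_digest(token), None)  # pop makes it single use
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    USERS[email]["password"] = new_password_hash
    return True
```
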