Hey there,
I'm dealing with an issue with password reset flow and wondering how you handle this.
Right now, when someone clicks an expired/already-used reset link, I still show them the "enter new password" form. They don't find out it's broken until after they fill it out and click update button, which is not so good.
I can check the expire timestamp client-side to catch expired links easily. But how can I do validating the actual secret token before they waste time filling out the form?
Is there a clean way to verify the userId and secret from the reset URL when the page loads, before they even see the form? Like a validation-only endpoint or something? Or is the standard approach just to validate everything when they submit account.updateRecovery()?
TL;DR
Developers are seeking a way to perform early validation of password reset tokens before users fill out the reset form. They want to know if there is a method to check the `userId` and `secret` from the reset URL when the page loads to prevent users from wasting time. One solution could be implementing a validation-only endpoint for this purpose.
