Reset Password Emails
Context
When a user needs to reset their password, they can request a Reset Password email. We are going to allow them to do this in one of two ways: either by using the "Forgot password?" link on the Universal Login page, or by speaking to someone from Customer Services, who can trigger the email via Dixa. We have decided to implement these emails using an integration directly with Auth0, rather than via our middleware.
Decision
Ideally, we do not want to implement any point-to-point integrations. A point-to-point integration is when two systems talk to each other directly, and so are tightly coupled. Instead, we want to utilise middleware as a centralised platform that connects multiple applications, decoupling our architecture and making it more scalable.
We have implemented Auth0 with Universal Login, which is hosted by Auth0 and prevents us from making any significant changes to the login/register widget itself. This means that when we implemented the "Forgot password?" link on the login page, we had no choice but to set up an Email Provider in our Auth0 tenant in order to send the emails directly from there. We were unable to make any changes to the link address or behaviour, so we had to implement a point-to-point integration. Given this was already set up, we decided that we would use the same mechanism to send reset password emails when they are requested by Customer Services via Dixa. This will provide some level of consistency, as all reset password emails will be sent via Auth0 instead of Exponea. You can see all of the other emails that are sent via Exponea here.
Consequences and limitations
Having these point-to-point integrations is not ideal and, as mentioned, they are something that we want to avoid. However, when we committed to the Auth0 Universal Login, we knew it came with some limitations. In the long term, we will implement our own embedded login, which would mean we have control over the "Forgot password?" link and could implement it using middleware instead.
For the Dixa implementation, if we were using middleware, we could request a magic link from Auth0 and then pass that value into an email template to be executed and sent from Exponea. Instead, we will trigger an interactive password flow that will send an email to the user for them to reset their password themselves.