goors · November 7, 2024 17:53
diff --git a/ory_reset_password.txt b/ory_reset_password.txt
 POST `https://PROJECT_URL/admin/recovery/code`
 ```
 --header 'Content-Type: application/json' 
 --header 'Authorization: YOUR_ORI_ADMIN_ACCESS_TOKEN'
 body=
 {
    "expires_in": "5m",
    "identity_id": "SOME_USER_ID_GUID", 
    "flow_type": "api"
 }
 ```

 this will give you response:
 ```
 {
    "recovery_link": "https://PROJECT_URL/ui/recovery?flow=GUID_CODE",
    "recovery_code": "CODE",
    "expires_at": "2024-11-07T17:30:09.37370597Z"
 }
 ```
 POST `https://PROJECT_URL/self-service/recovery?flow=GUID_CODE (GUID_CODE from pervious response)`

 this will give you something like
 ```
 "continue_with": [
        {
            "action": "set_ory_session_token",
            "ory_session_token": "SESSION_TOKEN"
        },
        {
            "action": "show_settings_ui",
            "flow": {
                "id": "FLOW_ID_GUID",
                "url": "https://PROJECT_URL/ui/settings?flow=SETTINGS_FLOW_GUID"
            }
        }
    ],
 ```
 GET https://PROJECT_URL/self-service/settings/flows?id=SETTINGS_FLOW_GUID
 --header 'X-Session-Token: SESSION_TOKEN'

 this will give you response in nodes property

 "attributes": {
                    "name": "csrf_token",
                    "type": "hidden",
                    "value": "", // sometimes this is show and sometimes it is not
                    "required": true,
                    "disabled": false,
                    "node_type": "input"
                },
                
 also you will get header cookie like csrf_token_SOME_ID=TOKEN_HERE; Path=/; Domain=; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax    

 Finally:

 POST https://PROJECT_URL/self-service/settings?flow=SETTINGS_FLOW_GUID
 {
    "password": "",
    "csrf_token": "EITHER_USE_TOKEN_FROM_HEADER ONLY TOKEN_HERE PART OR TOKEN FROM RESPONSE",
    "method": "password"
 }
 --header 'X-Session-Token: SESSION_TOKEN'

 In all honesty, i think ory.sh is by far worst service and they are forcing you to use either their html templates or to have your docker thing kratos etc. I do not want to use their html templates and all of that magical things.

 Why is that freaking hard to do simple thing? Idiotism is that you can, as admin via ory api, reset user password via patch identity so all of this reset password nonsense does not make any sense.
	POST `https://PROJECT_URL/admin/recovery/code`
	```
	--header 'Content-Type: application/json'
	--header 'Authorization: YOUR_ORI_ADMIN_ACCESS_TOKEN'
	body=
	{
	"expires_in": "5m",
	"identity_id": "SOME_USER_ID_GUID",
	"flow_type": "api"
	}
	```

	this will give you response:
	```
	{
	"recovery_link": "https://PROJECT_URL/ui/recovery?flow=GUID_CODE",
	"recovery_code": "CODE",
	"expires_at": "2024-11-07T17:30:09.37370597Z"
	}
	```
	POST `https://PROJECT_URL/self-service/recovery?flow=GUID_CODE (GUID_CODE from pervious response)`

	this will give you something like
	```
	"continue_with": [
	{
	"action": "set_ory_session_token",
	"ory_session_token": "SESSION_TOKEN"
	},
	{
	"action": "show_settings_ui",
	"flow": {
	"id": "FLOW_ID_GUID",
	"url": "https://PROJECT_URL/ui/settings?flow=SETTINGS_FLOW_GUID"
	}
	}
	],
	```
	GET https://PROJECT_URL/self-service/settings/flows?id=SETTINGS_FLOW_GUID
	--header 'X-Session-Token: SESSION_TOKEN'

	this will give you response in nodes property

	"attributes": {
	"name": "csrf_token",
	"type": "hidden",
	"value": "", // sometimes this is show and sometimes it is not
	"required": true,
	"disabled": false,
	"node_type": "input"
	},

	also you will get header cookie like csrf_token_SOME_ID=TOKEN_HERE; Path=/; Domain=; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax

	Finally:

	POST https://PROJECT_URL/self-service/settings?flow=SETTINGS_FLOW_GUID
	{
	"password": "",
	"csrf_token": "EITHER_USE_TOKEN_FROM_HEADER ONLY TOKEN_HERE PART OR TOKEN FROM RESPONSE",
	"method": "password"
	}
	--header 'X-Session-Token: SESSION_TOKEN'

	In all honesty, i think ory.sh is by far worst service and they are forcing you to use either their html templates or to have your docker thing kratos etc. I do not want to use their html templates and all of that magical things.

	Why is that freaking hard to do simple thing? Idiotism is that you can, as admin via ory api, reset user password via patch identity so all of this reset password nonsense does not make any sense.