# [SOLVED] Sending secrets to the function from client code
31 messages · Page 1 of 1 (latest)
How are you doing password reset? 🧐
I created a custom verification with a TOTP code, and after the user gives the correct TOTP code I then call a function which resets the password for the given email address.
Actually I am waiting for this pull request to be merged; that's why I created my own custom way for now.
Soooo if you're not going to use Appwrite's password reset and you're generating your own code, you would need to send that to the user (probably by using some SMS or mail provider).
Then, you should have a function that takes the code and the new password, and the function can update the password if the code is correct.
Yes exactly, but I am handling generating/verifying the code and sending it to the user's email from my client code. At last I then call the function that takes the new password, which then just resets the password.
Sending from client code? Sorry I don't understand
I mean sending the email with the generated code to the user from my Flutter app.
You're generating the code from your client app??
yes
That is not secure
Oh ok, so you suggest doing all the logic, like generating the code, sending it to the user's email and then verifying it, in a function. For this I will then need 2 functions: one for generating and sending the TOTP code and one for verifying the code and resetting the password.
Yes. Or one function that does both depending on the request
one function depending on the request?
Ooh I see, yes now I understand what you mean.
You mean by differentiating through sending something in the header or body to know what the function should do?
Yes something in the body
Ok then I will definitely implement the whole logic in my function. Thanks for the suggestion.
Now how do I send the secrets then? In the body is not a good idea, in the header as well I think. Then how?
Email or something of the sort. The point is you should not be sending it to the client who initiated the request, because that may not be the actual owner of the account. The whole point of password recovery is validating the user is who they say they are even if they don't have their password.
I am sending the secret TOTP code in the email already. The user should then copy-paste the code in the app and then give his/her new password to be reset, and I meant this new password. How do I give this to the function for resetting it?
The function that validates the code should also take the new password. If the code is correct, update the password. If not, don't update the password and return an error.
Yes right, but where do I put the code and the new password then to give them to the function?
You can pass data to a function..
Yes, this is my question: where is the best place to pass data, in the header, in the body, or where?
The opportunity to pass data when I am executing it from the client is, I think, headers or body.
Up to you, but, generally, it's done in the body.
Oh ok, I am already giving data to functions through the body, but I had a security concern; that's why I asked.
So doing so will be safe then?
If that question was due to encryption, HTTPS (TLS) encrypts both headers and body.
Ok then it's perfect. I think I got my answer. You guys are very helpful, thank you @tight plank and @cloud acorn.