# Early Validation of Password Reset Tokens

2 messages · Page 1 of 1 (latest)

inner dove

Hey there,

I'm dealing with an issue with the password reset flow and wondering how you handle this.

Right now, when someone clicks an expired/already-used reset link, I still show them the "enter new password" form. They don't find out it's broken until after they fill it out and click the update button, which is not so good.

I can check the expiry timestamp client-side to catch expired links easily. But how can I validate the actual secret token before they waste time filling out the form?

Is there a clean way to verify the userId and secret from the reset URL when the page loads, before they even see the form? Like a validation-only endpoint or something? Or is the standard approach just to validate everything when they submit account.updateRecovery()?
