API - Reset a user's password

Hello,

I’d love to be able to reset a user's password via the API.
I was hoping that I could use Edit User for this, but it doesn’t work.
I can only set the password, but not reset it (and trigger a mail).

Or is there a way I can send the “forgot password” mail to a user via API?

Our use case is the following: After a set amount of months we need to make sure that the Nextcloud user is still part of the company, and we could easily do so by resetting their password and sending a mail to their registered email address, since they can only access that mail as long as they’re working for the company.

Unfortunately I haven’t found a way to do so without deleting the user and creating a new one, which obviously would be overkill.

Cheers,
Tobi

Maybe the NC API is limited, but why don’t you split the procedure into 2 different steps?

  • reset password using API (or occ)
  • send an email with new password to the user

BTW: I think the method doesn’t help you. In NC (and a lot of other applications) changing a user's password only affects new logins and does not remove active sessions. In other words, if the fired employee has the NC app running on his private PC/mobile/browser, the session remains authorized even if the user’s password changes.

You have to cycle through active sessions and invalidate all of them to accomplish your mission. If a lot of your users are using multiple devices, I have the feeling they will dislike what you are looking for… my advice is to perform such aggressive clean-up for definitely disabled users only (ideally as part of the off-boarding process).

If you know which users left the company user:disable might be a better choice?

Since NC 17 there is a “remote wipe” feature (see “Nextcloud 17 brings remote wipe, collaborative text editor and next generation secure watermarking”), and you probably have to use it to remove content from the users' devices when a user leaves.

Changing the password will also not affect “App Passwords”. If I create them, they will remain.

Also, if you have a company with access control for the emails, it could be a good idea to use their IAM system. In this case, if a user leaves the company, the disabled/blocked email account will automatically lead to the user being blocked on NC.

I was trying not to send a password via mail; that’s not very secure.

Actually a lot of applications DO remove active sessions and invalidate session tokens on pw change. Everything else would be a security risk.

Unfortunately I don’t know which users left the company, as we have lots of different users from different companies accessing the Nextcloud. Hence the whole password reset thing in the first place.

We’ll probably change their password to a random one and send them a mail that they should reset their pw via “forgot password”.
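The plan above (set a random password through the API, then tell the user to pick a new one via “forgot password”) combined with the earlier two-step suggestion (reset via API or occ, then mail the user) can be scripted against the Nextcloud Provisioning API. The following is an added example, not code from any post in this thread or from the Nextcloud project. It assumes the OCS endpoint `PUT /ocs/v1.php/cloud/users/{userid}` with form fields `key=password` and `value=...`, basic-auth admin credentials, and a base URL you supply; the random password is never mailed or stored, which is the point of the approach. As the thread notes, this does not end existing sessions or app passwords.

```python
"""Rotate a Nextcloud user's password to a random value via the Provisioning API.

Added example for this thread; not code from the original posts or from Nextcloud.
Assumed API shape: PUT /ocs/v1.php/cloud/users/{userid} with key=password&value=...,
basic-auth admin credentials, and the OCS-APIRequest header.
"""
import base64
import json
import secrets
import string
import urllib.parse
import urllib.request

OCS_HEADERS = {"OCS-APIRequest": "true", "Accept": "application/json"}


def generate_password(length: int = 32) -> str:
    """Random password from the OS CSPRNG; only URL-safe characters so the
    form encoding below never alters it."""
    alphabet = string.ascii_letters + string.digits + "-_."
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_set_password_request(base_url, admin_user, admin_pass, uid, new_password):
    """Build (but do not send) the PUT request that sets `uid`'s password."""
    url = f"{base_url.rstrip('/')}/ocs/v1.php/cloud/users/{urllib.parse.quote(uid, safe='')}"
    body = urllib.parse.urlencode({"key": "password", "value": new_password}).encode()
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    headers = dict(OCS_HEADERS)
    headers["Authorization"] = f"Basic {token}"
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return urllib.request.Request(url, data=body, headers=headers, method="PUT")


def ocs_ok(response_json: dict) -> bool:
    """OCS v1 wraps results as {"ocs": {"meta": {"statuscode": 100, ...}}};
    100 is the v1 success code."""
    return response_json.get("ocs", {}).get("meta", {}).get("statuscode") == 100


def rotate_password(base_url, admin_user, admin_pass, uid, send=None):
    """Set a fresh random password for `uid`; return it only so the caller can
    confirm success, then drop it. The user is told to use "forgot password",
    so the value never has to be mailed. `send` is injectable for offline
    testing; by default the request is sent over HTTPS."""
    if send is None:
        def send(req):
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.loads(resp.read().decode())
    new_password = generate_password()
    req = build_set_password_request(base_url, admin_user, admin_pass, uid, new_password)
    if not ocs_ok(send(req)):
        raise RuntimeError(f"password rotation failed for {uid}")
    return new_password


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own server and admin account.
    rotate_password("https://cloud.example.test", "admin", "ADMIN-PASSWORD-PLACEHOLDER", "tobi")
    print("rotated; now tell the user to use 'forgot password'")
```

The same step can be done from the server shell with `occ user:resetpassword <uid>`; the API form is what the thread asked for because it runs from outside the host. Loop `rotate_password` over the user list for the periodic run, and keep the admin credentials out of the script (environment variable or secret store).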

No, it is not. There is no reason to kill active sessions when the PW changes, as all these sessions already provided the proof they are valid… only in case one suspects illegitimate access does it make sense to review active sessions (each user can do this in Settings > Security) and revoke sessions you don’t recognize.

If the application is accessed from multiple devices like Nextcloud (desktop client, mobile client, browser, calendar sync), it causes a lot of trouble if the user needs to log in on every device each time the password changes (and think about app passwords - they don’t change either, as @gas85 already pointed out).

In your initial post you stated

Does it mean the email service knows when the user leaves? Maybe you can pull the information from there?

This still doesn’t address your issue: if the user has set up a client app or uses a browser session, they remain online if actively used, even if the password changes.

I might’ve expressed myself unclearly. The active sessions are not killed, you’re right. But the refresh token gets invalidated. That’s security best practice and basically everywhere the case.

https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#user-resets-password

All major business apps do this. Change your Outlook password and tell me if you can still use your Outlook app on your phone the next day.

With an invalid refresh token it’s only a matter of time (usually not that long) until the whole session is invalid.

The problem is that we use Nextcloud to distribute documentation to our customers. We have 50+ customers using this and we have no access to any of their services.
The customers are told to notify us of employees leaving or closing the accounts themselves, but this doesn’t always happen.

This is why we’re thinking about forcing users to change passwords every x months, because they can only change passwords if they still have access to their work email (when using “forgot password”).

I see your pain, but I have no good idea how you can address the issue. For me the pain of forcing all valid users to change their passwords on every device (maybe in your case only one is used) is much bigger than keeping active sessions running.

You are trying to work around the problem of not knowing if the user is still valid by adding some organizational process. This is fine for your problem, but I don’t think this is worth changing for everybody… Maybe you should review other possibilities? Maybe Flow or Polls give you a chance to detect well enough if the user becomes disabled on the partner's side…

Checking out Flow is actually a great idea!

Thanks for your help anyway; if I ever find a solution, I’ll comment it here.