Resolve "Alternative change password API to use email backup code instead of old password"
requested to merge 19-alternative-change-password-api-to-use-email-backup-code-instead-of-old-password into master
Closes #19 (closed)
Review can be me explaining it.
The normal change password API requires the old password. This is just a variant of that which uses the backup email token instead.
If an attacker gained access to a user's email AND an auth token, they could change the user's data (but not decrypt unless they also had a private key somehow).
This includes some tests in the "Test the API, not the entire thing" style.
Edited by David Burke