Password Reset Endpoints

Password Reset Endpoints define profiles for Mideye Server's self-service assisted password reset portal. Each profile generates a public URL where end users can initiate a password reset, receive approver validation, and set a new password — all without administrator intervention.

Navigate to External Endpoints → Password Reset Endpoints to manage profiles. Requires the Administrator role or above.

The list view displays all configured password reset profiles.

| Column | Description |
|--------|-------------|
| Name | Profile name. Default sort column (ascending). |
| Assisted Login profile | The associated assisted login profile. Rendered as a clickable link to the profile editor for administrators. |
| Password Reset Portal URL | The full public URL for the self-service portal (/password-reset/{id}). Includes a copy-to-clipboard button. |
| Action | Edit and Delete buttons (administrator only). |

The editor uses a three-tab form.

| Field | Description | Default | Validation |
|-------|-------------|---------|------------|
| Name | Unique profile name. Validated asynchronously for uniqueness. | — | Required. Max 255 characters. |
| reCAPTCHA site key | Google reCAPTCHA v2/v3 site key for bot protection on the public portal. | — | Optional. |
| reCAPTCHA secret key | Corresponding reCAPTCHA secret key for server-side verification. | — | Optional. |
| Password change help text | Instructions displayed to the user on the password change page. | Set your new password | Required. |
| Client name for logs | Name recorded in authentication and accounting logs for password reset events. | Password reset | Required. |
| OTP limit per minute | Maximum number of one-time passwords that can be sent per minute per session. | 5 | Required. 1–60. |
| OTP limit per hour | Maximum number of one-time passwords that can be sent per hour per session. | 30 | Required. 1–3600. |
| Permits per second | Global rate limit for API requests to this profile's portal endpoint. | 100 | Required. 1–1000. |

Configures the user repositories and approver workflow for this profile.

| Field | Description | Default | Validation |
|-------|-------------|---------|------------|
| Assisted Login profile | The assisted login profile that defines approvers and approval rules. | — | Required. |
| Use Mideye database | When enabled, searches the local Mideye user database for the resetting user. | Disabled | — |
| LDAP Profiles | Select one or more LDAP profiles as user repositories for locating the user account. | None | — |

The assisted login profile is mandatory — password reset requires an approver to validate the user's identity before the password change is permitted.

Controls the authentication flow behavior for the approver interaction.

| Field | Description | Default | Validation |
|-------|-------------|---------|------------|
| Mideye+ Touch title | Title displayed in the Mideye+ push notification sent to the approver. | Approve the assisted password reset request | Required. |
| Mideye+ Touch display text template | Message body in the push notification. Use %s as a placeholder for the username. | User [%s] has requested approval to reset their password | Required. |
| Non-plus approvers SMS | SMS text sent to approvers who do not have the Mideye+ app activated. | To approve a password reset request, activate the Mideye+ app. | Required. |
| Session timeout in minutes | Maximum duration of a password reset session before it expires. | 10 | Required. 1–1440 (24 hours). |
| OTP length | Number of digits in the one-time password sent to the user. | 8 | Required. 6–10. |
| Touch delivery timeout in seconds | Maximum time to wait for the Mideye+ push notification to be delivered to the approver's device. | 10 | Required. 1–600. |
| Touch approver response timeout in seconds | Maximum time the approver has to respond to the push notification. | 30 | Required. 1–30. |

The public portal at /password-reset/{profileId} guides end users through a multi-step workflow:

  1. Start — the user enters their username. If reCAPTCHA is configured, they must complete the challenge. The system locates the user in the configured repositories.
  2. OTP verification — a one-time password is sent to the user's registered phone number. The user enters the OTP to verify their identity.
  3. Approver validation — a push notification or SMS is sent to an authorized approver defined in the associated assisted login profile. The approver must approve the request.
  4. Password change — once approved, the user sets a new password.

Rate limiting is enforced per profile using the configured OTP limits and permits-per-second values.

| Action | Required Role |
|--------|---------------|
| View profiles | Operator or above |
| Create, edit, or delete profiles | Administrator or above |
| Access public portal | Unauthenticated (rate-limited) |