Some headless ambiguity

[leadrobot]

Getting a 401 when completing a password reset is tripping quite a few dev's up. It makes sense after considering the need to redirect on the frontend but perhaps there should be a success message inside the 401 response or the API docs could be more explicit here.

When authenticating with a provider token, the docs suggest you need to provide a session token for "app". Of course, you don't have one if the user is signing up. It took a while for the front end guys to figure out that they had the wrong value for client_id because the 400 was returning "invalid token" and they just assumed it was because they weren't providing a session token. When SocialApp does not exist (in ProviderTokenInput.clean) would be helpful to return that as an error instead of "invalid token". Also maybe indicate in the API docs that the session token isn't required (I assume it is if you are connecting accounts?)

Other than that been really smooth sailing!

[pennersr]

docs could be more explicit here.

PRs to improve the documentation are always welcome. Given that your developers experienced these ambiguities first hand, it would be beneficial if they themselves could reword things such that likely minded developers won't fall in the same trap.

Also maybe indicate in the API docs that the session token isn't required (I assume it is if you are connecting accounts?)

Note that required fields are all marked in red and labeled as "required". The X-Session-Token is not marked as such.

[engin-can]

@pennersr - Your example app is returning the response below after password reset. How do we know if it was successful?

Request URL: https://react.demo.allauth.org/_allauth/browser/v1/auth/password/reset
Request Method: POST
Status Code: 401 Unauthorized

{
    "status": 401,
    "data": {
        "flows": [
            {
                "id": "login"
            },
            {
                "id": "login_by_code"
            },
            {
                "id": "signup"
            },
            {
                "id": "provider_redirect",
                "providers": [
                    "facebook",
                    "google",
                    "lichess"
                ]
            },
            {
                "id": "provider_token",
                "providers": [
                    "facebook",
                    "google"
                ]
            }
        ]
    },
    "meta": {
        "is_authenticated": false
    }
}

[pennersr]

That is indeed short on documentation, but a 400 is an error, and both 200 and 401 are success responses. You can get a 200 if settings.ACCOUNT_LOGIN_ON_PASSWORD_RESET = True, and a 401 when False.

[engin-can]

Yeah, I found your unit tests, I will just consider that logic the truth from now on.. :)

[pennersr]

Cleared up password reset: 5e46229