Reset Password security fix

Hello all,

Today we released a new way of allowing users to reset their passwords. The old way present in versions of Canvas from late December 2020 until February 3, 2021, didn’t work if logged out users were not able to search for a list of users, a privacy rule that should be present on every app. To illustrate that:

Good privacy rules (where the old reset password flow doesn’t work):

Bad privacy rules on logged-out users (necessary for the old reset password flow to work):

Here’s a screen recording describing how to change an app to use this more secure approach. Loom | Free Screen & Video Recording Software

Thank you,