
Password Recovery Request

POST /company/auth/recovery

Endpoint for requesting password recovery for company users.
Performs the following operations:

  1. Validates the email format
  2. Searches for the user in the database
  3. Generates a unique recovery token
  4. Sends an email with a password reset link

Detailed flow:

  1. Client sends email in JSON format
  2. Server validates email format (401 if invalid)
  3. Searches for user by email
  4. Generates a random token
  5. Stores token in the database associated with the user
  6. Sends an email with a link containing the token
  7. The link redirects to a new password form

Security:

  • Always returns 200 OK so that the status code does not reveal which emails are registered
  • Tokens expire after a limited validity period
  • Each token is single-use
  • Requires HTTPS
  • Also checks for disabled (soft-deleted) users

Special behavior:

  • If the email does not exist: returns 200 with USER_NOT_FOUND
  • If the user is disabled: returns 200 with USER_DISABLED
  • Demo users (cia@testing.com, ciamu@testing.com): return 200 without sending an email
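The following is an added illustration of the documented flow, not the project's own code: an in-memory model of the recovery endpoint that validates the email, looks the user up, issues a random token (storing only its hash), "sends" the link to an outbox, and honours the demo-user exception. It also models the reset side so that expiry and single use can be exercised. Names such as RecoveryService, request_recovery, consume_token, the 15-minute TTL, the EMAIL_REQUIRED message and the example.invalid link are assumptions. Note that the distinct USER_NOT_FOUND and USER_DISABLED messages documented above still let a caller tell account states apart even though the status code is uniform; the reveal_status=False variant returns one body for every state, which is the behaviour the security bullet is aiming for.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

# Simple format check; a real deployment would use the framework's validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TOKEN_TTL_SECONDS = 15 * 60                                  # assumed "limited validity"
DEMO_USERS = {"cia@testing.com", "ciamu@testing.com"}       # listed on the page


@dataclass
class User:
    email: str
    disabled: bool = False                                   # soft-delete flag


@dataclass
class RecoveryToken:
    email: str
    token_hash: str            # only the hash is persisted; the raw token goes in the email
    expires_at: float
    used: bool = False


class RecoveryService:
    def __init__(self, users, reveal_status=True, clock=time.time):
        self.users = {u.email: u for u in users}             # stand-in for the user table
        self.tokens = {}                                     # token_hash -> RecoveryToken
        self.outbox = []                                     # (email, link), stand-in mailer
        self.reveal_status = reveal_status
        self.clock = clock

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_recovery(self, body):
        """Returns (status, json_body) for POST /company/auth/recovery."""
        email = body.get("email") if isinstance(body, dict) else None
        if not email or not EMAIL_RE.match(email):
            # The page documents 401 for a missing/invalid email; the message name is assumed.
            return 401, {"op": "recovery", "message": "EMAIL_REQUIRED"}

        user = self.users.get(email)
        if user is None:
            message = "USER_NOT_FOUND"
        elif user.disabled:
            message = "USER_DISABLED"
        else:
            message = "RECOVERY_EMAIL_SENT"
            if email not in DEMO_USERS:                      # demo users: 200, no email
                self._issue_token(email)

        if not self.reveal_status:
            # Uniform body regardless of account state, so the response cannot be
            # used to tell registered addresses from unregistered ones.
            message = "RECOVERY_PROCESSED"
        return 200, {"op": "recovery", "message": message, "email": email}

    def _issue_token(self, email):
        raw = secrets.token_urlsafe(32)                      # CSPRNG, 256 bits
        digest = self._hash(raw)
        self.tokens[digest] = RecoveryToken(
            email=email, token_hash=digest, expires_at=self.clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"https://example.invalid/reset?token={raw}"))

    def consume_token(self, raw):
        """Validates a token from the reset link; unknown, expired and reused tokens fail."""
        rec = self.tokens.get(self._hash(raw))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None
        if not hmac.compare_digest(rec.token_hash, self._hash(raw)):
            return None
        rec.used = True                                      # single-use
        return rec.email
```

Because only the SHA-256 of the token is stored, a read of the token table does not yield usable reset links; the raw token exists only in the email that was sent.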

Example request:

  {
    "email": "user@company.com"
  }

Example responses:

Valid email found:

  {
    "op": "recovery",
    "message": "RECOVERY_EMAIL_SENT",
    "email": "user@company.com"
  }

Email not found (returns 200 for security):

  {
    "op": "recovery",
    "message": "USER_NOT_FOUND",
    "email": "nonexistent@company.com"
  }

Disabled user:

  {
    "op": "recovery",
    "message": "USER_DISABLED",
    "email": "user@company.com"
  }

Error codes:

  • 401: Email not provided
  • 500: Internal server error

Responses

  • 200: Processed (always returns 200 for safety)