Update customer's password using Admin API

Important to note, however, is that the Storefront API is rate-limited by IP address and also seems to have some undocumented logic which limits the number of recovery requests by IP. This means that if you are initiating this recovery from your server, you can quickly exhaust the limits and effectively block all users from resetting their passwords. If this recovery process is user-driven (clicking a button on your app which is proxied to your server), this exposes a denial-of-service security hole. (We are hitting this issue ourselves and wish there were an Admin API way of doing this.)
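The failure mode described above is that every proxied recovery request reaches the upstream API from the server's single IP, so one abusive client can spend the shared per-IP allowance for everyone. One server-side mitigation is to gate the proxy with token buckets per target account, per calling client and globally, keeping the global bucket sized below the upstream limit so the server rejects the abusive client instead of draining the shared quota. The following is an added example, not code from the original post or from the API vendor; the capacities, the 600-second window, the `RecoveryGate` and `simulate` names, and the idea of keying clients by session or by a trusted `X-Forwarded-For` value are all assumptions, since the real upstream limits are undocumented.

```python
"""Server-side gate for proxied password-recovery requests (added example).

Three token buckets are checked, narrowest first, before a request is
forwarded upstream: one per target account, one per calling client, and one
global bucket sized under the (assumed) upstream per-IP allowance.
"""
import time

# Assumed capacities; the real upstream limits are undocumented.
WINDOW_SECONDS = 600.0      # refill window shared by all buckets
PER_ACCOUNT_CAPACITY = 1    # one reset request per account per window
PER_CLIENT_CAPACITY = 2     # per calling client (session id, or a trusted X-Forwarded-For value)
GLOBAL_CAPACITY = 10        # total forwarded per window, kept below the upstream allowance


class TokenBucket:
    """Classic token bucket: `capacity` tokens, refilled evenly over `window` seconds."""

    def __init__(self, capacity, window, now):
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.rate = capacity / window   # tokens per second
        self.last = now

    def try_consume(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecoveryGate:
    """Decides whether a recovery request may be forwarded to the upstream API."""

    def __init__(self, now=None):
        now = time.monotonic() if now is None else now
        self.global_bucket = TokenBucket(GLOBAL_CAPACITY, WINDOW_SECONDS, now)
        self.per_account = {}
        self.per_client = {}

    @staticmethod
    def _bucket(table, key, capacity, now):
        if key not in table:
            table[key] = TokenBucket(capacity, WINDOW_SECONDS, now)
        return table[key]

    def decide(self, client_key, account, now=None):
        """Return 'forward' or 'deny:<reason>'.

        Checks run narrowest first, so an abusive client or a repeated account
        is rejected without spending a token from the shared global bucket.
        """
        now = time.monotonic() if now is None else now
        account_bucket = self._bucket(self.per_account, account.lower(), PER_ACCOUNT_CAPACITY, now)
        if not account_bucket.try_consume(now):
            return "deny:account"
        client_bucket = self._bucket(self.per_client, client_key, PER_CLIENT_CAPACITY, now)
        if not client_bucket.try_consume(now):
            return "deny:client"
        if not self.global_bucket.try_consume(now):
            return "deny:global"
        return "forward"


def simulate(events, start=0.0):
    """Run constructed (timestamp, client_key, account) events through one gate."""
    gate = RecoveryGate(start)
    return [gate.decide(client, account, t) for t, client, account in events]


if __name__ == "__main__":
    # Constructed sample: one client retrying, then a burst from many clients.
    sample = [
        (0.0, "10.0.0.1", "alice@example.com"),
        (1.0, "10.0.0.1", "alice@example.com"),   # same account again
        (2.0, "10.0.0.1", "bob@example.com"),
        (3.0, "10.0.0.1", "carol@example.com"),   # client's third request in the window
    ] + [(4.0, f"10.0.0.{i}", f"user{i}@example.com") for i in range(2, 13)]
    for ev, outcome in zip(sample, simulate(sample)):
        print(f"t={ev[0]:>4} client={ev[1]:<10} account={ev[2]:<20} -> {outcome}")
```

In the constructed run, the retry for the same account is refused, the first client's third request is refused, and once the global bucket is spent the remaining burst is refused with `deny:global` rather than being forwarded and counted against the shared upstream allowance. Whatever the gate decides, the response shown to the end user should be the same neutral message, so the rate limiter does not reveal which accounts exist.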
