@delopay/sdk 0.3.1 → 0.3.3

package/dist/index.cjs

@@ -2070,19 +2070,30 @@ var Users = class {
     return this.request("POST", "/user/forgot_password", { body: params });
   }
   /**
-   * Reset a user's password using the single-purpose JWT delivered by the
-   * forgot-password email.
+   * Reset a user's password using the email link token.
    *
-   * The backend's `SinglePurposeJWTAuth` reads the token from the
-   * `Authorization: Bearer …` header, not from the request body, so the
-   * SDK lifts the `token` field out of `params` and sends it as the header.
-   * Callers still pass `{ password, token }` — the shape is unchanged.
+   * The email link delivers an `EmailToken`, but `/user/reset_password` is
+   * gated by `SinglePurposeJWTAuth` which expects a different JWT type
+   * (`SinglePurposeToken`). The SDK hides this two-step dance:
+   *
+   * 1. Exchange the EmailToken for a SinglePurposeToken at `/user/from_email`
+   *    (`crates/router/src/core/user.rs:2773`, no auth required).
+   * 2. Call `/user/reset_password` with the SinglePurposeToken as
+   *    `Authorization: Bearer` and the original EmailToken in the body —
+   *    the handler decodes body.token as an EmailToken to look up the user
+   *    (`crates/router/src/core/user.rs:687`).
+   *
+   * Callers just pass `{ password, token }` (the token from the URL).
    */
   async resetPassword(params) {
-    const { token, password } = params;
+    const exchange = await this.request(
+      "POST",
+      "/user/from_email",
+      { body: { token: params.token } }
+    );
     return this.request("POST", "/user/reset_password", {
-      body: { password },
-      headers: { Authorization: `Bearer ${token}` }
+      body: { token: params.token, password: params.password },
+      headers: { Authorization: `Bearer ${exchange.token}` }
     });
   }
   async verifyEmail(params) {