RS: Authentication header is required for /users/password API (#1598)

rrelledge · web-flow · commit ecd0b4c34e75 · 2025-05-21T15:04:14.000-05:00
* Copied fixes for outdated password rotation and authorize user docs to RS 7.8 version * DOC-5270 RS: Authentication header is required for /users/password API
diff --git a/content/operate/rs/7.8/references/rest-api/requests/users/authorize.md b/content/operate/rs/7.8/references/rest-api/requests/users/authorize.md
@@ -14,13 +14,13 @@ url: '/operate/rs/7.8/references/rest-api/requests/users/authorize/'
 
 | Method | Path | Description |
 |--------|------|-------------|
-| [POST](#post-authorize) | `/v1/users/authorize` | Authorize a user |
+| [POST](#post-authorize) | `/v1/users/authorize` | Generate a token to authorize an authenticated user |
 
 ## Authorize user {#post-authorize}
 
     POST /v1/users/authorize
 
-Generate a JSON Web Token (JWT) for a user to use as authorization to access the REST API.
+Generates a JSON Web Token (JWT) for a user to use as authorization to access the REST API. The request authentication header must include the relevant username and password.
 
 ### Request {#post-request}
 
@@ -30,12 +30,13 @@ Generate a JSON Web Token (JWT) for a user to use as authorization to access the
 
 #### Example JSON body
 
-  ```json
-  {
-      "username": "user@redislabs.com",
-      "password": "my_password"
-  }
-  ```
+The request body is optional unless you want to specify the token's time to live:
+
+```json
+{
+  "ttl": <time_in_seconds>
+}
+```
 
 #### Request headers
 | Key    | Value            | Description         |
@@ -45,19 +46,19 @@ Generate a JSON Web Token (JWT) for a user to use as authorization to access the
 
 #### Request body
 
-Include a [JWT authorize object]({{< relref "/operate/rs/7.8/references/rest-api/objects/jwt_authorize" >}}) with a valid username and password in the request body.
+Optionally include a JSON object in the request body to specify the time to live (`ttl`), which determines the amount of time in seconds the token will be valid. The default `ttl` is `300` seconds. The minimum `ttl` is `1` second and the maximum `ttl` is `86400` seconds.
 
 ### Response {#post-response}
 
 Returns a JSON object that contains the generated access token.
 
 #### Example JSON body
 
-  ```json
-  {
-      "access_token": "eyJ5bGciOiKIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXViOjE0NjU0NzU0ODYsInVpZFI1IjEiLCJleHAiOjE0NjU0Nz30OTZ9.2xYXumd1rDoE0edFzcLElMOHsshaqQk2HUNgdsUKxMU"
-  }
-  ```
+```json
+{
+  "access_token": "eyJ5bGciOiKIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXViOjE0NjU0..."
+}
+```
 
 ### Error codes {#post-error-codes}
 
@@ -73,6 +74,6 @@ The following are possible `error_code` values:
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | The user is authorized. |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | The request could not be understood by the server due to malformed syntax. |
-| [401 Unauthorized](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) | The user is unauthorized. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | The user is authorized. |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | The request could not be understood by the server due to malformed syntax. |
+| [401 Unauthorized](https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized) | The user is unauthorized. |
diff --git a/content/operate/rs/7.8/references/rest-api/requests/users/password.md b/content/operate/rs/7.8/references/rest-api/requests/users/password.md
@@ -14,15 +14,15 @@ url: '/operate/rs/7.8/references/rest-api/requests/users/password/'
 
 | Method                     | Path                 | Description                 |
 |----------------------------|----------------------|-----------------------------|
-| [PUT](#update-password)    | `/v1/users/password` | Change an existing password |
-| [POST](#add-password)      | `/v1/users/password` | Add a new password          |
-| [DELETE](#delete-password) | `/v1/users/password` | Delete a password           |
+| [PUT](#update-password)    | `/v1/users/password` | Replace the password of the authenticated user |
+| [POST](#add-password)      | `/v1/users/password` | Add a new password for the authenticated user |
+| [DELETE](#delete-password) | `/v1/users/password` | Delete a password for the authenticated user |
 
 ## Update password {#update-password}
     
     PUT /v1/users/password
     
-Reset the password list of an internal user to include a new password.
+Replaces the password list of the user making this request with a single new password. The request authentication header must include the relevant username and password.
 
 ### Request {#put-request}
 
@@ -34,8 +34,6 @@ Reset the password list of an internal user to include a new password.
 
   ```json
   {
-      "username": "johnsmith",
-      "old_password": "a password that exists in the current list",
       "new_password": "the new (single) password"
   }
   ```
@@ -48,12 +46,10 @@ Reset the password list of an internal user to include a new password.
 
 #### Request body
 
-The request must contain a single JSON object with the following fields:
+The request must contain a JSON object with the following fields:
 
 | Field | Type | Description |
 |-------|------|-------------|
-| username     | string | Affected user (required) |
-| old_password | string | A password that exists in the current list (required) |
 | new_password | string | The new password (required) |
 
 ### Response {#put-response}
@@ -75,16 +71,15 @@ The following are possible `error_code` values:
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | Success, password changed |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | Bad or missing parameters. |
-| [401 Unauthorized](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) | The user is unauthorized. |
-| [404 Not Found](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5) | Attempting to reset password to a non-existing user. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, password changed. |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters. |
+| [401 Unauthorized](https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized) | The user is unauthorized. |
 
 ## Add password {#add-password}
 
     POST /v1/users/password
 
-Add a new password to an internal user's passwords list.
+Adds a new password to the password list of the user making this request. The request authentication header must include the relevant username and password.
 
 ### Request {#post-request}
 
@@ -96,8 +91,6 @@ Add a new password to an internal user's passwords list.
 
   ```json
   {
-      "username": "johnsmith",
-      "old_password": "an existing password",
       "new_password": "a password to add"
   }
   ```
@@ -110,13 +103,11 @@ Add a new password to an internal user's passwords list.
 
 #### Request body
 
-The request must contain a single JSON object with the following fields:
+The request must contain a JSON object with the following fields:
 
 | Field | Type | Description |
 |-------|------|-------------|
-| username     | string | Affected user (required) |
-| old_password | string | A password that exists in the current list (required) |
-| new_password | string | The new (single) password (required) |
+| new_password | string | New password to add (required) |
 
 ### Response {#post-response}
 
@@ -137,15 +128,15 @@ The following are possible `error_code` values:
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | Success, new password was added to the list of valid passwords. |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | Bad or missing parameters. |
-| [401 Unauthorized](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) | The user is unauthorized. |
-| [404 Not Found](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5) | Attempting to add a password to a non-existing user. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, new password was added to the list of valid passwords. |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters. |
+| [401 Unauthorized](https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized) | The user is unauthorized. |
 
 ## Delete password {#delete-password}
+
     DELETE /v1/users/password
 
-Delete a password from an internal user's passwords list.
+Deletes a password from the password list of the user making this request. The request authentication header must include the relevant username and password.
 
 ### Request {#delete-request}
 
@@ -157,7 +148,6 @@ Delete a password from an internal user's passwords list.
 
   ```json
   {
-      "username": "johnsmith",
       "old_password": "an existing password"
   }
   ```
@@ -170,11 +160,10 @@ Delete a password from an internal user's passwords list.
 
 #### Request body
 
-The request must contain a single JSON with the following fields:
+The request must contain a JSON object with the following fields:
 
 | Field | Type | Description |
 |-------|------|-------------|
-| username | string | Affected user (required) |
 | old_password | string | Existing password to be deleted (required) |
 
 ### Response {#delete-response}
@@ -193,7 +182,6 @@ The following are possible `error_code` values:
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | Success, new password was deleted from the list of valid passwords. |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | Bad or missing parameters. |
-| [401 Unauthorized](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) | The user is unauthorized. |
-| [404 Not Found](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5) | Attempting to delete a password to a non-existing user. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, new password was deleted from the list of valid passwords. |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters. |
+| [401 Unauthorized](https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized) | The user is unauthorized. |
diff --git a/content/operate/rs/7.8/security/access-control/manage-passwords/rotate-passwords.md b/content/operate/rs/7.8/security/access-control/manage-passwords/rotate-passwords.md
@@ -14,7 +14,7 @@ url: '/operate/rs/7.8/security/access-control/manage-passwords/rotate-passwords/
 
 Redis Enterprise Software lets you implement password rotation policies using the [REST API]({{< relref "/operate/rs/7.8/references/rest-api" >}}).
 
-You can add a new password for a database user without immediately invalidating the old one (which might cause authentication errors in production).
+You can add a new password for a database user without immediately invalidating the old one to prevent possible authentication errors in production.
 
 {{< note >}}
 Password rotation does not work for the default user. [Add additional users]({{< relref "/operate/rs/7.8/security/access-control/create-users" >}}) to enable password rotation.
@@ -28,7 +28,7 @@ you can set a [password expiration policy]({{< relref "/operate/rs/7.8/security/
 However, for database connections that rely on password authentication,
 you need to allow for authentication with the existing password while you roll out the new password to your systems.
 
-With the Redis Enterprise Software REST API, you can add additional passwords to a user account for authentication to the database or the Cluster Manager UI and API.
+With the Redis Enterprise Software REST API, you can add additional passwords to your user account for authentication to the database or the Cluster Manager UI and API.
 
 After the old password is replaced in the database connections, you can delete the old password to finish the password rotation process.
 
@@ -42,13 +42,13 @@ The new password cannot already exist as a password for the user and must meet t
 
 ## Rotate password
 
-To rotate the password of a user account:
+To rotate your password:
 
-1. Add an additional password to a user account with [`POST /v1/users/password`]({{< relref "/operate/rs/7.8/references/rest-api/requests/users/password#add-password" >}}):
+1. Add an additional password to your password list with [`POST /v1/users/password`]({{< relref "/operate/rs/7.8/references/rest-api/requests/users/password#add-password" >}}). You must provide the relevant username and current password for [basic authentication]({{<relref "/operate/rs/7.8/references/rest-api#authentication">}}) credentials when you send the request.
 
     ```sh
-    POST https://[host][:port]/v1/users/password
-         '{"username":"<username>", "old_password":"<an_existing_password>", "new_password":"<a_new_password>"}'
+    POST https://<host>:<port>/v1/users/password
+    { "new_password": "<a_new_password>" }
     ```
 
     After you send this request, you can authenticate with both the old and the new password.
@@ -57,26 +57,22 @@ To rotate the password of a user account:
 1. Delete the original password with [`DELETE /v1/users/password`]({{< relref "/operate/rs/7.8/references/rest-api/requests/users/password#update-password" >}}):
 
     ```sh
-    DELETE https://[host][:port]/v1/users/password
-           '{"username":"<username>", "old_password":"<an_existing_password>"}'
+    DELETE https://<host>:<port>/v1/users/password
+    { "old_password": "<an_existing_password>" }
     ```
 
     If there is only one valid password for a user account, you cannot delete that password.
 
 ## Replace all passwords
 
-You can also replace all existing passwords for a user account with a single password that does not match any existing passwords.
+You can also replace all existing passwords for your user account with a single password that does not match any existing passwords.
 This can be helpful if you suspect that your passwords are compromised and you want to quickly resecure the account.
 
-To replace all existing passwords for a user account with a single new password, use [`PUT /v1/users/password`]({{< relref "/operate/rs/7.8/references/rest-api/requests/users/password#delete-password" >}}):
+To replace your passwords, use [`PUT /v1/users/password`]({{< relref "/operate/rs/7.8/references/rest-api/requests/users/password#delete-password" >}}). You must provide the relevant username and current password for [basic authentication]({{<relref "/operate/rs/7.8/references/rest-api#authentication">}}) credentials when you send the request.
 
 ```sh
-PUT https://[host][:port]/v1/users/password
-    '{"username":"<username>", "old_password":"<an_existing_password>", "new_password":"<a_new_password>"}'
+PUT https://<host>:<port>/v1/users/password
+{ "new_password": "<a_new_password>" }
 ```
 
-All of the existing passwords are deleted and only the new password is valid.
-
-{{<note>}}
-If you send the above request without specifying it is a `PUT` request, the new password is added to the list of existing passwords.
-{{</note>}}
+After this request, all of your existing passwords are deleted and only the new password is valid.
diff --git a/content/operate/rs/references/rest-api/requests/users/password.md b/content/operate/rs/references/rest-api/requests/users/password.md
@@ -21,7 +21,7 @@ weight: $weight
     
     PUT /v1/users/password
     
-Replaces the password list of the user making this request with a single new password.
+Replaces the password list of the user making this request with a single new password. The request authentication header must include the relevant username and password.
 
 ### Request {#put-request}
 
@@ -78,7 +78,7 @@ The following are possible `error_code` values:
 
     POST /v1/users/password
 
-Adds a new password to the password list of the user making this request.
+Adds a new password to the password list of the user making this request. The request authentication header must include the relevant username and password.
 
 ### Request {#post-request}
 
@@ -135,7 +135,7 @@ The following are possible `error_code` values:
 
     DELETE /v1/users/password
 
-Deletes a password from the password list of the user making this request.
+Deletes a password from the password list of the user making this request. The request authentication header must include the relevant username and password.
 
 ### Request {#delete-request}
 
