In this guide, you’ll learn how to reset a user’s password in the Prowler App using the REST API and an admin account. This is useful when a user forgets their password and the GUI does not provide a reset option.
📌 Overview
Prowler’s API allows password updates through the /users/{id} endpoint. However, in most cases, changing a password requires authentication with the user’s current credentials. This guide demonstrates how an admin account can bypass that requirement and reset passwords for any user.
⸻
⚠️ Prerequisites
Before using the script:
• You must have an admin account with a valid email and password.
• You must know the email address of the user whose password needs to be reset.
• The Prowler API must be accessible via HTTP or HTTPS (adjust the base URL accordingly).
⸻
🧩 How the Script Works
1. Authenticate as an admin using your email and password to retrieve an access token.
2. Fetch all users from the system.
3. Match the user email to find the target user’s ID.
4. Send a PATCH request to update the user’s password using the admin’s access token.
⸻
```python
import json
import sys

import requests
import urllib3

# Disable SSL verification warnings (for dev/test environments only)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# === Configuration ===
apiBaseUrl = "http://localhost:8080/api/v1"  # Replace with your actual API endpoint
adminEmail = "admin@example.com"  # Admin account email
adminPassword = "ADMIN_PASSWORD"  # Admin account password
targetUserEmail = "user-to-reset@example.com"  # Target user's email
newUserPassword = "NEW_PASSWORD"  # New password to set

# === Step 1: Get Token as Admin ===
# JSON:API request body: the API expects a "tokens" resource with the credentials as attributes
apiTokenEndpoint = f"{apiBaseUrl}/tokens"
tokenPayload = json.dumps({
    "data": {
        "type": "tokens",
        "attributes": {
            "email": adminEmail,
            "password": adminPassword
        }
    }
})
headers = {
    'Content-Type': 'application/vnd.api+json',
    'Accept': 'application/vnd.api+json'
}
response = requests.post(apiTokenEndpoint, headers=headers, data=tokenPayload, verify=False)
response.raise_for_status()
token = response.json()['data']['attributes']['access']

# === Step 2: Get All Users and Locate Target User ===
# Only the email attribute is requested; the admin token authorizes the listing
apiUsersEndpoint = f"{apiBaseUrl}/users?fields[users]=email"
headers['Authorization'] = f"Bearer {token}"
response = requests.get(apiUsersEndpoint, headers=headers, verify=False)
response.raise_for_status()
users = response.json()['data']

targetUserId = None
for user in users:
    if user['attributes']['email'].lower() == targetUserEmail.lower():
        targetUserId = user['id']
        break

if not targetUserId:
    print(f"❌ User with email {targetUserEmail} not found.")
    sys.exit(1)

# === Step 3: Reset the User's Password ===
# PATCH the user resource with only the password attribute; the id must match the URL
apiTargetUserEndpoint = f"{apiBaseUrl}/users/{targetUserId}"
userPayload = json.dumps({
    "data": {
        "type": "users",
        "id": targetUserId,
        "attributes": {
            "password": newUserPassword
        }
    }
})
response = requests.patch(apiTargetUserEndpoint, headers=headers, data=userPayload, verify=False)

# === Output Result ===
if response.status_code == 200:
    print(f"✅ Password reset for {targetUserEmail} successfully.")
else:
    print(f"❌ Failed to reset password. Status: {response.status_code}")
    print(response.text)
```
🛡️ Security Notes
• Do not use verify=False in production environments. Always validate SSL certificates.
• Make sure the adminPassword and newUserPassword are stored securely (consider using environment variables or secrets management).
• Always log access to sensitive operations like password resets.
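The following is an added example, not part of the original post or of Prowler's own code, showing one way to apply the three notes above to the same reset flow: credentials come from environment variables instead of hard-coded strings, certificate verification stays on (optionally with a custom CA bundle), and each reset produces a structured audit record that never contains the password. The PROWLER_* variable names, the audit_event() helper and the reset_password() wrapper are this example's own assumptions; the endpoints and JSON:API payloads are the ones the script above uses.

```python
# Added example (not from the original post): a hardened variant of the reset flow.
# Assumed names: PROWLER_* environment variables, audit_event(), reset_password().
import json
import logging
import os
import sys
from typing import Optional

import requests

log = logging.getLogger("prowler-password-reset")


def load_config(env=os.environ) -> dict:
    """Read settings from environment variables instead of hard-coding secrets.

    Required: PROWLER_API_URL, PROWLER_ADMIN_EMAIL, PROWLER_ADMIN_PASSWORD,
    PROWLER_TARGET_EMAIL, PROWLER_NEW_PASSWORD.
    Optional: PROWLER_CA_BUNDLE, a path to a CA file; verification is always on.
    """
    required = ["PROWLER_API_URL", "PROWLER_ADMIN_EMAIL", "PROWLER_ADMIN_PASSWORD",
                "PROWLER_TARGET_EMAIL", "PROWLER_NEW_PASSWORD"]
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise ValueError(f"missing environment variables: {', '.join(missing)}")
    return {
        "base_url": env["PROWLER_API_URL"].rstrip("/"),
        "admin_email": env["PROWLER_ADMIN_EMAIL"],
        "admin_password": env["PROWLER_ADMIN_PASSWORD"],
        "target_email": env["PROWLER_TARGET_EMAIL"],
        "new_password": env["PROWLER_NEW_PASSWORD"],
        # True = system trust store; a path = that CA bundle. Never False.
        "verify": env.get("PROWLER_CA_BUNDLE") or True,
    }


def build_session(verify) -> requests.Session:
    """A Session carrying the JSON:API headers with TLS verification enabled."""
    s = requests.Session()
    s.verify = verify
    s.headers.update({"Content-Type": "application/vnd.api+json",
                      "Accept": "application/vnd.api+json"})
    return s


def token_payload(email: str, password: str) -> str:
    return json.dumps({"data": {"type": "tokens",
                                "attributes": {"email": email, "password": password}}})


def password_payload(user_id: str, new_password: str) -> str:
    return json.dumps({"data": {"type": "users", "id": user_id,
                                "attributes": {"password": new_password}}})


def find_user_id(users: list, email: str) -> Optional[str]:
    """Case-insensitive match on the JSON:API 'users' resource list."""
    wanted = email.strip().lower()
    for user in users:
        if user.get("attributes", {}).get("email", "").lower() == wanted:
            return user["id"]
    return None


def audit_event(admin_email: str, target_email: str, outcome: str, status: int) -> dict:
    """Structured record of the sensitive operation; the password itself is never logged."""
    event = {"action": "password_reset", "actor": admin_email,
             "target": target_email, "outcome": outcome, "http_status": status}
    log.info(json.dumps(event))
    return event


def reset_password(cfg: dict) -> dict:
    """Token -> user lookup -> PATCH, returning the audit record of the result."""
    s = build_session(cfg["verify"])
    r = s.post(f"{cfg['base_url']}/tokens",
               data=token_payload(cfg["admin_email"], cfg["admin_password"]))
    r.raise_for_status()
    s.headers["Authorization"] = f"Bearer {r.json()['data']['attributes']['access']}"
    r = s.get(f"{cfg['base_url']}/users?fields[users]=email")
    r.raise_for_status()
    user_id = find_user_id(r.json()["data"], cfg["target_email"])
    if user_id is None:
        return audit_event(cfg["admin_email"], cfg["target_email"], "user_not_found", r.status_code)
    r = s.patch(f"{cfg['base_url']}/users/{user_id}",
                data=password_payload(user_id, cfg["new_password"]))
    outcome = "success" if r.status_code == 200 else "failed"
    return audit_event(cfg["admin_email"], cfg["target_email"], outcome, r.status_code)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    result = reset_password(load_config())
    sys.exit(0 if result["outcome"] == "success" else 1)
```

Run it with the PROWLER_* variables exported in the shell (or injected by a secrets manager); the audit line is written through the standard logging module, so it can be routed to a file or a SIEM with an ordinary handler configuration.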
✅ Final Output
If successful, the script prints:
✅ Password reset for user-to-reset@example.com successfully.
If the user is not found or another error occurs, a detailed error message will be printed.