Hi Alex,
No, the issues are still there. The blacklisting exist on change passwords requests, sending in X-DreamFactory-Session-Token, X-DreamFactory-Api-Ke, Content-Type 'old_password' and 'new_password' will instantly blacklist the token. However, when I send this though Postman, it works.
And sending in a password reset POST with 'email', 'code', and 'new_password' (without session). This works the first time, and sometimes a couple of times, but it will always get blacklisted in the end which basically makes the user password "locked". No one can change it after the token has been blacklisted, not even from the admin panel. However, the user can still log in with the old password. Since it works the first time(s) with a user, and using the exact same code to do it multiple times, I'm pretty sure this is a bug within Dreamfactory that needs to be investigated. Both the password reset and password changes are done in the browser using React and Superagent for making the API calls. I have tried swapping out Superagent for Axios and Fetch, and still getting the same results. I have logged everything to the console to validate every field of data and I'm sending in the same data as with Postman. At least those three header properties and the body. Since it works in Postman, there has to be some issues with how Dreamfactory handles API calls from browsers. I can also see that you have no code examples for resetting or changing passwords in your repos. Have you got any working code samples that handle both password reset and password change from a browser based application, preferably React?