Implementing custom password reset flow with MongoDB Realm and third-party email provider

Hi everyone,

I’m working on a project that uses MongoDB Realm for authentication, and I’ve encountered a need to customize the password reset flow more than what’s provided out of the box. Specifically, I want to intercept the password reset token and tokenId generated by MongoDB Realm, so I can send a custom password reset email using a third-party service like SendGrid. This approach is intended to allow for a more branded and controlled user experience, particularly around the password reset emails and landing page.

The default behavior in MongoDB Realm sends the password reset email directly to the user, including a link with the token and tokenId as parameters. However, for our use case, we need to construct and send this email ourselves, customizing both the content and the URL to which the user is directed for resetting their password.

Here’s what I’m aiming to achieve:

  1. Trigger a password reset in MongoDB Realm without automatically sending the email.
  2. Capture the password reset token and tokenId that MongoDB Realm generates.
  3. Use these tokens to construct a custom email with a password reset link, sending it through SendGrid.
  4. Direct the user to our custom reset page, which captures the new password and uses the tokens to complete the reset process securely.

I understand this involves handling sensitive information securely and ensuring a seamless user experience. If anyone has tackled a similar challenge or has insights into how to securely intercept or generate these tokens within MongoDB Realm’s framework, your advice would be greatly appreciated. Additionally, any tips on using the Realm Admin API for this purpose or examples of custom functions that could facilitate this process would be incredibly helpful.

Thank you in advance for your help and suggestions!
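
The four steps listed in the post, sketched as an added example (not part of the original post and not MongoDB's or SendGrid's own code). It assumes the app's Email/Password provider is set to run a password reset function, which receives `token`, `tokenId` and `username`; the reset page URL, sender address and the `sendgridApiKey` Value name are placeholders, and `ctx` stands for the function runtime's `context` global.

```javascript
// Added example; names marked (assumed) are not from the original post.
const RESET_PAGE = "https://app.example.com/reset-password"; // (assumed) placeholder
const MAIL_FROM = "no-reply@example.com"; // (assumed) placeholder sender

// Step 3: build the link. Token values are URL-encoded and never logged.
function buildResetLink(token, tokenId, base = RESET_PAGE) {
  if (!base.startsWith("https://")) throw new Error("reset page must use HTTPS");
  if (!token || !tokenId) throw new Error("missing token or tokenId");
  return `${base}?token=${encodeURIComponent(token)}&tokenId=${encodeURIComponent(tokenId)}`;
}

// Request for SendGrid's v3 Mail Send endpoint, in the argument shape
// that context.http.post() takes (header values are string arrays).
function buildSendGridRequest(to, link, apiKey) {
  return {
    url: "https://api.sendgrid.com/v3/mail/send",
    headers: {
      Authorization: [`Bearer ${apiKey}`],
      "Content-Type": ["application/json"],
    },
    body: {
      personalizations: [{ to: [{ email: to }] }],
      from: { email: MAIL_FROM },
      subject: "Reset your password",
      content: [{ type: "text/plain", value: `Choose a new password: ${link}` }],
    },
    encodeBodyAsJSON: true,
  };
}

// Steps 1-2: the reset function is handed token and tokenId instead of
// the built-in email being sent. The API key comes from a Value backed
// by a Secret, never from source code.
async function resetHandler({ token, tokenId, username }, ctx) {
  const apiKey = ctx.values.get("sendgridApiKey"); // (assumed) Value name
  const link = buildResetLink(token, tokenId);
  const res = await ctx.http.post(buildSendGridRequest(username, link, apiKey));
  // "pending" leaves the password unchanged until the reset page confirms
  // with token + tokenId (step 4); "fail" aborts. SendGrid answers 202.
  return { status: res.statusCode === 202 ? "pending" : "fail" };
}

// In the App Services function editor (not run here):
//   exports = (args) => resetHandler(args, context);
```

On the client, the SDK's `callResetPasswordFunction` starts the flow, and the custom reset page finishes it by passing `token`, `tokenId` and the new password to `resetPassword`.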