RS: Fixed outdated password rotation and authorize user docs (#1564)

rrelledge · web-flow · commit cc9dfb11fb53 · 2025-05-16T16:04:15.000-05:00
* DOC-5248 RS: Fixed outdated password rotation docs * Added breaking changes for /users/password and /users/authorize APIs to 7.8 release notes * DOC-5248 Feedback update to add 401 status codes back to API reference * Updated 401 status code links * Fixed /users/authorize breaking change description * Removed redundant wording * Fixed /users/authorize breaking change description on 7.8 release notes index * Updated outdated /users/authorize REST API reference * Added ttl default, min, and max values to /users/authorize API reference * Fixed another error in /users/authorize breaking changes description
diff --git a/content/operate/rs/references/rest-api/requests/users/authorize.md b/content/operate/rs/references/rest-api/requests/users/authorize.md
@@ -13,13 +13,13 @@ weight: $weight
 
 | Method | Path | Description |
 |--------|------|-------------|
-| [POST](#post-authorize) | `/v1/users/authorize` | Authorize a user |
+| [POST](#post-authorize) | `/v1/users/authorize` | Generate a token to authorize an authenticated user |
 
 ## Authorize user {#post-authorize}
 
     POST /v1/users/authorize
 
-Generate a JSON Web Token (JWT) for a user to use as authorization to access the REST API.
+Generates a JSON Web Token (JWT) for a user to use as authorization to access the REST API. The request authentication header must include the relevant username and password.
 
 ### Request {#post-request}
 
@@ -29,12 +29,13 @@ Generate a JSON Web Token (JWT) for a user to use as authorization to access the
 
 #### Example JSON body
 
-  ```json
-  {
-      "username": "user@redislabs.com",
-      "password": "my_password"
-  }
-  ```
+The request body is optional unless you want to specify the token's time to live:
+
+```json
+{
+  "ttl": <time_in_seconds>
+}
+```
 
 #### Request headers
 | Key    | Value            | Description         |
@@ -44,19 +45,19 @@ Generate a JSON Web Token (JWT) for a user to use as authorization to access the
 
 #### Request body
 
-Include a [JWT authorize object]({{< relref "/operate/rs/references/rest-api/objects/jwt_authorize" >}}) with a valid username and password in the request body.
+Optionally include a JSON object in the request body to specify the time to live (`ttl`), which determines the amount of time in seconds the token will be valid. The default `ttl` is `300` seconds. The minimum `ttl` is `1` second and the maximum `ttl` is `86400` seconds.
 
 ### Response {#post-response}
 
 Returns a JSON object that contains the generated access token.
 
 #### Example JSON body
 
-  ```json
-  {
-      "access_token": "eyJ5bGciOiKIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXViOjE0NjU0NzU0ODYsInVpZFI1IjEiLCJleHAiOjE0NjU0Nz30OTZ9.2xYXumd1rDoE0edFzcLElMOHsshaqQk2HUNgdsUKxMU"
-  }
-  ```
+```json
+{
+  "access_token": "eyJ5bGciOiKIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXViOjE0NjU0..."
+}
+```
 
 ### Error codes {#post-error-codes}
 
@@ -72,6 +73,6 @@ The following are possible `error_code` values:
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | The user is authorized. |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | The request could not be understood by the server due to malformed syntax. |
-| [401 Unauthorized](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) | The user is unauthorized. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | The user is authorized. |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | The request could not be understood by the server due to malformed syntax. |
+| [401 Unauthorized](https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized) | The user is unauthorized. |
diff --git a/content/operate/rs/references/rest-api/requests/users/password.md b/content/operate/rs/references/rest-api/requests/users/password.md
@@ -13,15 +13,15 @@ weight: $weight
 
 | Method                     | Path                 | Description                 |
 |----------------------------|----------------------|-----------------------------|
-| [PUT](#update-password)    | `/v1/users/password` | Change an existing password |
-| [POST](#add-password)      | `/v1/users/password` | Add a new password          |
-| [DELETE](#delete-password) | `/v1/users/password` | Delete a password           |
+| [PUT](#update-password)    | `/v1/users/password` | Replace the password of the authenticated user |
+| [POST](#add-password)      | `/v1/users/password` | Add a new password for the authenticated user |
+| [DELETE](#delete-password) | `/v1/users/password` | Delete a password for the authenticated user |
 
 ## Update password {#update-password}
     
     PUT /v1/users/password
     
-Reset the password list of an internal user to include a new password.
+Replaces the password list of the user making this request with a single new password.
 
 ### Request {#put-request}
 
@@ -33,8 +33,6 @@ Reset the password list of an internal user to include a new password.
 
   ```json
   {
-      "username": "johnsmith",
-      "old_password": "a password that exists in the current list",
       "new_password": "the new (single) password"
   }
   ```
@@ -47,12 +45,10 @@ Reset the password list of an internal user to include a new password.
 
 #### Request body
 
-The request must contain a single JSON object with the following fields:
+The request must contain a JSON object with the following fields:
 
 | Field | Type | Description |
 |-------|------|-------------|
-| username     | string | Affected user (required) |
-| old_password | string | A password that exists in the current list (required) |
 | new_password | string | The new password (required) |
 
 ### Response {#put-response}
@@ -74,16 +70,15 @@ The following are possible `error_code` values:
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | Success, password changed |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | Bad or missing parameters. |
-| [401 Unauthorized](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) | The user is unauthorized. |
-| [404 Not Found](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5) | Attempting to reset password to a non-existing user. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, password changed. |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters. |
+| [401 Unauthorized](https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized) | The user is unauthorized. |
 
 ## Add password {#add-password}
 
     POST /v1/users/password
 
-Add a new password to an internal user's passwords list.
+Adds a new password to the password list of the user making this request.
 
 ### Request {#post-request}
 
@@ -95,8 +90,6 @@ Add a new password to an internal user's passwords list.
 
   ```json
   {
-      "username": "johnsmith",
-      "old_password": "an existing password",
       "new_password": "a password to add"
   }
   ```
@@ -109,13 +102,11 @@ Add a new password to an internal user's passwords list.
 
 #### Request body
 
-The request must contain a single JSON object with the following fields:
+The request must contain a JSON object with the following fields:
 
 | Field | Type | Description |
 |-------|------|-------------|
-| username     | string | Affected user (required) |
-| old_password | string | A password that exists in the current list (required) |
-| new_password | string | The new (single) password (required) |
+| new_password | string | New password to add (required) |
 
 ### Response {#post-response}
 
@@ -136,15 +127,15 @@ The following are possible `error_code` values:
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | Success, new password was added to the list of valid passwords. |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | Bad or missing parameters. |
-| [401 Unauthorized](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) | The user is unauthorized. |
-| [404 Not Found](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5) | Attempting to add a password to a non-existing user. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, new password was added to the list of valid passwords. |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters. |
+| [401 Unauthorized](https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized) | The user is unauthorized. |
 
 ## Delete password {#delete-password}
+
     DELETE /v1/users/password
 
-Delete a password from an internal user's passwords list.
+Deletes a password from the password list of the user making this request.
 
 ### Request {#delete-request}
 
@@ -156,7 +147,6 @@ Delete a password from an internal user's passwords list.
 
   ```json
   {
-      "username": "johnsmith",
       "old_password": "an existing password"
   }
   ```
@@ -169,11 +159,10 @@ Delete a password from an internal user's passwords list.
 
 #### Request body
 
-The request must contain a single JSON with the following fields:
+The request must contain a JSON object with the following fields:
 
 | Field | Type | Description |
 |-------|------|-------------|
-| username | string | Affected user (required) |
 | old_password | string | Existing password to be deleted (required) |
 
 ### Response {#delete-response}
@@ -192,7 +181,6 @@ The following are possible `error_code` values:
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | Success, new password was deleted from the list of valid passwords. |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | Bad or missing parameters. |
-| [401 Unauthorized](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) | The user is unauthorized. |
-| [404 Not Found](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5) | Attempting to delete a password to a non-existing user. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, new password was deleted from the list of valid passwords. |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters. |
+| [401 Unauthorized](https://www.rfc-editor.org/rfc/rfc9110.html#name-401-unauthorized) | The user is unauthorized. |
diff --git a/content/operate/rs/release-notes/rs-7-8-releases/_index.md b/content/operate/rs/release-notes/rs-7-8-releases/_index.md
@@ -65,6 +65,24 @@ Redis Software version 7.8.2 introduces the following breaking changes:
 
     - When you [upgrade a database]({{<relref "/operate/rs/references/rest-api/requests/bdbs/upgrade#post-bdbs-upgrade">}}) using the REST API, you can set `"latest_with_modules": false` in the request body to prevent module upgrades.
 
+- Authentication method changes for [`/v1/users/password`]({{<relref "/operate/rs/references/rest-api/requests/users/password">}}) REST API requests.
+
+    - `PUT`, `POST`, and `DELETE` methods require users to include their usernames and a current password in the authentication header to change their password lists. If the authentication header is not provided, the response status will be `401 Unauthorized`.
+
+    - `/v1/users/password` requests change the password list of the user who provides their credentials in the authorization header when sending the requests.
+
+    - `PUT` and `POST` requests will ignore `username` and `old_password` parameters provided in the request body.
+
+    - `DELETE` requests will ignore the `username` parameter provided in the request body.
+
+- Authentication method changes for [`POST /v1/users/authorize`]({{<relref "/operate/rs/references/rest-api/requests/users/authorize">}}) REST API requests.
+
+    - The `POST` method requires users to include their usernames and a current password in the authentication header to generate a JSON Web Token.
+
+    - `POST /v1/users/authorize` generates a token for the user who provides their credentials in the authorization header when sending the requests.
+
+    - `POST` requests will ignore `username` and `password` parameters provided in the request body.
+
 #### Redis database version 7.4 breaking changes {#redis-74-breaking-changes}
 
 When new major versions of Redis Community Edition change existing commands, upgrading your database to a new version can potentially break some functionality. Before you upgrade, read the provided list of breaking changes that affect Redis Software and update any applications that connect to your database to handle these changes.
diff --git a/content/operate/rs/release-notes/rs-7-8-releases/rs-7-8-2-34.md b/content/operate/rs/release-notes/rs-7-8-releases/rs-7-8-2-34.md
@@ -246,6 +246,24 @@ Redis Software version 7.8.2 introduces the following breaking changes:
 
     - When you [upgrade a database]({{<relref "/operate/rs/references/rest-api/requests/bdbs/upgrade#post-bdbs-upgrade">}}) using the REST API, you can set `"latest_with_modules": false` in the request body to prevent module upgrades.
 
+- Authentication method changes for [`/v1/users/password`]({{<relref "/operate/rs/references/rest-api/requests/users/password">}}) REST API requests.
+
+    - `PUT`, `POST`, and `DELETE` methods require users to include their usernames and a current password in the authentication header to change their password lists. If the authentication header is not provided, the response status will be `401 Unauthorized`.
+
+    - `/v1/users/password` requests change the password list of the user who provides their credentials in the authorization header when sending the requests.
+
+    - `PUT` and `POST` requests will ignore `username` and `old_password` parameters provided in the request body.
+
+    - `DELETE` requests will ignore the `username` parameter provided in the request body.
+
+- Authentication method changes for [`POST /v1/users/authorize`]({{<relref "/operate/rs/references/rest-api/requests/users/authorize">}}) REST API requests.
+
+    - The `POST` method requires users to include their usernames and a current password in the authentication header to generate a JSON Web Token.
+
+    - `POST /v1/users/authorize` generates a token for the user who provides their credentials in the authorization header when sending the requests.
+
+    - `POST` requests will ignore `username` and `password` parameters provided in the request body.
+
 ### Redis database version 7.4 breaking changes {#redis-74-breaking-changes}
 
 When new major versions of Redis Community Edition change existing commands, upgrading your database to a new version can potentially break some functionality. Before you upgrade, read the provided list of breaking changes that affect Redis Software and update any applications that connect to your database to handle these changes.
diff --git a/content/operate/rs/security/access-control/manage-passwords/rotate-passwords.md b/content/operate/rs/security/access-control/manage-passwords/rotate-passwords.md
@@ -13,7 +13,7 @@ weight: 70
 
 Redis Enterprise Software lets you implement password rotation policies using the [REST API]({{< relref "/operate/rs/references/rest-api" >}}).
 
-You can add a new password for a database user without immediately invalidating the old one (which might cause authentication errors in production).
+You can add a new password for a database user without immediately invalidating the old one to prevent possible authentication errors in production.
 
 {{< note >}}
 Password rotation does not work for the default user. [Add additional users]({{< relref "/operate/rs/security/access-control/create-users" >}}) to enable password rotation.
@@ -27,7 +27,7 @@ you can set a [password expiration policy]({{< relref "/operate/rs/security/acce
 However, for database connections that rely on password authentication,
 you need to allow for authentication with the existing password while you roll out the new password to your systems.
 
-With the Redis Enterprise Software REST API, you can add additional passwords to a user account for authentication to the database or the Cluster Manager UI and API.
+With the Redis Enterprise Software REST API, you can add additional passwords to your user account for authentication to the database or the Cluster Manager UI and API.
 
 After the old password is replaced in the database connections, you can delete the old password to finish the password rotation process.
 
@@ -41,13 +41,13 @@ The new password cannot already exist as a password for the user and must meet t
 
 ## Rotate password
 
-To rotate the password of a user account:
+To rotate your password:
 
-1. Add an additional password to a user account with [`POST /v1/users/password`]({{< relref "/operate/rs/references/rest-api/requests/users/password#add-password" >}}):
+1. Add an additional password to your password list with [`POST /v1/users/password`]({{< relref "/operate/rs/references/rest-api/requests/users/password#add-password" >}}). You must provide the relevant username and current password for [basic authentication]({{<relref "/operate/rs/references/rest-api#authentication">}}) credentials when you send the request.
 
     ```sh
-    POST https://[host][:port]/v1/users/password
-         '{"username":"<username>", "old_password":"<an_existing_password>", "new_password":"<a_new_password>"}'
+    POST https://<host>:<port>/v1/users/password
+    { "new_password": "<a_new_password>" }
     ```
 
     After you send this request, you can authenticate with both the old and the new password.
@@ -56,26 +56,22 @@ To rotate the password of a user account:
 1. Delete the original password with [`DELETE /v1/users/password`]({{< relref "/operate/rs/references/rest-api/requests/users/password#update-password" >}}):
 
     ```sh
-    DELETE https://[host][:port]/v1/users/password
-           '{"username":"<username>", "old_password":"<an_existing_password>"}'
+    DELETE https://<host>:<port>/v1/users/password
+    { "old_password": "<an_existing_password>" }
     ```
 
     If there is only one valid password for a user account, you cannot delete that password.
 
 ## Replace all passwords
 
-You can also replace all existing passwords for a user account with a single password that does not match any existing passwords.
+You can also replace all existing passwords for your user account with a single password that does not match any existing passwords.
 This can be helpful if you suspect that your passwords are compromised and you want to quickly resecure the account.
 
-To replace all existing passwords for a user account with a single new password, use [`PUT /v1/users/password`]({{< relref "/operate/rs/references/rest-api/requests/users/password#delete-password" >}}):
+To replace your passwords, use [`PUT /v1/users/password`]({{< relref "/operate/rs/references/rest-api/requests/users/password#delete-password" >}}). You must provide the relevant username and current password for [basic authentication]({{<relref "/operate/rs/references/rest-api#authentication">}}) credentials when you send the request.
 
 ```sh
-PUT https://[host][:port]/v1/users/password
-    '{"username":"<username>", "old_password":"<an_existing_password>", "new_password":"<a_new_password>"}'
+PUT https://<host>:<port>/v1/users/password
+{ "new_password": "<a_new_password>" }
 ```
 
-All of the existing passwords are deleted and only the new password is valid.
-
-{{<note>}}
-If you send the above request without specifying it is a `PUT` request, the new password is added to the list of existing passwords.
-{{</note>}}
+After this request, all of your existing passwords are deleted and only the new password is valid.
