I'm setting up custom account management for my Simperium app, based on the recommendation from the answer in Simperium - Can a user recover a forgotten password ..?, and referencing the API documentation.
This all in PHP, handling the form creation and submission.
I've created the curl request as follows, a format which I've already tested for password resets, using the "reset_password" url.
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_HTTPHEADER => array('X-Simperium-API-Key: <my_admin_API_key>'),
CURLOPT_POSTFIELDS => '{"username": "'.$username.'", "password" :"'.$password.'", "new_username":"'.$newusername.'"}',
CURLOPT_POST => TRUE,
CURLOPT_RETURNTRANSFER => TRUE,
CURLOPT_URL => 'https://auth.simperium.com/1/<my_app_id>/update/'
));
The problem I'm having, is that during testing, I've found that it will take any password I enter, and return:
{"status": "success"}
Further testing showed that the username was, in fact, changed.
I realize this isn't a "question", per se, but Simperium support seems to be most responsive to Stackoverflow posts.
When using the an API key with admin privileges, password is not needed. For inclusion in client apps, use a non-admin privileged API key - then password will be checked. The admin functionality is intended for use on your own servers where you are sure the key will not be leaked.