Forgot Password Flow — Super Agent, Agent, Shop
This document describes the forgot password flow for three portals:
| Portal | Role |
|---|---|
| Super Agent Portal | Super Agent |
| Agent Portal | Agent |
| Shop Portal | Shop |
All three portals use the same password reset flow. The differences are the entry point and the account role validated for each portal.
Main Flow
User opens the Login screen
│
▼
Click "Forgot Password"
│
▼
Enter registered email / phone
│
▼
Click "Get OTP"
│
▼
System checks whether the account exists and matches the portal role
│
├── Invalid → show an error and do not send OTP
│
▼
System sends OTP to the account email / phone
│
▼
User enters OTP + New Password + Confirm Password
│
▼
Click "Confirm"
│
▼
System checks OTP and validates the password
│
├── Incorrect / expired OTP → show an error
├── Invalid password → show an error
├── Confirm Password mismatch → show an error
│
▼
System resets the password
│
▼
User is redirected to Login and signs in with the new password
Step Detail
1. Forgot Password
The user is on the Login screen of the corresponding portal:
| Role | Entry point |
|---|---|
| Super Agent | Super Agent Portal Login |
| Agent | Agent Portal Login |
| Shop | Shop Portal Login |
The user clicks Forgot Password to open the password reset screen.
2. Get OTP
The user enters account identification information, for example:
- Phone number
Then the user clicks Get OTP.
The system must check:
| Check | Expected behavior |
|---|---|
| Account exists | Allow sending OTP |
| Account role matches the portal | Allow sending OTP |
| Account does not exist | Do not send OTP, show an error |
| Account role does not match the portal | Do not send OTP, show an error |
| Account is disabled / inactive | Do not send OTP, show an error |
The Super Agent Portal only resets passwords for Super Agent accounts. The Agent Portal only resets passwords for Agent accounts. The Shop Portal only resets passwords for Shop accounts.
3. Input OTP And New Password
After receiving the OTP, the user enters:
| Field | Required | Validation |
|---|---|---|
| OTP | Yes | OTP must be correct and not expired |
| New Password | Yes | Must satisfy the current system password rules |
| Confirm Password | Yes | Must match New Password |
4. Confirm Reset
The user clicks Confirm.
The system performs the following steps:
- Check OTP.
- Check that OTP is still valid.
- Validate New Password.
- Validate Confirm Password.
- Reset the account password.
- Invalidate the OTP after a successful reset.
- Redirect the user to the Login screen.
Role Flows
Super Agent Forgot Password
Super Agent Login
│
▼
Forgot Password
│
▼
Get OTP using the Super Agent email / phone
│
▼
Input OTP + New Password + Confirm Password
│
▼
Confirm
│
▼
Reset password for the Super Agent account
Agent Forgot Password
Agent Login
│
▼
Forgot Password
│
▼
Get OTP using the Agent email / phone
│
▼
Input OTP + New Password + Confirm Password
│
▼
Confirm
│
▼
Reset password for the Agent account
Shop Forgot Password
Shop Login
│
▼
Forgot Password
│
▼
Get OTP using the Shop email / phone
│
▼
Input OTP + New Password + Confirm Password
│
▼
Confirm
│
▼
Reset password for the Shop account
Error Cases
| Case | Expected message / behavior |
|---|---|
| Account not found | Do not send OTP; show that the account does not exist or the information is invalid |
| Wrong portal role | Do not send OTP; show invalid information |
| Account inactive | Do not send OTP; ask the user to contact an admin / manager |
| OTP incorrect | Do not reset the password; allow the user to enter OTP again |
| OTP expired | Do not reset the password; ask the user to get a new OTP |
| Password too weak | Do not reset the password; show the password rules |
| Confirm Password mismatch | Do not reset the password; ask the user to enter Confirm Password again |
| OTP already used | Do not reset the password; ask the user to get a new OTP |
Success Criteria
Password reset succeeds when:
- The account exists.
- The account role matches the portal being used.
- OTP is correct and still valid.
- New Password is valid.
- Confirm Password matches New Password.
- The new password is saved successfully.
- The used OTP cannot be reused.
- The user can sign in with the new password.