Can a user update their password using only a secret key, without providing the password?

And how can I get the role of the secret key?

A secret is the password-equivalent that is derived from a key or a token. Keys are for identity-less authentication, whereas tokens represent authenticated identities.

If you are using the secret for a key that has either the admin or server role, yes, you can change the password for an identity document in the database without knowing the current password.

If you authenticate with a token, you can use the CurrentIdentity function to determine which identity document has been authenticated. Whether you can change the identity document’s credentials depends on the ABAC role privileges.

There is no straightforward way to determine which role granted a specific privilege (as there might be one role that grants read privileges, and another that grants write privileges).

Typically, authenticated identities do not have access to roles to investigate the membership and privileges. If they did have access, they might use that information to attempt to gain privileges that they might not otherwise have.

For more information, see: Tokens | Fauna Documentation

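The two paths the answer describes, as an added FQL (v4) example that is not part of the original reply: an operator holding a server or admin key's secret resets a password by writing the identity document's `credentials`; a caller holding a token's secret uses `CurrentIdentity()` to learn which document it is, and an ABAC role restricts its write privilege to that one document. The collection name `users`, the index `users_by_email`, the role name `self_service_password` and the e-mail address are assumed values, not from the thread.

```fql
// Added example, not from the original post. Assumes a collection "users",
// an index "users_by_email" whose term is data.email, and a caller whose
// secret carries the role named in each step.

// 1) Secret of an admin or server key: reset the password without knowing
//    the current one, by overwriting the identity document's credentials.
Update(
  Select("ref", Get(Match(Index("users_by_email"), "alice@example.com"))),
  { credentials: { password: "new-password-set-by-operator" } }
)

// 2) Secret of a token: which identity document was authenticated?
//    Returns the document's Ref (e.g. Ref(Collection("users"), "<id>")).
CurrentIdentity()

// 3) ABAC role for token holders: membership is any "users" document,
//    but read and write are granted only on the caller's own document.
//    The write predicate receives (oldData, newData, ref).
CreateRole({
  name: "self_service_password",
  membership: [{ resource: Collection("users") }],
  privileges: [
    {
      resource: Collection("users"),
      actions: {
        read: Query(Lambda("ref", Equals(CurrentIdentity(), Var("ref")))),
        write: Query(
          Lambda(["oldData", "newData", "ref"],
                 Equals(CurrentIdentity(), Var("ref")))
        )
      }
    }
  ]
})

// 4) With a token whose identity is a "users" document and the role above,
//    the user changes their own credentials. The same Update aimed at any
//    other user's Ref fails the write predicate and is rejected.
Update(
  CurrentIdentity(),
  { credentials: { password: "user-chosen-new-password" } }
)
```

Steps 1 and 3 are run with a server or admin secret; steps 2 and 4 are run with the token's secret. The role predicate is what keeps a token from touching other documents, so the least-privilege check is to confirm that step 4 against a different Ref is denied before handing the role to real users.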