I want to make a reset password feature on a Kuzzle stack but I don't know where to put extra data (like a token for reset password) in the user document.
Furthermore, the user should not be able to change the data itself.
Should I use security.updateUser endpoint and prevent user access with a hook or a pipe ?
Yes you can use the security.updateUser endpoint to add extra data to your user.
What you can do to prevent the user itself to change his data is either create a role which forbid access to the controller security and action updateUser (see https://docs.kuzzle.io/guide/1/essentials/security) or make a pipe plugin on before:updateUser which will remove the extra data from the query if present (see https://docs.kuzzle.io/plugins/1/essentials/pipes)
Full disclosure: I work at Kuzzle
