Skip to content

Feature/forgot and reset password flow #1551

Open
Ankit9997verma wants to merge 4 commits into
aryandas2911:mainfrom
Ankit9997verma:feature/forgot-password-flow
Open

Feature/forgot and reset password flow #1551
Ankit9997verma wants to merge 4 commits into
aryandas2911:mainfrom
Ankit9997verma:feature/forgot-password-flow

Conversation

@Ankit9997verma

Copy link
Copy Markdown
Contributor

📌 Description

This PR implements the Forgot Password and Reset Password flows to allow users to securely recover their accounts.

On requesting a password reset, a secure, short-lived (1-hour expiry) token is generated on the backend and hashed via SHA-256 before database storage. The raw token is sent to the user's email via a custom Nodemailer SMTP transporter. The user can then navigate to the reset page using the emailed link, specify a new password that conforms to security criteria (8+ chars, uppercase, digit, special symbol), and submit it to reset their credentials.

🔗 Related Issue

Closes #1526

🛠 Changes Made

🖥️ Backend

  • User Model (backend/src/models/User.js):
    • Added resetPasswordToken (String) and resetPasswordExpires (Date) schema fields to track password reset states.
  • Auth Routes (backend/routes/authRoutes.js):
    • Registered public POST endpoints: /api/auth/forgot-password and /api/auth/reset-password.
  • Auth Controller (backend/controllers/authController.js):
    • forgotPassword:
      • Verifies the user email.
      • Generates a cryptographically secure 32-byte hex token (crypto.randomBytes(32)).
      • Hashes the token using SHA-256 and saves it along with an expiration time of 1 hour.
      • Dispatches an email containing the reset link to the user's registered email.
      • Returns a generic status message to prevent email enumeration vulnerabilities.
    • resetPassword:
      • Validates password complexity constraints (minimum 8 characters, at least 1 uppercase letter, 1 digit, and 1 special character).
      • Matches the SHA-256 hash of the incoming token.
      • Verifies token validity and expiration.
      • Hashes the new password using bcrypt (salt rounds: 10) and clears token fields.
  • Mailer Configuration (backend/utils/mail.js):
    • Configured Nodemailer with dynamic SMTP environment variables (SMTP_HOST, SMTP_PORT, SMTP_SECURE, SMTP_USER, and SMTP_PASS).
    • Added sendEmail wrapper method.
  • Environment Example (backend/.env.example):
    • Documented necessary SMTP variables and setup steps for Google App Passwords.

🎨 Frontend

  • Routing (frontend/src/App.jsx):
    • Registered /forgot-password and /reset-password routes under the public routes collection.
    • Restructured routes into an <AnimatedRoutes /> wrapper.
  • Login Screen (frontend/src/pages/Login.jsx):
    • Embedded a "Forgot password?" helper link navigating to /forgot-password.
  • Forgot Password Page (frontend/src/pages/ForgotPassword.jsx):
    • Created a sleek dark-themed interface with interactive 3D hover effects (utilizing mouse moves to skew perspective).
    • Handles email validation and form submission to send the reset link.
  • Reset Password Page (frontend/src/pages/ResetPassword.jsx):
    • Extracts the token from query parameters.
    • Form validations and submission of the new password.
    • Automatically redirects users back to /login upon success.
  • ScrollToTop (frontend/src/components/ScrollToTop.jsx):
    • Fixed a duplicated className attribute syntax warning.

📸 Screenshots (if applicable)

image image image image

✅ Checklist

  • Code runs locally
  • Followed project structure
  • No console errors
  • Properly tested changes
  • Linked the issue

🚀 Notes for Reviewers

  • Environment variables for SMTP must be defined in the backend .env to test email sending locally (a guide is provided in the updated backend/.env.example).
  • Password validation uses a strict regex to enforce strong user passwords.
  • The reset token is hashed before storing it in the database to prevent database-compromise token reuse.

@aryandas2911

Copy link
Copy Markdown
Owner

resolve conflicts

@Ankit9997verma

Copy link
Copy Markdown
Contributor Author

hello @aryandas2911 ,
Conflicts have been resolved and all CI checks are passing. Could you please re-review and approve the PR?
just let me know if there is any issue ...

@Ankit9997verma

Ankit9997verma commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

@aryandas2911 can you please review it .

@Ankit9997verma Ankit9997verma force-pushed the feature/forgot-password-flow branch from 831606c to 4bd4d85 Compare June 23, 2026 08:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feature: implement forgot password and reset password flows

2 participants