feat: implement password management system (#314) #460

Merged
devEunicee merged 2 commits into devEunicee:main from elenajoyce:feature/314-password-management on Jul 1, 2026

Conversation

@elenajoyce

Contributor

Summary

Implements a secure password management system with hashing, reset flows, and strength enforcement.

Changes

  • Migration 0005_password_management.sql: user_credentials, password_history, password_reset_tokens, password_reset_attempts
  • api/src/services/passwordManager.js:
    • bcrypt hashing at cost factor 12
    • validateStrength() — 12+ chars, uppercase, lowercase, digit, special char
    • isPasswordReused() / recordPasswordHistory() — prevents reuse of last 5 passwords
    • generateResetToken() — 32-byte secure random, only SHA-256 hash stored
    • validateResetToken() / consumeResetToken() — 30-minute expiry, single-use
    • checkResetRateLimit() — max 5 reset attempts per identifier per hour
  • api/src/routes/auth.js: POST /reset-request, /reset, /change
  • api/src/server.js — registers /api/auth/password router

Acceptance criteria

  • Bcrypt/Argon2 password hashing (bcrypt, 12 rounds)
  • Password strength requirements (12+ chars, complexity)
  • Password reset via email token
  • Token expiration (30 minutes)
  • Password history (prevent reuse of last 5)
  • Session invalidation on reset
  • Secure reset link generation
  • Rate limiting on reset attempts

Closes #314

- Migration 0005: user_credentials, password_history, password_reset_tokens,
  password_reset_attempts tables
- passwordManager.js: bcrypt hashing (12 rounds), strength validation (12+
  chars, upper/lower/digit/special), password history check (last 5),
  secure reset tokens (SHA-256 stored, raw sent via email), 30-min expiry,
  rate limiting (5 attempts / hour per identifier)
- auth.js routes: POST /reset-request, /reset, /change
- Session invalidation on reset (callers drop active sessions)
- User enumeration prevented on reset-request (always 202)

Closes devEunicee#314
drips-wave Bot commented Jun 29, 2026

@elenajoyce Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@devEunicee devEunicee merged commit 70b277a into devEunicee:main Jul 1, 2026
2 of 14 checks passed

Development

Successfully merging this pull request may close these issues.

#314 - Create Password Management System

2 participants