Implement POST /api/auth/request-password-reset Endpoint #22

Closed
opened 2025-10-17 22:48:59 +00:00 by Rodrigo2003-PT · 1 comment
Rodrigo2003-PT commented 2025-10-17 22:48:59 +00:00 (Migrated from github.com)

Allows a user to initiate the password reset process by providing their email.

Tasks:

  • Create the route for POST /api/auth/request-password-reset.
  • Expect email in the request body.
  • Security: To prevent user enumeration attacks, this endpoint must always return a 200 OK response, regardless of whether the email exists in the database.
  • If the user exists:
    • Generate a cryptographically secure, URL-safe token (e.g., secrets.token_urlsafe()).
    • Hash the token and store its hash in the password_reset_tokens table with a 1-hour expiry.
    • Trigger the send_password_reset_email service with the user's email and the plaintext token.
Allows a user to initiate the password reset process by providing their email. ### Tasks: - Create the route for `POST /api/auth/request-password-reset`. - Expect `email` in the request body. - **Security:** To prevent user enumeration attacks, this endpoint must *always* return a `200 OK` response, regardless of whether the email exists in the database. - *If* the user exists: - Generate a cryptographically secure, URL-safe token (e.g., `secrets.token_urlsafe()`). - Hash the token and store its hash in the `password_reset_tokens` table with a 1-hour expiry. - Trigger the `send_password_reset_email` service with the user's email and the *plaintext* token.
Cordeir01 commented 2025-10-23 15:56:49 +00:00 (Migrated from github.com)

No need for password reset service because the credentials management will be centralized.

No need for password reset service because the credentials management will be centralized.
Sign in to join this conversation.
No description provided.