Feat :Feature password reset(Create Forgot Password Page & Integrate Password Reset Flow)[Issue #58]

[Rohanrathod7]

Password Reset Data Flow

---

Closes #58

⚠️⚠️⚠️ IMPORTANT: This PR is built on top of the Sign Up feature. ⚠️⚠️⚠️
Please review and merge PR #81 first.

🔐 Password Reset Implementation

Description

This PR implements the secure password reset flow, including:

• Backend: /forgot-password and /reset-password endpoints.
• Frontend: ForgotPassword and ResetPassword UI pages.
• Validation: Zod schemas for password complexity.
• Testing: Comprehensive Jest and Vitest suites.

Related PRs

• Depends on #PR_NUMBER (Sign Up Feature)

Process Flow Explained

Phase 1: Requesting a Reset Link (Forgot Password)

1. User Action: User enters their email in ForgotPassword.tsx and clicks "Send Reset Link".
2. API Call: Frontend calls forgotPassword(email) in auth.service.ts.
3. Endpoint: POST /api/v1/user/auth/forgot-password
4. Backend Logic (user.service.ts):
   • Find User: Checks if a user with that email exists.
   • Generate Token: Creates a random 32-byte hex string (token).
   • Hash Token: Creates a simple sha256 hash of that token.
   • Save to DB: Updates the user document with:
     • resetPasswordToken: The hashed version.
     • resetPasswordExpire: Expiration time (10 minutes).
   • Send Email: Sends an email containing the raw (unhashed) token in the link:
     http://localhost:5173/reset-password/${resetToken}

Security Note: We store the hash in the DB but send the raw token to the user. This ensures that if the DB is compromised, the attacker cannot generate valid reset links.

Phase 2: Resetting the Password

1. User Action: User clicks the link in their email.
2. Frontend Route: Opens ResetPassword.tsx. The token is extracted from the URL (useParams).
3. User Input: User enters and confirms their new password.
4. API Call: Frontend calls resetPassword(token, password) in auth.service.ts.
5. Endpoint: POST /api/v1/user/auth/reset-password/:token
6. Backend Logic (user.service.ts):
   • Hash Input Token: Hashes the token received from the URL using sha256.
   • Verify: Searches the database for a user where:
     • resetPasswordToken matches the hashed token.
     • resetPasswordExpire is greater than Date.now() (not expired).
   • Update:
     • Hashes the new password.
     • Updates password field.
     • Sets resetPasswordToken and resetPasswordExpire to null (consumes the token).
7. Response: Returns success, and frontend redirects user to Login.

---

🔑 Key Security Features

• Token Hashing: The reset token is never stored in plain text in the database.
• Expiration: Tokens are valid for only 10 minutes.
• Enumeration Protection: The "Forgot Password" endpoint always returns "success" (200 OK) even if the email doesn't exist, preventing attackers from checking which emails are registered.

Previous Screens

---- ### Updated Screens

[gemini-code-assist]

Summary of Changes

Hello @Rohanrathod7, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a robust and secure password reset system for the LocalMind application. It encompasses new user interfaces for initiating and completing password resets, corresponding backend API endpoints with strong validation, and critical security measures to protect user accounts. The changes are thoroughly tested and documented to ensure reliability and maintainability.

Highlights

• Password Reset Feature: Implemented a complete password reset flow, including 'Forgot Password' and 'Reset Password' functionalities on both the frontend and backend.
• Frontend UI & Logic: Introduced new React components for 'ForgotPassword' and 'ResetPassword' pages, integrated with new authentication services and client-side validation using Zod.
• Backend API Endpoints: Added /auth/forgot-password and /auth/reset-password/:token endpoints to handle password reset requests, token generation, and password updates.
• Enhanced Security: Incorporated secure practices such as hashing reset tokens before storing them in the database, setting a 10-minute expiration for tokens, and preventing email enumeration by always returning a success message for 'Forgot Password' requests.
• Comprehensive Testing: Expanded test coverage with new Jest tests for backend password validation, input edge cases, login, and password reset flows. Added Vitest tests for frontend components and Zod schemas.
• Dependency Updates & Utilities: Updated backend dependencies including bcrypt and added cors middleware. Introduced a new email utility for sending password reset links and several new scripts for testing email sending and API flows.
• Documentation: Added detailed Markdown documentation files (signup_dataflow.md and password_reset_dataflow.md) explaining the data flow and architecture of the authentication features.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive password reset feature, complete with backend endpoints, frontend UI, and extensive tests. The implementation demonstrates strong security practices, such as hashing the reset token and preventing email enumeration. The addition of detailed tests for validation and API flows is commendable. My review focuses on further improving security, error handling, and maintainability. Key suggestions include tightening the CORS policy for production, ensuring proper error propagation from the email service, and improving type safety by removing as any casts. Overall, this is a well-executed feature that significantly enhances the application's authentication capabilities.

[gemini-code-assist]

The current CORS configuration origin: true is too permissive for a production environment as it reflects any origin from the request header. This can pose a security risk. It's highly recommended to use a whitelist of allowed origins, which can be loaded from environment variables.

Suggested change

	app.use(cors({ origin: true, credentials: true }))
	app.use(cors({ origin: ['http://localhost:5173', 'https://your-production-domain.com'], credentials: true }))

[gemini-code-assist]

The catch block in sendEmail swallows the error and does not re-throw it. This prevents the calling service (userService.forgotPassword) from handling the email sending failure. The catch block in userService.forgotPassword which is supposed to clean up the reset token is currently unreachable. The error should be re-thrown to ensure failures are handled correctly.

  } catch (error) {
    console.error('❌ Error sending email:', error)
    // Fallback to console log if sending fails
    console.log('⚠️ Fallback: Logging email to console due to send failure.')
    console.log(`Reset Link: ${options.message}`)
    // Re-throw the error so the caller can handle it.
    throw error;
  }

[gemini-code-assist]

This test case for a successful login is not robust because it depends on a user existing from a previous test suite. If the user doesn't exist, it catches the error and considers the test passed, which can hide real issues. It's better to make tests independent by creating the necessary user in a beforeAll or beforeEach hook for this test suite to ensure a consistent and reliable test environment.

[gemini-code-assist]

The as any cast here, and also on line 73 in the login method, hides potential type mismatches between the Zod schema's inferred type and the type expected by the service methods. To improve type safety, consider adjusting the IUser interface or the service method signatures to be compatible with the Zod-inferred types, removing the need for these casts.

[gemini-code-assist]

Returning a generic 500 Internal Server Error for client-side issues like an invalid token is not ideal. It's better to catch specific, expected errors and return a more appropriate 4xx status code, like 400 Bad Request. This provides clearer feedback to the client.

    } catch (err: any) {
      if (err.message === UserConstant.INVALID_TOKEN) {
        return SendResponse.error(res, err.message, StatusConstant.BAD_REQUEST, err)
      }
      SendResponse.error(res, err.message || UserConstant.PASSWORD_RESET_FAILED, 500, err)
    }

[gemini-code-assist]

Hardcoding a fallback URL for FRONTEND_URL can lead to incorrect links in different environments (e.g., staging, production). It's better to ensure this environment variable is always set and fail fast if it's missing in production environments.

    const frontendUrl = process.env.FRONTEND_URL
    if (!frontendUrl) {
      throw new Error('FRONTEND_URL environment variable is not set.');
    }

[gemini-code-assist]

The bio field has a min(5) validation, but it's optional on the backend. This creates an inconsistency where the user is forced to enter a bio of at least 5 characters. To align with the backend, you should remove the minimum length requirement, which will still allow empty strings.

  bio: z.string().max(50, 'Bio must be less than 50 characters'),

[gemini-code-assist]

The Zod schema is duplicated from SignUp.tsx. It's better to export the schema from SignUp.tsx and import it here to avoid inconsistencies and ensure you're testing the exact schema used in the component. This prevents the test from becoming out of sync with the implementation.

[abhishek-nexgen-dev]

@Rohanrathod7 Please improve this Ui

[abhishek-nexgen-dev]

The Forgot Password page is not Looking good make sure the Ui looks good and Attrect Others

[abhishek-nexgen-dev]

Reference login Page

[Rohanrathod7]

Just Updated Feature: Password Reset please review it

[abhishek-nexgen-dev]

@Rohanrathod7 add screenshot

[Rohanrathod7]

resolved margin and responsiveness

A screenshots are added in PR's description
Please review it

[Rohanrathod7]

Whenever you are ready to merge, remind me