feat: implement forgot password endpoint #40

Merged
ayshadogo merged 4 commits into Dfunder:main from
JamesVictor-O:feat/implement-forgot-password-endpoint
Mar 5, 2026

Conversation

@JamesVictor-O

Summary

  • Implements POST /api/auth/forgot-password endpoint that allows users to request a password reset via email (resolves #25, Implement Forgot Password Endpoint)
  • Generates a cryptographically secure reset token (SHA-256 hashed) with a 1-hour expiry, stored on the user document
  • Sends a password reset email using the existing sendEmail service and passwordResetTemplate
  • Always returns HTTP 200 with a generic message regardless of whether the email exists, preventing user enumeration attacks
  • Adds FRONTEND_URL to .env.example for constructing the reset link

Changes

| File | Change |
| --- | --- |
| src/controllers/auth.controller.js | Added forgotPassword controller with token generation, hashing, and email dispatch |
| src/routes/auth.routes.js | Registered POST /forgot-password route with validation |
| src/validators/auth.validators.js | Added forgotPasswordSchema (validates email in request body) |
| .env.example | Added FRONTEND_URL environment variable |

Test plan

  • Send POST /api/auth/forgot-password with a registered email — verify 200 response and email received with valid reset link
  • Send POST /api/auth/forgot-password with a non-existent email — verify 200 response with same generic message (no user enumeration)
  • Send POST /api/auth/forgot-password with invalid email format — verify 400 validation error
  • Verify the reset token in the database is SHA-256 hashed (not plaintext)
  • Verify the token expires after 1 hour
  • Use the token from the email with PATCH /api/auth/reset-password/:token to confirm the full flow works end-to-end

Closes #25

Add POST /api/auth/forgot-password to allow users to request a password
reset via email. The endpoint finds the user by email, generates a
secure SHA-256 hashed reset token with 1-hour expiry, and sends a
password reset email using the existing email service and template.
Always returns HTTP 200 regardless of whether the email exists to
prevent user enumeration.

Closes Dfunder#25

Made-with: Cursor
@ayshadogo

@JamesVictor-O

Please resolve conflicts

@JamesVictor-O

@ayshadogo done, please check it out

ayshadogo merged commit d87d7ee into Dfunder:main on Mar 5, 2026
3 checks passed