
Add password reset feature with email-based token flow #9

Merged
jalexw merged 5 commits into main from feature/reset-password
Apr 1, 2026

Conversation


@jalexw jalexw commented Mar 31, 2026

Summary

  • Add complete password reset flow: request reset link via email, use tokenized link to set new password
  • Tokens are SHA-256 hashed before database storage to protect against DB compromise
  • Database migration 00012 adds PASSWORD_RESET_TOKENS table
  • New pages at /auth/reset-password with request and confirm forms
  • "Forgot password?" link added to the login page
  • Test-only API endpoint (GET /api/test/password-reset-token/:email) for E2E testing without email delivery
  • Comprehensive Cypress E2E test suite covering full reset flow, invalid tokens, token reuse prevention, and old password invalidation
  • auth-server: 0.21.2 → 0.22.0, e2e-auth-tests: 0.2.17 → 0.2.18

Test plan

  • Run bun run dev:migrate to apply migration 00012
  • Run bun run typecheck --filter @schemavaults/auth-server — passes
  • Navigate to /auth/login — "Forgot password?" link visible
  • Click through to /auth/reset-password — request form loads
  • Submit email — success toast appears (regardless of whether email exists)
  • Visit /auth/reset-password?token=<valid-token> — confirm form loads
  • Reset password and login with new credentials
  • Run E2E tests: bun run e2e:core

🤖 Generated with Claude Code
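
The flow the PR description outlines (random token emailed to the user, only SHA-256(token) stored, time-limited, single use, old password invalidated) as an added example. This is not the auth-server's code and does not touch its schema; the in-memory maps, the 30-minute lifetime, the function names and the scrypt password hashing are assumptions made for the example. Because the raw token carries 256 bits of entropy, an unsalted SHA-256 is enough for the stored lookup key: an attacker holding the table cannot invert it to the value the reset link needs.

```typescript
// Added example (not the PR's code): an email-based password reset flow in
// which only SHA-256(token) ever reaches storage. Store layout, TTL and names
// are assumptions for the example.
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

export const TOKEN_TTL_MS = 30 * 60 * 1000; // assumed reset-link lifetime

interface User { email: string; salt: Buffer; passwordHash: Buffer }
interface ResetRecord { email: string; expiresAt: number; usedAt: number | null }

const users = new Map<string, User>();
// Keyed by SHA-256(token): the database never sees the raw token.
const resetTokens = new Map<string, ResetRecord>();

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

export function createUser(email: string, password: string): void {
  const salt = randomBytes(16);
  users.set(email, { email, salt, passwordHash: hashPassword(password, salt) });
}

export function verifyLogin(email: string, password: string): boolean {
  const u = users.get(email);
  if (!u) return false;
  return timingSafeEqual(u.passwordHash, hashPassword(password, u.salt));
}

// Request step. The message returned to the HTTP client is identical whether
// or not the address is registered (no account enumeration). The raw token is
// returned only so the caller can put it in the email; it is never stored.
export function requestReset(
  email: string,
  now: number = Date.now(),
): { message: string; tokenToEmail: string | null } {
  const message = "If an account exists for that address, a reset link has been sent.";
  if (!users.has(email)) return { message, tokenToEmail: null };
  const token = randomBytes(32).toString("base64url");
  resetTokens.set(hashToken(token), { email, expiresAt: now + TOKEN_TTL_MS, usedAt: null });
  return { message, tokenToEmail: token };
}

export type ResetOutcome = "ok" | "invalid" | "expired" | "used";

// Confirm step. Looks the record up by hash, enforces expiry and single use,
// rotates the password (old one stops working) and burns every other
// outstanding token for the same user so a stale link cannot undo the reset.
export function confirmReset(
  token: string,
  newPassword: string,
  now: number = Date.now(),
): ResetOutcome {
  const rec = resetTokens.get(hashToken(token));
  if (!rec) return "invalid";
  if (rec.usedAt !== null) return "used";
  if (now > rec.expiresAt) return "expired";
  const user = users.get(rec.email);
  if (!user) return "invalid";
  rec.usedAt = now;
  for (const other of resetTokens.values()) {
    if (other.email === rec.email && other.usedAt === null) other.usedAt = now;
  }
  const salt = randomBytes(16);
  user.salt = salt;
  user.passwordHash = hashPassword(newPassword, salt);
  return "ok";
}
```

Two things a reviewer would still want to check in the real change: that the test-only endpoint minting a token for an arbitrary email is unreachable outside the E2E environment (otherwise it is a direct account-takeover primitive), and that a successful reset also ends the user's existing sessions, which the description does not mention.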

jalexw and others added 5 commits March 31, 2026 18:08
Implements a complete forgot/reset password flow: users request a reset
link via email, receive a time-limited token, and use it to set a new
password. Tokens are SHA-256 hashed before storage to protect against
database compromise.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Adds a test-only API endpoint (GET /api/test/password-reset-token/:email)
that generates a reset token directly, bypassing email, so Cypress tests
can exercise the full reset flow. Tests cover: page loading, navigation,
request form submission, full reset + re-login, invalid tokens, token
reuse prevention, and old password invalidation.

auth-server: 0.21.2 → 0.22.0
e2e-auth-tests: 0.2.17 → 0.2.18

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vercel

vercel bot commented Mar 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project: auth | Deployment: Ignored | Actions: Ignored | Updated (UTC): Mar 31, 2026 11:48pm


@jalexw jalexw self-assigned this Mar 31, 2026

jalexw commented Mar 31, 2026

Issue #1

@jalexw jalexw merged commit 19e056d into main Apr 1, 2026
14 checks passed

1 participant