Fix security event gaps in password reset flow

Log rate limit hits on forgot-password, distinguish expired vs invalid
reset tokens with separate event types, and log password reset requests
before token generation.

Author: MansiVisuals

src/app/api/auth/forgot-password/route.ts

@@ -38,6 +38,14 @@ export async function POST(request: NextRequest) {
   }, 'forgot-password')
 
   if (rateLimitResult) {
+    await logSecurityEvent({
+      type: 'ADMIN_PASSWORD_RESET_RATE_LIMIT_HIT',
+      severity: 'WARNING',
+      ipAddress: getClientIpAddress(request),
+      details: {
+        reason: 'Too many password reset requests',
+      },
+    })
     return rateLimitResult
   }
 
@@ -91,6 +99,17 @@ export async function POST(request: NextRequest) {
       settings?.smtpFromAddress
     )
 
+    // Log the reset request
+    await logSecurityEvent({
+      type: 'ADMIN_PASSWORD_RESET_REQUESTED',
+      severity: 'INFO',
+      ipAddress: getClientIpAddress(request),
+      details: {
+        userId: user.id,
+        email: user.email,
+      },
+    })
+
     // Generate secure reset token
     const token = generatePasswordResetToken({
       userId: user.id,

src/app/api/auth/reset-password/route.ts

@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server'
 import { prisma } from '@/lib/db'
 import { rateLimit } from '@/lib/rate-limit'
-import { verifyPasswordResetToken } from '@/lib/password-reset'
+import { verifyPasswordResetTokenWithReason } from '@/lib/password-reset'
 import { hashPassword, validatePassword } from '@/lib/encryption'
 import { invalidateAdminSessions } from '@/lib/session-invalidation'
 import { logSecurityEvent } from '@/lib/video-access'
@@ -82,22 +82,25 @@ export async function POST(request: NextRequest) {
     }
 
     // Verify and decode token
-    const payload = verifyPasswordResetToken(token)
-    if (!payload) {
-      // Log invalid token attempt
+    const tokenResult = verifyPasswordResetTokenWithReason(token)
+    if (!tokenResult.valid) {
+      const eventType = tokenResult.reason === 'expired'
+        ? 'ADMIN_PASSWORD_RESET_TOKEN_EXPIRED'
+        : 'ADMIN_PASSWORD_RESET_TOKEN_INVALID'
       await logSecurityEvent({
-        type: 'ADMIN_PASSWORD_RESET_TOKEN_INVALID',
+        type: eventType,
         severity: 'WARNING',
         ipAddress: getClientIpAddress(request),
         details: {
-          reason: 'Invalid or expired token',
+          reason: tokenResult.reason === 'expired' ? 'Token expired' : 'Invalid or malformed token',
         },
       })
       return NextResponse.json(
         { error: authMessages.invalidOrExpiredResetToken || 'Invalid or expired reset token' },
         { status: 400 }
       )
     }
+    const payload = tokenResult.payload
 
     // Atomically mark token as used (single-use enforcement via SETNX)
     const redis = getRedis()

src/lib/password-reset.ts

@@ -35,33 +35,51 @@ export function generatePasswordResetToken(input: {
 
 /**
  * Verify and decode a password reset token
- * 
+ *
  * @param token - Encrypted token string
  * @returns Decoded payload or null if invalid/expired
  */
 export function verifyPasswordResetToken(token: string): {
   userId: string
   userEmail: string
 } | null {
+  const result = verifyPasswordResetTokenWithReason(token)
+  return result.valid ? result.payload : null
+}
+
+/**
+ * Verify a password reset token and return the failure reason.
+ * Used by the reset-password route to distinguish expired vs invalid tokens.
+ */
+export function verifyPasswordResetTokenWithReason(token: string): {
+  valid: true
+  payload: { userId: string; userEmail: string }
+} | {
+  valid: false
+  reason: 'invalid' | 'expired'
+} {
   try {
     const decoded = decrypt(token)
     const payload = JSON.parse(decoded) as Partial<PasswordResetPayloadV1>
 
     // Validate structure
-    if (payload.v !== 1 || payload.t !== 'password_reset') return null
-    if (typeof payload.uid !== 'string' || payload.uid.length === 0) return null
-    if (typeof payload.em !== 'string' || payload.em.length === 0) return null
-    if (typeof payload.exp !== 'number') return null
+    if (payload.v !== 1 || payload.t !== 'password_reset') return { valid: false, reason: 'invalid' }
+    if (typeof payload.uid !== 'string' || payload.uid.length === 0) return { valid: false, reason: 'invalid' }
+    if (typeof payload.em !== 'string' || payload.em.length === 0) return { valid: false, reason: 'invalid' }
+    if (typeof payload.exp !== 'number') return { valid: false, reason: 'invalid' }
 
     // Check expiration
-    if (Date.now() > payload.exp) return null
+    if (Date.now() > payload.exp) return { valid: false, reason: 'expired' }
 
     return {
-      userId: payload.uid,
-      userEmail: payload.em,
+      valid: true,
+      payload: {
+        userId: payload.uid,
+        userEmail: payload.em,
+      },
     }
   } catch {
-    return null
+    return { valid: false, reason: 'invalid' }
   }
 }