Complete backend implementation for password reset functionality in LocalMind.
POST /api/v1/auth/forgot-password

Body:
```json
{ "email": "user@example.com" }
```
Response:
```json
{ "success": true, "message": "If the email exists, a reset link has been sent." }
```

POST /api/v1/auth/reset-password/:token

Body:
```json
{ "password": "NewPassword123@" }
```
Response:
```json
{ "success": true, "message": "Password reset successful" }
```
```env
FRONTEND_URL=http://localhost:3000
SMTP_SERVICE=gmail
SMTP_USER=your-email@gmail.com
SMTP_PASSWORD=your-app-password
SMTP_FROM=noreply@localmind.com
```

To get a Gmail app password:
- Go to: https://myaccount.google.com/apppasswords
- Select Mail + Windows/Device
- Copy password → Add to SMTP_PASSWORD in .env
```bash
# Forgot password
curl -X POST http://localhost:5000/api/v1/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com"}'
```

| File | Purpose |
|---|---|
| PASSWORD_RESET_API.md | Complete technical docs |
| SETUP_GUIDE.md | Quick start + integration |
| IMPLEMENTATION_SUMMARY.md | What was implemented |
| AUTHENTICATION_API.md | All auth endpoints |
| BACKEND_IMPLEMENTATION_CHECKLIST.md | Detailed checklist |
✅ Secure Tokens - 256 bits entropy, SHA256 hashed
✅ Time-Limited - Expire after 15 minutes
✅ One-Time Use - Can't reuse tokens
✅ Strong Passwords - 8-20 chars, mixed case, numbers, special chars
✅ Privacy - Never reveal if email exists
✅ No Logging - Tokens never logged
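The token rules above (256-bit random token, only its SHA-256 stored, 15-minute expiry, single use, identical forgot-password response whether or not the address exists, password policy), modelled as an added example. This is not LocalMind's own code; the store, the function names and the `sendMail` callback are assumptions standing in for the real user model and e-mail utility.

```typescript
// Added example, not LocalMind's code: in-memory model of the reset-token rules in this README.
// ResetStore, issueResetToken, forgotPassword, resetPassword and isStrongPassword are assumed names.
import { createHash, randomBytes } from "node:crypto";

export const TOKEN_TTL_MS = 15 * 60 * 1000; // tokens expire after 15 minutes
export const FORGOT_MESSAGE = "If the email exists, a reset link has been sent.";

export interface ResetRecord {
  userId: string;
  expiresAt: number; // epoch milliseconds
}
// Keyed by SHA-256(token): a leaked store holds nothing that can be used to reset a password.
export type ResetStore = Map<string, ResetRecord>;

export function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

// 32 random bytes -> 64 hex characters (256 bits of entropy). Only the hash is persisted; the raw
// token goes into the e-mail link and nowhere else (in particular, never into a log line).
export function issueResetToken(userId: string, store: ResetStore, now = Date.now()): string {
  const token = randomBytes(32).toString("hex");
  store.set(hashToken(token), { userId, expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// forgot-password: the reply is the same fixed message whether or not the address is registered.
export function forgotPassword(email: string, users: Map<string, string>, store: ResetStore,
                               sendMail: (to: string, token: string) => void, now = Date.now()): string {
  const userId = users.get(email.toLowerCase());
  if (userId !== undefined) sendMail(email, issueResetToken(userId, store, now));
  return FORGOT_MESSAGE;
}

// 8-20 characters with at least one uppercase, lowercase, digit and special character.
export function isStrongPassword(pw: string): boolean {
  return pw.length >= 8 && pw.length <= 20 && /[A-Z]/.test(pw) && /[a-z]/.test(pw)
    && /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// reset-password/:token: accepted only before expiry, only once, only with a policy-conforming password.
export function resetPassword(token: string, password: string, store: ResetStore,
                              now = Date.now()): { ok: boolean; userId?: string } {
  const key = hashToken(token);
  const record = store.get(key);
  if (record === undefined || now > record.expiresAt) return { ok: false };
  if (!isStrongPassword(password)) return { ok: false }; // token stays valid for a retry
  store.delete(key); // one-time use: a second attempt with the same token fails
  return { ok: true, userId: record.userId };
}
```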
New Files:
- src/services/password-reset.service.ts
- src/utils/email.utils.ts

Modified Files:
- src/api/v1/user/user.model.ts - Added schema fields
- src/api/v1/user/user.controller.ts - Added 2 methods
- src/api/v1/user/user.routes.ts - Added 2 routes
- src/api/v1/user/user.validator.ts - Added 2 schemas
- src/api/v1/user/user.constant.ts - Added messages
- src/api/v1/user/user.type.ts - Updated interface
- src/validator/env.ts - Added email vars
- tsconfig.json - Added Node types
- env.example - Added examples
```bash
# 1. Request a reset link
curl -X POST http://localhost:5000/api/v1/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com"}'
```

```bash
# 2. Reset the password with the token from the e-mail link
curl -X POST http://localhost:5000/api/v1/auth/reset-password/TOKEN \
  -H "Content-Type: application/json" \
  -d '{"password": "NewPassword123@"}'
```

```bash
# 3. Log in with the new password
curl -X POST http://localhost:5000/api/v1/user/login \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com", "password": "NewPassword123@"}'
```

- Token Expiry: 15 minutes
- Password Requirements: 8-20 chars, uppercase, lowercase, number, special char
- Token Size: 64 hex characters (256 bits)
- Email Service: Supports Gmail and custom SMTP
Before going to production:
- Set a strong JWT_SECRET
- Configure a real SMTP service
- Use HTTPS only
- Set NODE_ENV=production
- Set FRONTEND_URL to your domain
- Enable CORS for the frontend only
- Rotate SMTP credentials
```javascript
// Request a reset link
fetch('/api/v1/auth/forgot-password', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ email }),
})
```

```javascript
// Submit the new password with the token from the reset link
fetch(`/api/v1/auth/reset-password/${token}`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ password }),
})
```

Email not sent?
→ Check SMTP config in .env
→ Verify Gmail app password
Token invalid?
→ Token expires after 15 min
→ Token can only be used once
Password requirements?
→ 8-20 chars
→ Must have uppercase, lowercase, number, special char
For detailed information, see:
- Full API docs: PASSWORD_RESET_API.md
- Setup guide: SETUP_GUIDE.md
- Implementation details: IMPLEMENTATION_SUMMARY.md
Last Updated: January 11, 2025
Status: ✅ Complete & Ready