Self-service forgot-password flow (AUTH01) #35

Closed
opened 2026-04-21 20:52:16 +00:00 by frank · 1 comment
Owner

Status (verified 2026-05-05)

The token-based reset infrastructure is built. Only the self-service entry point is missing.

Done (commit 57f5a7d, 2026-04-23)

  • password_reset_tokens table with 24h expiry (migration 018)
  • POST /users/{id}/reset-link (admin-gated) — generates token
  • POST /auth/reset-password (public) — consumes token
  • /reset-password/:token page for setting a new password
  • Admin-page UI: generate link, copy to clipboard, share with user

Remaining (~2-3 hours once email infra lands)

  • "Forgot password?" link on login page
  • /forgot-password page with email input
  • POST /auth/forgot-password endpoint: look up user by email, generate token (reuse existing logic), send email with reset link

Dependency

Blocked on #39 (email sending infrastructure).

Launch posture

Admin-generated reset is a defensible fallback for self-hosted installs that don't have SMTP configured. Original BLOCKER tag dropped — finishing this is now priority:medium gated on #39.

frank added this to the Launch Prep milestone 2026-04-21 20:52:16 +00:00
frank changed title from BLOCKER: Password reset flow (AUTH01) to Self-service forgot-password flow (AUTH01) 2026-05-05 15:29:03 +00:00
frank closed this issue 2026-05-05 20:34:20 +00:00
Author
Owner

Done in commit c9391e2 — verified end-to-end on production (home.cookslate.app):

  • POST /auth/forgot-password (rate-limited 5/10min/IP, doesn't leak email existence)
  • New /forgot-password page in the React frontend
  • 'Forgot password?' link added under the Sign In button on /login
  • Reset emails sent via Resend (#39 infrastructure)

Reset link → existing /reset-password/:token page from commit 57f5a7d (token consumption flow already in place from admin-generated reset feature).
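The endpoint as the issue and this closing comment describe it, as an added example (not the project's own code): the users table, `password_reset_tokens` table, rate limiter and Resend call are replaced by constructed in-memory stand-ins, while the behaviour (identical response whether or not the email exists, 5 requests per 10 minutes per IP, hashed single-use token with 24h expiry) follows the issue.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

TOKEN_TTL = 24 * 3600           # 24h expiry, as in migration 018
RATE_LIMIT = (5, 600)           # 5 requests per 10 minutes per IP

# Constructed stand-ins for the users / password_reset_tokens tables
# and for the outbound email provider.
USERS = {"alice@example.com": 1}
RESET_TOKENS = {}               # sha256(token) -> (user_id, expires_at)
SENT_EMAILS = []                # (recipient, reset link) instead of Resend
_requests = defaultdict(deque)  # ip -> timestamps of recent requests


def _over_limit(ip, now):
    limit, window = RATE_LIMIT
    q = _requests[ip]
    while q and q[0] <= now - window:   # drop requests outside the window
        q.popleft()
    if len(q) >= limit:
        return True
    q.append(now)
    return False


def create_reset_token(user_id, now):
    # Only the hash is stored: a leaked table row does not yield a usable link.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (user_id, now + TOKEN_TTL)
    return token


def forgot_password(email, ip, now=None):
    """POST /auth/forgot-password: same status and body for known and unknown emails."""
    now = time.time() if now is None else now
    if _over_limit(ip, now):
        return 429, {"error": "too many requests"}
    user_id = USERS.get(email.strip().lower())
    if user_id is not None:
        token = create_reset_token(user_id, now)
        SENT_EMAILS.append((email, f"https://home.cookslate.app/reset-password/{token}"))
    return 200, {"message": "If that address is registered, a reset link has been sent."}


def consume_reset_token(token, now):
    """POST /auth/reset-password: single use; unknown or expired tokens return None."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```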
