As a user I want to reset my forgotten password via email so I can regain access without contacting the admin #36

New Issue

Closed

opened 2026-03-20 19:01:47 +01:00 by marcel · 0 comments

marcel commented 2026-03-20 19:01:47 +01:00

Owner

Copy Link

Background

Passwords are set by the admin and users can change them on their profile page (#35). But if a user forgets their password before they change it, they are locked out and must ask the admin to intervene. A self-service reset flow via email removes that friction.

Depends on #35 — the email column on app_users must exist before this can be implemented.

Desired behaviour

• The login page has a "Forgot password?" link below the submit button
• Clicking it opens /forgot-password — a simple form with one field: email address
• The user submits their email; the backend sends a reset link if the address matches a known account (no error is shown either way to avoid user enumeration)
• The link leads to /reset-password?token=... — a form with two fields: new password and confirmation
• Submitting a valid, unexpired, unused token updates the password and redirects to /login with a success message
• Expired or already-used tokens show a clear error with a link back to /forgot-password
• Reset tokens are valid for 24 hours

Implementation notes

Backend

New Flyway migration — password reset token table:

CREATE TABLE password_reset_tokens (
    token      VARCHAR(64) PRIMARY KEY,
    user_id    UUID        NOT NULL REFERENCES app_users(id) ON DELETE CASCADE,
    expires_at TIMESTAMP   NOT NULL,
    used       BOOLEAN     NOT NULL DEFAULT FALSE
);

New service method UserService.requestPasswordReset(email):

1. Look up user by email — if not found, silently return (no error, no timing difference)
2. Delete any existing unused tokens for this user before creating a new one — prevents token accumulation from repeated requests
3. Generate a secure random token (SecureRandom, 256-bit hex)
4. Persist PasswordResetToken with expires_at = now() + 24h
5. Send email via Spring JavaMailSender with a link: ${app.base-url}/reset-password?token=...
6. Catch MailException — if SMTP is not configured or delivery fails, log the error but return normally. The UI always shows "check your inbox" so SMTP misconfiguration does not leak information or produce a 500.

New service method UserService.resetPassword(token, newPassword):

1. Load token — throw DomainException.notFound if missing
2. Verify not expired and not used — throw DomainException.conflict if invalid
3. Update user password hash, mark token as used
4. Invalidate all sessions for that user (same mechanism as #35 password change)

Token cleanup: A @Scheduled job runs nightly and deletes all tokens where expires_at < now() or used = true. This prevents the table from growing indefinitely.

New endpoints (no authentication required — must be added to the Spring Security permit-list alongside /api/auth/login):

Method	Path	Purpose
POST	/api/auth/forgot-password	Triggers reset email
POST	/api/auth/reset-password	Consumes token, sets new password

Email configuration

All mail settings are externalised as environment variables:

spring.mail.host=${MAIL_HOST:smtp.gmail.com}
spring.mail.port=${MAIL_PORT:587}
spring.mail.username=${MAIL_USERNAME:}
spring.mail.password=${MAIL_PASSWORD:}
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=true

app.mail.from=${MAIL_FROM:${spring.mail.username}}
app.base-url=${APP_BASE_URL:http://localhost:5173}

docker-compose.yml passes MAIL_HOST, MAIL_USERNAME, MAIL_PASSWORD, MAIL_FROM, APP_BASE_URL as env vars so the same image works in both environments.

Frontend

• New route src/routes/forgot-password/ — email form, always shows "check your inbox" after submit
• New route src/routes/reset-password/ — reads ?token from URL, shows new-password form; on success redirects to /login with a success message (no auto-login)
• "Forgot password?" link on the login page
• i18n keys in de.json / en.json / es.json

Testing

• UserServiceTest:
  • requestPasswordReset with unknown email does nothing and does not throw
  • requestPasswordReset with known email creates a token and calls JavaMailSender
  • requestPasswordReset when JavaMailSender throws MailException does not propagate the exception
  • requestPasswordReset deletes any existing token for the user before creating a new one
  • resetPassword with expired token throws
  • resetPassword with used token throws
  • resetPassword with valid token updates password hash, marks token used, invalidates sessions
• @WebMvcTest — both endpoints return 200 regardless of whether email matches
• E2E Playwright spec — request reset, extract token from DB directly (bypassing email), submit new password, log in with new password

Dependencies

• #35 must be merged first — email column must exist and be unique

---

User Journey

User arrives at the login page but can't remember their password. They click the "Forgot password?" link beneath the login form. On the next page they enter their email address and submit. The page always shows a neutral "check your inbox" confirmation — no hint about whether the email is registered.

They open their email, click the reset link, and land on a page with two fields: new password and confirmation. They submit and are redirected to the login page with a success message. They log in immediately with their new password.

If they click an old or already-used reset link, they see a clear error explaining the link has expired, with a link back to the forgot-password page to start over.

E2E Scenarios

Scenario: Request a password reset
  Given I am on the login page
  When I click "Forgot password?"
  And I enter my email address and submit
  Then I see a "check your inbox" message
  And no information is revealed about whether the email is registered

Scenario: Reset password with a valid token
  Given a valid reset token exists in the database for my account
  When I navigate to /reset-password?token=<token>
  And I enter a new password and submit
  Then I am redirected to the login page with a success message
  And I can log in with the new password

Scenario: Expired token is rejected
  Given a reset token exists that has passed its 24-hour expiry
  When I navigate to /reset-password?token=<expired-token>
  Then I see an error message telling me the link has expired
  And I see a link back to the forgot-password page

## Background Passwords are set by the admin and users can change them on their profile page (#35). But if a user forgets their password before they change it, they are locked out and must ask the admin to intervene. A self-service reset flow via email removes that friction. **Depends on #35** — the `email` column on `app_users` must exist before this can be implemented. ## Desired behaviour - The login page has a "Forgot password?" link below the submit button - Clicking it opens `/forgot-password` — a simple form with one field: email address - The user submits their email; the backend sends a reset link if the address matches a known account (no error is shown either way to avoid user enumeration) - The link leads to `/reset-password?token=...` — a form with two fields: new password and confirmation - Submitting a valid, unexpired, unused token updates the password and redirects to `/login` with a success message - Expired or already-used tokens show a clear error with a link back to `/forgot-password` - Reset tokens are valid for **24 hours** ## Implementation notes **Backend** New Flyway migration — password reset token table: ```sql CREATE TABLE password_reset_tokens ( token VARCHAR(64) PRIMARY KEY, user_id UUID NOT NULL REFERENCES app_users(id) ON DELETE CASCADE, expires_at TIMESTAMP NOT NULL, used BOOLEAN NOT NULL DEFAULT FALSE ); ``` New service method `UserService.requestPasswordReset(email)`: 1. Look up user by email — if not found, **silently return** (no error, no timing difference) 2. **Delete any existing unused tokens for this user** before creating a new one — prevents token accumulation from repeated requests 3. Generate a secure random token (`SecureRandom`, 256-bit hex) 4. Persist `PasswordResetToken` with `expires_at = now() + 24h` 5. Send email via Spring `JavaMailSender` with a link: `${app.base-url}/reset-password?token=...` 6. **Catch `MailException`** — if SMTP is not configured or delivery fails, log the error but return normally. The UI always shows "check your inbox" so SMTP misconfiguration does not leak information or produce a 500. New service method `UserService.resetPassword(token, newPassword)`: 1. Load token — throw `DomainException.notFound` if missing 2. Verify not expired and not used — throw `DomainException.conflict` if invalid 3. Update user password hash, mark token as used 4. Invalidate all sessions for that user (same mechanism as #35 password change) **Token cleanup:** A `@Scheduled` job runs nightly and deletes all tokens where `expires_at < now()` or `used = true`. This prevents the table from growing indefinitely. New endpoints (no authentication required — must be added to the Spring Security permit-list alongside `/api/auth/login`): | Method | Path | Purpose | |--------|------|---------| | `POST` | `/api/auth/forgot-password` | Triggers reset email | | `POST` | `/api/auth/reset-password` | Consumes token, sets new password | **Email configuration** All mail settings are externalised as environment variables: ```properties spring.mail.host=${MAIL_HOST:smtp.gmail.com} spring.mail.port=${MAIL_PORT:587} spring.mail.username=${MAIL_USERNAME:} spring.mail.password=${MAIL_PASSWORD:} spring.mail.properties.mail.smtp.auth=true spring.mail.properties.mail.smtp.starttls.enable=true app.mail.from=${MAIL_FROM:${spring.mail.username}} app.base-url=${APP_BASE_URL:http://localhost:5173} ``` `docker-compose.yml` passes `MAIL_HOST`, `MAIL_USERNAME`, `MAIL_PASSWORD`, `MAIL_FROM`, `APP_BASE_URL` as env vars so the same image works in both environments. **Frontend** - New route `src/routes/forgot-password/` — email form, always shows "check your inbox" after submit - New route `src/routes/reset-password/` — reads `?token` from URL, shows new-password form; on success redirects to `/login` with a success message (no auto-login) - "Forgot password?" link on the login page - i18n keys in `de.json` / `en.json` / `es.json` ## Testing - `UserServiceTest`: - `requestPasswordReset` with unknown email does nothing and does not throw - `requestPasswordReset` with known email creates a token and calls `JavaMailSender` - `requestPasswordReset` when `JavaMailSender` throws `MailException` does not propagate the exception - `requestPasswordReset` deletes any existing token for the user before creating a new one - `resetPassword` with expired token throws - `resetPassword` with used token throws - `resetPassword` with valid token updates password hash, marks token used, invalidates sessions - `@WebMvcTest` — both endpoints return 200 regardless of whether email matches - E2E Playwright spec — request reset, extract token from DB directly (bypassing email), submit new password, log in with new password ## Dependencies - **#35** must be merged first — email column must exist and be unique --- ## User Journey User arrives at the login page but can't remember their password. They click the "Forgot password?" link beneath the login form. On the next page they enter their email address and submit. The page always shows a neutral "check your inbox" confirmation — no hint about whether the email is registered. They open their email, click the reset link, and land on a page with two fields: new password and confirmation. They submit and are redirected to the login page with a success message. They log in immediately with their new password. If they click an old or already-used reset link, they see a clear error explaining the link has expired, with a link back to the forgot-password page to start over. ## E2E Scenarios ``` Scenario: Request a password reset Given I am on the login page When I click "Forgot password?" And I enter my email address and submit Then I see a "check your inbox" message And no information is revealed about whether the email is registered Scenario: Reset password with a valid token Given a valid reset token exists in the database for my account When I navigate to /reset-password?token=<token> And I enter a new password and submit Then I am redirected to the login page with a success message And I can log in with the new password Scenario: Expired token is rejected Given a reset token exists that has passed its 24-hour expiry When I navigate to /reset-password?token=<expired-token> Then I see an error message telling me the link has expired And I see a link back to the forgot-password page ```

marcel referenced this issue 2026-03-20 19:04:26 +01:00

As a user I want a profile page so I can change my password and keep my personal information up to date #35

marcel added the feature label 2026-03-20 19:11:19 +01:00

marcel added the user label 2026-03-20 19:12:38 +01:00

marcel referenced this issue 2026-03-22 23:58:11 +01:00

feat: password reset via email (#36) #49

marcel closed this issue 2026-03-23 10:14:08 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/issue-533-mass-import-ux

worktree-feat+issue-557-upload-artifact-v3-pin

worktree-chore+issue-556-drop-client-branches-coverage-gate

fix/issue-514-prerender-crawl-bakes-redirects

fix/issue-472-prerender-entries

feat/issue-395-readme

feat/issue-345-bulk-mark-reviewed

feat/issue-344-bell-tooltip

feat/issue-341-annotieren-contrast

feat/issue-225-bulk-metadata-edit

feat/issue-317-bulk-upload

feat/issue-271-dashboard-redesign

docs/issue-240-mission-control-spec

refactor/issues-193-200

feat/issue-162-korrespondenz-redesign

feature/68-new-document-file-first

feat/81-discussion-discoverability

feat/62-document-bottom-panel

feature/56-backfill-file-hashes

feat/38-document-edit-history

fix/svelte5-test-delegation-and-login-auth

No results found.

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label feature user

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#36