[FEAT]: Implement API Endpoint for User Password Reset - Backend

[max-out-oluwadara]

Description

Develop an endpoint to handle requests to reset password for registered users. If the password reset is successfully, it will be returned to the client with a '200' status. If an error occurs, an appropriate error status will be returned.

Acceptance Criteria

• Validate that all required fields (email, newPassword, resetToken) are present in the request body.
• Ensure the newPassword meets the defined strength criteria (e.g., minimum length, complexity)
• Verify that the reset token is valid and not expired. Check that the reset token matches the user’s email.
• Returns a 200 status code and the correct response body when password is successfully updated and hashed into the database.
• Returns a 404 status code and the correct response body when user is not found.
• Returns an appropriate error message when an error occurs.
• Send an email notification to the user upon successful password update
• Maintain audit logs of password reset requests for forensic purposes.

Purpose

Implement endpoints to facilitate secure password updates for users who have forgotten their passwords or suspect their credentials have been compromised.

Requirement

• [ ] Verify the user's identity before allowing a password reset.
• [ ] Use HTTPS to encrypt all password reset-related communications.
• [ ] Create a unique, time-limited token for each password reset request
• [ ] Associate tokens with the correct user account
• [ ] Enforce strong password policies (e.g., minimum length, complexity)
• [ ] Hash the new password using a strong, slow hashing algorithm (e.g., bcrypt, Argon2)

Expected Outcome

• Users are able to update their password successfully.

STEP 1

Endpoints

[POST] /api/v1/request-password-request

Description: Initiates the password reset process by verifying the user's email and sending a reset token.

Request

Header Content-Type: application/json

Body

• [ ] json

  {
     "email": "string"
  }

Response

Success (200 OK)

{
    "message": "If a user with that email exists, a password reset link has been sent."
}

Error Response If user cant be found (400 Bad Request)

• [ ] json

  {
  "status": "error",
  "message": "Invalid input data",
  "errors": [
  {
    "field": "email",
    "message": "Invalid email"
  }
  ]
  }

Server-side error(500 Internal Server Error)

• [ ] json

  
  {
  "status": "error",
  "message": "Internal server error",
  "errorCode": "SERVER_ERROR_001"
  }

### **STEP 2**

### Endpoints
[POST] /api/v1/reset-password

**Description**: Resets the user's password using the token received via email.

### Request

Headers

Content-Type: application/json X-Reset-Token:

Body
- [ ] json

{ "new_password": "string" }

### Response

_Successful Password Update_
_Status:  `200 OK`_
- [ ]  json

{ "message": "Password updated successfully.", "status_code": 200 }

_Invalid Input or Token_
_Status:  `400 Bad Request`_

{ "message": "Invalid input or token", "status_code": 400 }

_Server-side error_
_Status:  `500 Internal Server Error`_
- [ ] json

{ "message": "Server error during processing.", "status_code": 500, }

### Tests

**Validation and Input Checks:**

- [ ] Verify that all required fields (ewPassword, resetToken) are present in the request body.
- [ ] Ensure that the newPassword meets the defined strength criteria (e.g., minimum length, complexity requirements).

**Token Validation:**
- [ ] Verify that the reset token is valid and not expired.
- [ ] Check that the reset token matches the user’s email.

### Response Scenarios:

**Successful Password Update:**
- [ ] Send a request with a valid reset token and a strong new password.
- [ ] Expect a 200 OK status code.
- [ ] Verify that the response body contains:

{ "message": "Password updated successfully.", "status_code": 200 }

**Invalid Input or Token:**
- [ ] Send a request with missing fields or an invalid reset token.
- [ ] Expect a 400 Bad Request status code.
- [ ] Verify that the response body contains:

{ "message": "Invalid input or token", "status_code": 400 }

**User Not Found:**
- [ ] Send a request with a valid reset token but an email not associated with any user.
- [ ] Expect a 404 Not Found status code.
- [ ] Verify that the response body contains:

{ "message": "User not found", "status_code": 404 }

**Server Error:**
- [ ] Simulate a server error during processing (e.g., database failure).
- [ ] Expect a 500 Internal Server Error status code.
- [ ] Verify that the response body contains:

{ "message": "Server error during processing.", "status_code": 500 }

**Security Measures:**
- [ ] Ensure HTTPS is used for all password reset-related communications.
- [ ] Create unique, time-limited tokens for each password reset request.
- [ ] Enforce strong password policies (length, complexity).
- [ ] Hash the new password using a strong hashing algorithm.

[Ayobamidele]

Tests

Validation and Input Checks:

• [ ] Verify that all required fields (ewPassword, resetToken) are present in the request body.
• [ ] Ensure that the newPassword meets the defined strength criteria (e.g., minimum length, complexity requirements).

Token Validation:

• [ ] Verify that the reset token is valid and not expired.
• [ ] Check that the reset token matches the user’s email.

Response Scenarios:

• Successful Password Update:
• [ ] Send a request with a valid reset token and a strong new password.
• [ ] Expect a 200 OK status code.
• [ ] Verify that the response body contains:

{
    "message": "Password updated successfully.",
    "status_code": 200
}

• Invalid Input or Token:
• [ ] Send a request with missing fields or an invalid reset token.
• [ ] Expect a 400 Bad Request status code.
• [ ] Verify that the response body contains:

{
    "message": "Invalid input or token",
    "status_code": 400
}

• User Not Found:
• [ ] Send a request with a valid reset token but an email not associated with any user.
• [ ] Expect a 404 Not Found status code.
• [ ] Verify that the response body contains:

{
    "message": "User not found",
    "status_code": 404
}

• Server Error:
• [ ] Simulate a server error during processing (e.g., database failure).
• [ ] Expect a 500 Internal Server Error status code.
• [ ] Verify that the response body contains:

{
    "message": "Server error during processing.",
    "status_code": 500
}

Security Measures:

• [ ] Ensure HTTPS is used for all password reset-related communications.
• [ ] Create unique, time-limited tokens for each password reset request.
• [ ] Enforce strong password policies (length, complexity).
• [ ] Hash the new password using a strong hashing algorithm.

[max-out-oluwadara]

@Ayobamidele thanks, have update the test

[phurhard]

Why you close it initially??

[Shullyd7]

Why is token in request body instead of request header?

[max-out-oluwadara]

@Shullyd7 Have make the necessary adjustment sir... please help recheck

[max-out-oluwadara]

@phurhard it open now sir.. it a mistake

[phurhard]

A question is asked why, and you just went ahead to change it to headers. Okay, why is the Authtoken in headers?? Is a user signed in before they can reset the password?? Or the token is given to client without signing in??

[Ayobamidele]

It is required for security purposes, so a token must always be generated to verify the process of resetting the password. wherever the user is logged in or not

[phurhard]

I know why a token is needed, I'm asking you if you know why you're putting it in the header or body. The token needed is it the JWT token or it's the confirmation token sent to the user's mail.

[Ayobamidele]

The confirmation token is sent to the user's mail.

[phurhard]

So how would the user send that confirmation mail in the header??

[Ayobamidele]

Corrected sir, It would be in the body.

[max-out-oluwadara]

@phurhard
Have put it into two steps sir

One the user email is verified first. if user is found reset email is sent if user is not found appropriate error response and code is send

two the user click on the link in the email... the link will contain the token and it take the user to the page where the new email will be post to the database. With the approperiate response thanks

[max-out-oluwadara]

@phurhard @Shullyd7 @markessien

The frontend will extract the token sir

headers: { 'Content-Type': 'application/json', 'X-Reset-Token': token }

From the url params example https://example.com/reset-password?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9......