Description
Develop an endpoint to handle password reset requests for registered users. If the password reset succeeds, a '200' status is returned to the client. If an error occurs, an appropriate error status is returned.
Acceptance Criteria
Validate that all required fields (email, newPassword, resetToken) are present in the request body.
Ensure the newPassword meets the defined strength criteria (e.g., minimum length, complexity)
Verify that the reset token is valid and not expired. Check that the reset token matches the user’s email.
Returns a 200 status code and the correct response body when the password is successfully updated and its hash is stored in the database.
Returns a 404 status code and the correct response body when the user is not found.
Returns an appropriate error message when an error occurs.
Send an email notification to the user upon successful password update
Maintain audit logs of password reset requests for forensic purposes.
Purpose
Implement endpoints to facilitate secure password updates for users who have forgotten their passwords or suspect their credentials have been compromised.
Requirement
[ ] Verify the user's identity before allowing a password reset.
[ ] Use HTTPS to encrypt all password reset-related communications.
[ ] Create a unique, time-limited token for each password reset request
[ ] Associate tokens with the correct user account
[ ] Enforce strong password policies (e.g., minimum length, complexity)
[ ] Hash the new password using a strong, slow hashing algorithm (e.g., bcrypt, Argon2)
Expected Outcome
Users are able to update their password successfully.
Endpoints
[POST] /api/v1/auth/reset-password
Description: Resets the user's password using the token received via email.
Request
Headers
Body (JSON: email, newPassword, resetToken)
Response
Successful Password Update Status: 200 OK (JSON body)
Invalid Input or Token Status: 400 Bad Request
User Not Found Status: 404 Not Found
Server-side Error Status: 500 Internal Server Error (JSON body)
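A reference implementation of the endpoint contract above, added here as a worked example; it is not the project's own code. It covers the acceptance criteria (required fields, password strength, token validity, expiry and binding to the user, slow hashing, audit log, notification email) and produces each status code listed in the Tests section. The in-memory dicts USERS, RESET_TOKENS, AUDIT_LOG and SENT_EMAILS stand in for the database and mail service and are assumptions, as are the 15-minute token TTL, the password regex, and the use of the stdlib scrypt in place of bcrypt/Argon2. The 404 for an unknown user follows the spec even though it discloses whether an address is registered.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional

# Constructed in-memory stand-ins for the user table, token table, audit log and mail
# outbox. They are assumptions for this example, not the project's real storage layer.
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}   # sha256(token) -> {"email": ..., "expires_at": ...}
AUDIT_LOG = []      # one dict per reset attempt; never stores tokens or passwords
SENT_EMAILS = []    # notification outbox

TOKEN_TTL_SECONDS = 15 * 60
# At least 12 chars with lower, upper, digit and symbol; the 128-char cap keeps the slow
# hash from being fed huge inputs. Adjust to the project's actual policy.
PASSWORD_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,128}$")


def _token_key(token: str) -> str:
    # Only a hash of the token is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Create a unique, time-limited token bound to one account; the caller emails it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {"email": email.strip().lower(),
                                       "expires_at": now + TOKEN_TTL_SECONDS}
    return token


def hash_password(password: str) -> str:
    """Salted slow hash. scrypt is used because it ships with the stdlib; bcrypt or
    Argon2id (the page's own examples) would be drop-in replacements."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _audit(event: str, email: str, now: float) -> None:
    AUDIT_LOG.append({"ts": now, "event": event, "email": email})


def _default_db_write(user: dict, password_hash: str) -> None:
    user["password_hash"] = password_hash


def reset_password(body: dict, now: Optional[float] = None, db_write=_default_db_write):
    """Handle POST /api/v1/auth/reset-password. Returns (status_code, response_body)."""
    now = time.time() if now is None else now
    missing = [f for f in ("email", "newPassword", "resetToken") if not body.get(f)]
    if missing:
        return 400, {"error": "missing required fields", "fields": missing}
    email = str(body["email"]).strip().lower()
    if not PASSWORD_RE.match(str(body["newPassword"])):
        return 400, {"error": "password does not meet strength requirements"}

    key = _token_key(str(body["resetToken"]))
    record = RESET_TOKENS.get(key)
    # Token must exist, be unexpired and be bound to the email in the request.
    # compare_digest keeps the email check constant-time; one generic error avoids
    # telling the caller which of the three checks failed.
    if (record is None or record["expires_at"] < now
            or not hmac.compare_digest(record["email"].encode(), email.encode())):
        _audit("reset_rejected_bad_token", email, now)
        return 400, {"error": "invalid or expired reset token"}

    user = USERS.get(email)
    if user is None:
        # Spec mandates 404 here; this reveals whether an address is registered.
        _audit("reset_rejected_unknown_user", email, now)
        return 404, {"error": "user not found"}

    try:
        db_write(user, hash_password(str(body["newPassword"])))
    except Exception:
        # Database failure: generic 500 to the client, detail stays in the audit log.
        _audit("reset_failed_db_error", email, now)
        return 500, {"error": "internal server error"}

    RESET_TOKENS.pop(key, None)   # single use: a replayed token is rejected with 400
    _audit("reset_succeeded", email, now)
    SENT_EMAILS.append({"to": email, "subject": "Your password was changed"})
    return 200, {"message": "password updated"}
```

Three design points worth keeping when porting this to the real stack: the token table holds only a SHA-256 of the token, so a database read does not yield a usable reset link; a token is consumed on the first successful reset, so an intercepted link cannot be used twice; and the audit log records the outcome and the email only, never the token or the password.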
Tests
Validation and Input Checks:
[ ] Verify that all required fields (email, newPassword, resetToken) are present in the request body.
[ ] Ensure that the newPassword meets the defined strength criteria (e.g., minimum length, complexity requirements).
Token Validation:
[ ] Verify that the reset token is valid and not expired.
[ ] Check that the reset token matches the user’s email.
Response Scenarios:
Successful Password Update:
[ ] Send a request with a valid reset token and a strong new password.
[ ] Expect a 200 OK status code.
[ ] Verify that the response body contains:
Invalid Input or Token:
[ ] Send a request with missing fields or an invalid reset token.
[ ] Expect a 400 Bad Request status code.
[ ] Verify that the response body contains:
User Not Found:
[ ] Send a request with a valid reset token but an email not associated with any user.
[ ] Expect a 404 Not Found status code.
[ ] Verify that the response body contains:
Server Error:
[ ] Simulate a server error during processing (e.g., database failure).
[ ] Expect a 500 Internal Server Error status code.
[ ] Verify that the response body contains:
Security Measures:
[ ] Ensure HTTPS is used for all password reset-related communications.
[ ] Create unique, time-limited tokens for each password reset request.
[ ] Enforce strong password policies (length, complexity).
[ ] Hash the new password using a strong, slow hashing algorithm (e.g., bcrypt, Argon2).