Password Reset via Email
Overview
A secure password reset flow that allows users to recover their accounts by verifying their identity through email. The system generates time-limited tokens, sends reset links, and ensures the process is protected against common security vulnerabilities.
User Stories
- As a user, I want to reset my password when I forget it, so that I can regain access to my account
- As a user, I want to receive a reset link via email, so that I can verify my identity
- As a user, I want the reset link to expire after a reasonable time, so that my account remains secure
- As a user, I want confirmation when my password is successfully changed, so that I know the process completed
Acceptance Criteria
- [ ] "Forgot password" link is visible on login page
- [ ] Reset form accepts email address
- [ ] System sends reset email within 2 minutes
- [ ] Reset link is valid for 1 hour only
- [ ] Reset page validates token before showing password form
- [ ] New password must meet security requirements (8+ chars, uppercase, number, special char)
- [ ] Password confirmation field must match new password
- [ ] All existing sessions are invalidated after password change
- [ ] Confirmation email sent after successful reset
Technical Requirements
- Generate cryptographically secure random tokens (min 32 bytes)
- Store only a hash of the token in the database, together with its expiration timestamp (the plaintext token appears only in the emailed link)
- Invalidate token after single use
- Use rate limiting on reset requests (max 3 per hour per email)
- Send email using transactional email service (SendGrid, Postmark)
- Log all password reset attempts for security monitoring
Edge Cases
- Email doesn't exist in system → Send generic success message (prevent email enumeration)
- Token expired → Show clear message with option to request new link
- Token already used → Display error and redirect to login
- User clicks old reset link after password already changed → Show "already used" message
- Multiple reset requests → Only the most recent token is valid; issuing a new token invalidates all earlier tokens for that account
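The token lifecycle described in the Technical Requirements and Edge Cases above, as an added illustration (not part of this spec or any particular implementation): the `ResetService` class and its in-memory dictionaries are hypothetical stand-ins for the database and mailer, and the rate-limit and TTL values are the ones the spec states.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=1)     # reset link valid for 1 hour only
RATE_LIMIT = 3                     # max 3 reset requests ...
RATE_WINDOW = timedelta(hours=1)   # ... per hour per email
GENERIC_MSG = "If that address is registered, a reset link has been sent."

class ResetService:  # hypothetical in-memory stand-in for token table + mailer
    def __init__(self, registered_emails):
        self.users = set(registered_emails)
        self.tokens = {}      # sha256(token) -> {"email", "expires", "used"}
        self.requests = {}    # email -> timestamps of recent reset requests
        self.now = datetime.now(timezone.utc)   # clock; tests move it forward

    @staticmethod
    def _hash(token):
        # Only the hash is stored, so a leaked table yields no usable links
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Returns (message, token); the message never reveals whether the
        email exists or the request was rate limited (no enumeration)."""
        if email not in self.users:
            return GENERIC_MSG, None
        cutoff = self.now - RATE_WINDOW
        recent = [t for t in self.requests.get(email, []) if t > cutoff]
        if len(recent) >= RATE_LIMIT:
            return GENERIC_MSG, None        # dropped; log it for monitoring
        self.requests[email] = recent + [self.now]
        for rec in self.tokens.values():    # only the latest token stays valid
            if rec["email"] == email:
                rec["used"] = True
        token = secrets.token_urlsafe(32)   # 32 CSPRNG bytes, URL-safe encoded
        self.tokens[self._hash(token)] = {"email": email, "expires": self.now + TOKEN_TTL, "used": False}
        return GENERIC_MSG, token           # token goes only into the emailed link

    def validate_token(self, token):
        """Returns 'ok', 'expired', 'used' or 'invalid'; consumes token on 'ok'."""
        rec = self.tokens.get(self._hash(token))
        if rec is None:
            return "invalid"
        if rec["used"]:
            return "used"                   # also old links after a password change
        if self.now >= rec["expires"]:
            return "expired"
        rec["used"] = True                  # single use
        return "ok"
```

The token is looked up by its hash rather than compared directly, so the lookup does not leak the plaintext token's value through string comparison timing.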
Out of Scope
- SMS-based password reset
- Security questions
- Account recovery without email access
- Admin-initiated password resets