Conversation

@ZeroWave022
Member

Users can now reset their password, assuming they provide the correct email and OTP code that is sent to that email.

@ZeroWave022 ZeroWave022 linked an issue Aug 28, 2025 that may be closed by this pull request
@michaelbrusegard
Member

michaelbrusegard commented Aug 29, 2025

Important thing for security: you must not inform the person who enters the email in forgot password when the email is invalid, as it can be used to find out which emails are registered on the website. Also remember extra rate limiting if it is not already done.

@ZeroWave022
Member Author

ZeroWave022 commented Aug 29, 2025

Hey @michaelbrusegard

If someone enters an email that doesn't have a user attached to it, no forgot password request will be made. The user gets sent to the page to write in an OTP code, but no code will ever be valid. See here - the code you get doesn't exist in the db. Therefore this will always fail with the "incorrect code" error, no matter what you type in.

Rate limiting is not implemented. In the auth router, I see you use the RefillingTokenBucket, Throttler and ExpiringTokenBucket classes. There are also some util functions in src/server/api/rate-limit/index.ts. Could you explain the purpose of these classes/utils or otherwise document them?

@michaelbrusegard
Member

I can explain it when I come visit Trondheim or on a call after work?

@ZeroWave022
Member Author

Yeah, I'll send you a message in the evening :)


@seandreassen seandreassen left a comment


I don't have the correct env variables for email or matrix, so I'll just assume they work. If emails aren't sent or the matrix password isn't updated, this should also be fixed.

@ZeroWave022
Member Author

ZeroWave022 commented Oct 11, 2025

I have sent you some more info on Matrix if you'd like to test this PR more in regards to email sending and such

@seandreassen
Member

I have also tested the emails now, and they do work.

@ZeroWave022 ZeroWave022 merged commit b3d28b5 into dev Oct 11, 2025
5 checks passed
@ZeroWave022 ZeroWave022 deleted the feat/forgot-password branch October 11, 2025 21:47
Successfully merging this pull request may close these issues.

feat: forgot password form