feat: add password reset ("forgot password") flow
Build & Push Docker Image / build (push) Successful in 4m12s
Build & Push Docker Image / build (push) Successful in 4m12s
Add a self-service password reset to the login flow: - Login page now shows a "Passwort vergessen?" link under the password field - New /forgot-password page requests a reset email by address - New /reset-password page sets a new password from an emailed token - Backend: POST /auth/forgot-password and /auth/reset-password with dedicated rate limiters; tokens stored as SHA-256 hashes with a 1h expiry - Generic responses avoid leaking account existence or SMTP/SSO state; SSO-only accounts are skipped - New sendPasswordResetEmail mailer + email/auth i18n keys (de + en) - DB migration: reset_token_hash, reset_token_expires, reset_requested_at Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -384,6 +384,25 @@ export async function initDatabase() {
|
||||
}
|
||||
}
|
||||
|
||||
// Password reset: store a SHA-256 hash of the reset token (never the raw token)
|
||||
if (!(await db.columnExists('users', 'reset_token_hash'))) {
|
||||
await db.exec('ALTER TABLE users ADD COLUMN reset_token_hash TEXT DEFAULT NULL');
|
||||
}
|
||||
if (!(await db.columnExists('users', 'reset_token_expires'))) {
|
||||
if (isPostgres) {
|
||||
await db.exec('ALTER TABLE users ADD COLUMN reset_token_expires TIMESTAMP DEFAULT NULL');
|
||||
} else {
|
||||
await db.exec('ALTER TABLE users ADD COLUMN reset_token_expires DATETIME DEFAULT NULL');
|
||||
}
|
||||
}
|
||||
if (!(await db.columnExists('users', 'reset_requested_at'))) {
|
||||
if (isPostgres) {
|
||||
await db.exec('ALTER TABLE users ADD COLUMN reset_requested_at TIMESTAMP DEFAULT NULL');
|
||||
} else {
|
||||
await db.exec('ALTER TABLE users ADD COLUMN reset_requested_at DATETIME DEFAULT NULL');
|
||||
}
|
||||
}
|
||||
|
||||
// Federation sync: add deleted + updated_at to federated_rooms
|
||||
if (!(await db.columnExists('federated_rooms', 'deleted'))) {
|
||||
await db.exec('ALTER TABLE federated_rooms ADD COLUMN deleted INTEGER DEFAULT 0');
|
||||
|
||||
@@ -92,6 +92,50 @@ export async function sendVerificationEmail(to, name, verifyUrl, appName = 'Redl
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Send a password reset email with a clickable link.
|
||||
* @param {string} to - recipient email
|
||||
* @param {string} name - user's display name
|
||||
* @param {string} resetUrl - full password reset URL
|
||||
* @param {string} appName - branding app name (default "Redlight")
|
||||
* @param {string} lang - language code
|
||||
*/
|
||||
export async function sendPasswordResetEmail(to, name, resetUrl, appName = 'Redlight', lang = 'en') {
|
||||
if (!transporter) {
|
||||
throw new Error('SMTP not configured');
|
||||
}
|
||||
|
||||
const from = process.env.SMTP_FROM || process.env.SMTP_USER;
|
||||
const headerAppName = sanitizeHeaderValue(appName);
|
||||
const safeName = escapeHtml(name);
|
||||
|
||||
await transporter.sendMail({
|
||||
from: `"${headerAppName}" <${from}>`,
|
||||
to,
|
||||
subject: t(lang, 'email.resetPassword.subject', { appName: headerAppName }),
|
||||
html: `
|
||||
<div style="font-family:Arial,sans-serif;max-width:520px;margin:0 auto;padding:32px;background:#1e1e2e;color:#cdd6f4;border-radius:12px;">
|
||||
<h2 style="color:#cba6f7;margin-top:0;">${t(lang, 'email.greeting', { name: safeName })}</h2>
|
||||
<p>${t(lang, 'email.resetPassword.intro')}</p>
|
||||
<p style="text-align:center;margin:28px 0;">
|
||||
<a href="${resetUrl}"
|
||||
style="display:inline-block;background:#cba6f7;color:#1e1e2e;padding:12px 32px;border-radius:8px;text-decoration:none;font-weight:bold;">
|
||||
${t(lang, 'email.resetPassword.button')}
|
||||
</a>
|
||||
</p>
|
||||
<p style="font-size:13px;color:#7f849c;">
|
||||
${t(lang, 'email.linkHint')}<br/>
|
||||
<a href="${resetUrl}" style="color:#89b4fa;word-break:break-all;">${escapeHtml(resetUrl)}</a>
|
||||
</p>
|
||||
<p style="font-size:13px;color:#7f849c;">${t(lang, 'email.resetPassword.validity')}</p>
|
||||
<hr style="border:none;border-top:1px solid #313244;margin:24px 0;"/>
|
||||
<p style="font-size:12px;color:#585b70;">${t(lang, 'email.resetPassword.footer')}</p>
|
||||
</div>
|
||||
`,
|
||||
text: `${t(lang, 'email.greeting', { name })}\n\n${t(lang, 'email.resetPassword.intro')}\n${resetUrl}\n\n${t(lang, 'email.resetPassword.validity')}\n\n- ${appName}`,
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Send a federation meeting invitation email.
|
||||
* @param {string} to - recipient email
|
||||
|
||||
Reference in New Issue
Block a user