Component: Node.js Backend / Authentication Flow
Files Affected: backend/controllers/authController.js, backend/routes/authRoutes.js
Description
The authentication system currently handles user registration, local login, and Google OAuth login. However, there is no implementation for a "Forgot Password" flow. If a user registers via email/password and forgets their credentials, there is no route to request a reset link and no mechanism to change the password, resulting in a permanent account lockout.
Proposed Fix
- Create a /forgot-password route that accepts an email, generates a time-limited reset token, stores it against the user, and emails a reset link to the user (e.g., using nodemailer). The route should return the same response whether or not the address is registered, so it cannot be used to enumerate accounts, and should store only a hash of the token so a database leak does not yield usable reset links.
- Create a /reset-password route that validates the reset token (matching stored hash, not expired, not already used), then safely updates the password field in MongoDB using the existing bcrypt schema hooks and clears the token so it is single-use.