27 lines
1.0 KiB
Markdown
# Complete Password Reset Flow

**ID:** EU-002

**Priority:** Critical

**Status:** Planned

## User Story

As an end user, I want to reset my password when I forget it so that I can regain access to my account securely.

## Acceptance Criteria

- [ ] User can request a password reset via email
- [ ] Reset email contains a single-use, time-limited link carrying an unguessable token
- [ ] Clicking the link opens a form to set a new password
- [ ] Password must meet security requirements (length, complexity)
- [ ] Old password is invalidated after successful reset
- [ ] User receives confirmation email after password change
- [ ] All existing sessions are invalidated after password reset

## Technical Notes

- `resetPassword` handler exists but `setNewPassword` is a stub (returns `{ status: 'ok' }` without implementation)
- Need to implement the actual password update logic: validate the token (exists, unexpired, not yet used), mark it used, store the new password hash, and invalidate the user's sessions
- Should use `ReceptionMailer` for email sending (reset link and the confirmation after the change)
- Consider rate limiting reset requests (per account and per source address) to prevent abuse; the request endpoint should respond identically whether or not the email address is registered, so it cannot be used to enumerate accounts

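As an added example, not the project's own code, the following TypeScript sketch shows how the two handlers fit together using Node's `crypto` module. The in-memory `users`, `resetRecords` and `outbox` stores, the `createUser` and `tokenFromLastResetMail` helpers, the 15-minute validity window and the 12-character policy are assumptions made for the example; in the project the stores would be the real user and token tables and the mailer would be `ReceptionMailer`.

```typescript
// Added example, not the project's code: an in-memory sketch of the reset
// token lifecycle. Stores, TTL and password policy below are assumptions.
import { randomBytes, createHash, scryptSync, timingSafeEqual } from "node:crypto";

const RESET_TOKEN_TTL_MS = 15 * 60 * 1000; // assumed validity window
const MIN_PASSWORD_LENGTH = 12;            // assumed policy minimum

interface UserRecord { id: string; email: string; passwordHash: string; sessions: Set<string> }
interface ResetRecord { userId: string; tokenHash: Buffer; expiresAt: number; used: boolean }
interface Mail { to: string; subject: string; body: string }

// Constructed stand-ins for the user table, the token table and the mailer.
const users = new Map<string, UserRecord>();
const resetRecords: ResetRecord[] = [];
const outbox: Mail[] = [];

// scrypt with a per-user random salt, stored as "salt:key" in hex.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  return `${salt.toString("hex")}:${scryptSync(password, salt, 32).toString("hex")}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, keyHex] = stored.split(":");
  const key = scryptSync(password, Buffer.from(saltHex, "hex"), 32);
  return timingSafeEqual(key, Buffer.from(keyHex, "hex"));
}

// Only a hash of the token is kept server-side, so a leaked token table cannot
// be replayed; the digest is fixed-length, which timingSafeEqual requires.
function hashToken(token: string): Buffer {
  return createHash("sha256").update(token).digest();
}

function passwordMeetsPolicy(password: string): boolean {
  return password.length >= MIN_PASSWORD_LENGTH
    && /[a-z]/.test(password) && /[A-Z]/.test(password) && /[0-9]/.test(password);
}

function createUser(id: string, email: string, password: string, sessions: string[]): UserRecord {
  const user: UserRecord = { id, email, passwordHash: hashPassword(password), sessions: new Set(sessions) };
  users.set(id, user);
  return user;
}

// Step 1: issue a token. The response is identical whether or not the address
// is registered, so the endpoint cannot be used to enumerate accounts.
function resetPassword(email: string, now: number = Date.now()): { status: "ok" } {
  const user = Array.from(users.values()).find((u) => u.email === email);
  if (user) {
    const token = randomBytes(32).toString("base64url"); // 256 bits, URL-safe
    resetRecords.push({ userId: user.id, tokenHash: hashToken(token), expiresAt: now + RESET_TOKEN_TTL_MS, used: false });
    outbox.push({ to: email, subject: "Password reset", body: `https://example.invalid/reset?token=${token}` });
  }
  return { status: "ok" };
}

type SetResult = { status: "ok" } | { status: "error"; reason: "weak_password" | "invalid_or_expired_token" };

// Step 2: consume the token exactly once, rotate the hash, drop every session
// and confirm by mail. Policy is checked first so a weak submission does not burn the token.
function setNewPassword(token: string, newPassword: string, now: number = Date.now()): SetResult {
  if (!passwordMeetsPolicy(newPassword)) return { status: "error", reason: "weak_password" };
  const presented = hashToken(token);
  const record = resetRecords.find((r) => timingSafeEqual(r.tokenHash, presented));
  if (!record || record.used || record.expiresAt <= now) {
    return { status: "error", reason: "invalid_or_expired_token" };
  }
  const user = users.get(record.userId);
  if (!user) return { status: "error", reason: "invalid_or_expired_token" };
  record.used = true;                            // single use
  user.passwordHash = hashPassword(newPassword); // old password no longer verifies
  user.sessions.clear();                         // every existing session is invalidated
  outbox.push({ to: user.email, subject: "Your password was changed", body: "If this was not you, contact support." });
  return { status: "ok" };
}

// Helper for exercising the flow: pull the token out of the latest reset mail.
function tokenFromLastResetMail(email: string): string | undefined {
  const mail = outbox.slice().reverse().find((m) => m.to === email && m.subject === "Password reset");
  return mail?.body.split("token=")[1];
}
```

The two checks worth keeping when this is wired into the real `setNewPassword` handler are the ones the stub currently skips: the token comparison runs against a stored hash in constant time, and the `used` flag plus `expiresAt` are checked before anything is written, so a replayed or stale link cannot change the password a second time.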
## Related TODOs

- `ts/reception/classes.loginsessionmanager.ts:229-238` - `setNewPassword` handler is incomplete