fix(auth): add single-use token login recovery flow

Adolfo Reyna
2026-02-20 20:20:40 -05:00
parent c6d9dfd3c1
commit 469962d03c
4 changed files with 150 additions and 86 deletions


@@ -6,19 +6,19 @@
- `auth/authEmail.js`
- `mongoDB.js`
## 1. Replace insecure reset flow with token-based reset
## 1. Replace insecure reset flow with single-use token login
- Problem:
- Current flow resets by username and emails a plaintext temporary password.
- Implementation:
- Add `POST /password/request-reset`:
- Accept identifier (email).
- Keep `POST /resetPassword` as token request endpoint:
- Accept identifier (email/username).
- Always return generic success response.
- If account exists, create one-time reset token with short TTL (15-30 min), store hashed token, email reset link.
- Add `POST /password/confirm-reset`:
- Accept token + new password.
- Validate token (exists, not expired, unused), then rotate password hash and invalidate all active sessions.
- If account exists, create one-time login token with short TTL (15-30 min), store hashed token, email link.
- Add `POST /password/token-login`:
- Accept token.
- Validate token (exists, not expired, unused), mark used atomically, then create normal auth session cookies.
- Data model:
- New collection `password_reset_tokens` with fields:
- New collection `password_login_tokens` with fields:
- `userId`, `tokenHash`, `expiresAt`, `usedAt`, `createdAt`, `requestMeta`.
- Add TTL index on `expiresAt`.
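Review bot: the new `POST /password/token-login` step drops the "rotate password hash and invalidate all active sessions" action that `POST /password/confirm-reset` had, so a user who recovers via the emailed link is left with the old password still valid and any pre-existing sessions still live; the plan should state what happens after the token is consumed (force a password change on the resulting session, revoke other sessions, or both), since the manual checklist further down still expects sessions to be revoked. The plan should also spell out how the emailed link reaches a `POST` endpoint: a link click is a `GET`, and if the token is consumed on `GET` a mail scanner or link preview can burn the single-use token before the user opens it, so the link should land on a page that submits the token via `POST` and the token must not be validated or marked used on `GET`.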
@@ -60,7 +60,7 @@
- On login, detect outdated hash params and rehash after successful auth.
## Suggested rollout order
1. Tokenized reset flow (new endpoints + DB token store).
1. Tokenized login flow (new endpoint + DB token store).
2. POST-only auth route enforcement.
3. Generic auth/reset responses.
4. Dedicated auth rate limiting.
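Review bot: item 3, "Generic auth/reset responses", still names the reset flow that step 1 now replaces with token login; rename it to match. Ordering-wise, step 1 ships a new endpoint that accepts a bearer token from an unauthenticated caller while dedicated auth rate limiting only arrives at step 4, so either `POST /password/token-login` (and `POST /resetPassword`, which triggers outbound email) should be covered by the limiter as part of step 1, or the plan should note that the token entropy and short TTL are what bound guessing until step 4 lands.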
@@ -68,10 +68,10 @@
## Validation checklist
- Unit/integration tests:
- reset token creation, expiry, one-time use, invalid token paths.
- token creation, expiry, one-time use, invalid token paths.
- login generic error response behavior.
- auth rate limiter trigger and cooldown.
- query credential rejection.
- Manual:
- verify no plaintext password emails are sent.
- verify existing sessions are revoked after password reset.
- verify token cannot be reused after first successful consumption.
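Review bot: the manual check "verify existing sessions are revoked after password reset" no longer matches the flow this plan describes, since token login never resets a password; either reword it to the behavior the token-login step is expected to have after consumption, or drop it. Given that the design says the token is marked used atomically, the unit/integration list should include a concurrency case (two simultaneous submissions of the same token, exactly one succeeds and one session is created) rather than only sequential reuse, and a check that a `GET` of the emailed link does not consume the token.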