fix(auth): add single-use token login recovery flow

2026-02-20 20:20:40 -05:00
parent c6d9dfd3c1
commit 469962d03c
4 changed files with 150 additions and 86 deletions
--- a/index.js
+++ b/index.js
@@ -42,7 +42,7 @@ app.use(limiter);
 // Use tighter thresholds than the global limiter and key by account+IP.

 // Authentication
-const { signup, login, logout, resetPassword } = require('./auth/authEmail.js');
+const { signup, login, logout, resetPassword, loginWithPasswordToken } = require('./auth/authEmail.js');
 /**
 * @swagger
 * /signup:
@@ -133,7 +133,7 @@ app.get('/logout', logout);
 * @swagger
 * /resetPassword:
 *   post:
- *     summary: Resets a user's password
+ *     summary: Sends a one-time sign-in link if the account exists
 *     tags: [Auth]
 *     requestBody:
 *       required: true
@@ -159,10 +159,30 @@ app.get('/logout', logout);
 *         description: Bad request.
 */
 app.route('/resetPassword').post(resetPassword);
-// SECURITY PLAN (point #1):
-// Replace /resetPassword with request/confirm reset token endpoints:
-// POST /password/request-reset
-// POST /password/confirm-reset
+// SECURITY FIX (#1):
+// Single-use token login endpoint for password recovery flow.
+/**
+ * @swagger
+ * /password/token-login:
+ *   post:
+ *     summary: Consumes a one-time password token and starts a session
+ *     tags: [Auth]
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             properties:
+ *               token:
+ *                 type: string
+ *     responses:
+ *       200:
+ *         description: Logged in with one-time token
+ *       401:
+ *         description: Invalid or expired token
+ */
+app.post('/password/token-login', loginWithPasswordToken);

 // Routes
 const profileRoute = require('./routes/profile.js');