apps/web/pages/api/auth/forgot-password.ts

import { NextApiRequest, NextApiResponse } from "next";
import { sendResetPassword } from "@documenso/lib/mail";
import { defaultHandler, defaultResponder } from "@documenso/lib/server";
import prisma from "@documenso/prisma";
import crypto from "crypto";

async function postHandler(req: NextApiRequest, res: NextApiResponse) {
  const { email } = req.body;
  const cleanEmail = email.toLowerCase();

  if (!cleanEmail || !/.+@.+/.test(cleanEmail)) {
    res.status(400).json({ message: "Invalid email" });
    return;
  }

  const user = await prisma.user.findFirst({
    where: {
      email: cleanEmail,
    },
  });

  if (!user) {
    return res.status(200).json({ message: "A password reset email has been sent." });
  }

  const existingToken = await prisma.passwordResetToken.findFirst({
    where: {
      userId: user.id,
      createdAt: {
        gte: new Date(Date.now() - 1000 * 60 * 60),
      },
    },
  });

  if (existingToken) {
    return res.status(200).json({ message: "A password reset email has been sent." });
  }

  const token = crypto.randomBytes(64).toString("hex");
  const expiry = new Date();
  expiry.setHours(expiry.getHours() + 24); // Set expiry to one hour from now

  let passwordResetToken;
  try {
    passwordResetToken = await prisma.passwordResetToken.create({
      data: {
        token,
        expiry,
        userId: user.id,
      },
    });
  } catch (error) {
    return res.status(500).json({ message: "Something went wrong" });
  }

  await sendResetPassword(user, passwordResetToken.token);

  return res.status(200).json({ message: "A password reset email has been sent." });
}

export default defaultHandler({
  POST: Promise.resolve({ default: defaultResponder(postHandler) }),
});
Create reset password token for user 2023-06-05 13:05:25 +00:00			`import { NextApiRequest, NextApiResponse } from "next";`
Avoid user from setting the same old password 2023-06-05 16:36:16 +00:00			`import { sendResetPassword } from "@documenso/lib/mail";`
Create reset password token for user 2023-06-05 13:05:25 +00:00			`import { defaultHandler, defaultResponder } from "@documenso/lib/server";`
			`import prisma from "@documenso/prisma";`
			`import crypto from "crypto";`

			`async function postHandler(req: NextApiRequest, res: NextApiResponse) {`
			`const { email } = req.body;`
			`const cleanEmail = email.toLowerCase();`

Match emails with regex 2023-06-07 10:44:07 +00:00			`if (!cleanEmail \|\| !/.+@.+/.test(cleanEmail)) {`
fix: code style updates and email wording changes 2023-06-17 11:44:34 +10:00			`res.status(400).json({ message: "Invalid email" });`
Create reset password token for user 2023-06-05 13:05:25 +00:00			`return;`
			`}`

			`const user = await prisma.user.findFirst({`
			`where: {`
			`email: cleanEmail,`
			`},`
			`});`

			`if (!user) {`
Avoid leaking that a user has an account 2023-06-07 10:59:20 +00:00			`return res.status(200).json({ message: "A password reset email has been sent." });`
Create reset password token for user 2023-06-05 13:05:25 +00:00			`}`

Avoid consecutive password reset requests 2023-06-05 16:01:01 +00:00			`const existingToken = await prisma.passwordResetToken.findFirst({`
			`where: {`
			`userId: user.id,`
			`createdAt: {`
			`gte: new Date(Date.now() - 1000 * 60 * 60),`
			`},`
			`},`
			`});`

			`if (existingToken) {`
Avoid leaking that a user has an account 2023-06-07 10:59:20 +00:00			`return res.status(200).json({ message: "A password reset email has been sent." });`
Avoid consecutive password reset requests 2023-06-05 16:01:01 +00:00			`}`

Create reset password token for user 2023-06-05 13:05:25 +00:00			`const token = crypto.randomBytes(64).toString("hex");`
Expire token after 1 hour 2023-06-05 16:54:12 +00:00			`const expiry = new Date();`
Set reset token expiry to 24 hours 2023-06-07 11:02:50 +00:00			`expiry.setHours(expiry.getHours() + 24); // Set expiry to one hour from now`
Error handling for invalid users 2023-06-05 15:52:00 +00:00
			`let passwordResetToken;`
			`try {`
			`passwordResetToken = await prisma.passwordResetToken.create({`
			`data: {`
			`token,`
Expire token after 1 hour 2023-06-05 16:54:12 +00:00			`expiry,`
Error handling for invalid users 2023-06-05 15:52:00 +00:00			`userId: user.id,`
			`},`
			`});`
			`} catch (error) {`
Expire token after 1 hour 2023-06-05 16:54:12 +00:00			`return res.status(500).json({ message: "Something went wrong" });`
Error handling for invalid users 2023-06-05 15:52:00 +00:00			`}`
Create reset password token for user 2023-06-05 13:05:25 +00:00
feat: send reset password email 2023-06-05 13:44:22 +00:00			`await sendResetPassword(user, passwordResetToken.token);`
Create reset password token for user 2023-06-05 13:05:25 +00:00
Avoid leaking that a user has an account 2023-06-07 10:59:20 +00:00			`return res.status(200).json({ message: "A password reset email has been sent." });`
Create reset password token for user 2023-06-05 13:05:25 +00:00			`}`

			`export default defaultHandler({`
			`POST: Promise.resolve({ default: defaultResponder(postHandler) }),`
			`});`