WAGERBABE DOCS
All Stories
4-3-password-reset-flowReadyEpic 4.3

Story 4.3: Password Reset Flow

Status: ready-for-dev

Tasks

  • Task 1: Create Request Reset Endpoint (AC: 1, 2, 4, 9)
    • 1.1 Create `PasswordResetRequest` Pydantic model with email field
    • 1.2 Implement `POST /api/v1/auth/request-reset` endpoint in auth.py
    • 1.3 Query users table by email to check if user exists (internal only)
    • 1.4 Generate UUID reset token if user exists
    • 1.5 Store token in Redis with pattern `password_reset:{token}` → email, 15min TTL
    • 1.6 Apply rate limiting decorator `@limiter.limit("3/minute")`
    • 1.7 Return generic success message regardless of email existence
  • Task 2: Implement Email Service Integration (AC: 3)
    • 2.1 Create `server/app/services/email_service.py` module
    • 2.2 Implement `send_password_reset_email()` function using Supabase Auth emails
    • 2.3 Construct reset URL: `https://wagerbabe.com/reset-password?token={token}`
    • 2.4 Include token expiry notice (15 minutes) in email body
    • 2.5 Handle email delivery errors gracefully (log but don't expose to user)
  • Task 3: Create Confirm Reset Endpoint (AC: 5, 6, 7, 10)
    • 3.1 Create `PasswordResetConfirm` Pydantic model with token and new_password fields
    • 3.2 Add password validation (min 8 characters) to Pydantic model
    • 3.3 Implement `POST /api/v1/auth/reset-password-confirm` endpoint
    • 3.4 Retrieve email from Redis using token key
    • 3.5 Return 400 if token not found or expired
    • 3.6 Update user password via SupabaseService
    • 3.7 Delete token from Redis immediately after successful reset (one-time use)
  • Task 4: Implement Session Invalidation (AC: 8)
    • 4.1 After successful password reset, call `session_manager.invalidate_all_user_sessions(user_id)`
    • 4.2 Ensure all Redis session keys for user are deleted
    • 4.3 Log session invalidation count for monitoring
  • Task 5: Add Helper Method to SupabaseService (AC: 5)
    • 5.1 Add `get_user_by_email(email)` method to SupabaseService
    • 5.2 Add `update_user_password_by_email(email, new_password)` method to SupabaseService
    • 5.3 Ensure bcrypt cost=12 for password hashing
  • Task 6: Frontend Password Reset Flow (AC: 1, 5)
    • 6.1 Create `/forgot-password` page with email input form
    • 6.2 Create `/reset-password` page that accepts token from URL query param
    • 6.3 Implement new password form with confirmation field
    • 6.4 Add success/error state handling with appropriate messages
    • 6.5 Redirect to login page after successful reset
  • Task 7: Testing (AC: 1-10)
    • 7.1 Unit test: request reset with valid email stores token in Redis
    • 7.2 Unit test: request reset with invalid email still returns success (security)
    • 7.3 Unit test: confirm reset with valid token updates password
    • 7.4 Unit test: confirm reset with expired token returns 400
    • 7.5 Unit test: confirm reset with used token returns 400 (one-time use)
    • 7.6 Unit test: confirm reset invalidates all user sessions
    • 7.7 Integration test: rate limiting enforced (3 req/min)
    • 7.8 Integration test: full reset flow end-to-end
  • Task 8: Documentation (AC: 1-10)
    • 8.1 Add endpoint documentation to OpenAPI schema
    • 8.2 Document rate limiting in API docs
    • 8.3 Add security considerations to docstrings

Progress

Tasks0/8
Acceptance Criteria0
Total Tasks8

Navigation

View Epic 4.3All Stories