apps/backend/.env.example

@@ -1,7 +1,14 @@
+BASE_URL =
 APP_PORT = 3000
 
 DATABASE_URL = 
 
 ACCESS_TOKEN_SECRET = 
 REFRESH_TOKEN_SECRET = 
+RESET_PASSWORD_TOKEN_SECRET =
 COOKIE_SECRET = 
+
+SMTP_USERNAME =
+SMTP_PASSWORD =
+SMTP_HOST =
+SMTP_PORT =

apps/backend/package.json

@@ -19,6 +19,7 @@
 		"hono": "^4.4.6",
 		"jsonwebtoken": "^9.0.2",
 		"moment": "^2.30.1",
+		"nodemailer": "^6.9.14",
 		"postgres": "^3.4.4",
 		"sharp": "^0.33.4",
 		"zod": "^3.23.8"
@@ -27,6 +28,7 @@
 		"@types/bcrypt": "^5.0.2",
 		"@types/jsonwebtoken": "^9.0.6",
 		"@types/node": "^20.14.2",
+		"@types/nodemailer": "^6.4.15",
 		"drizzle-kit": "^0.22.7",
 		"pg": "^8.12.0",
 		"tsx": "^4.15.5",

apps/backend/src/appEnv.ts

@@ -4,11 +4,17 @@ import { z } from "zod";
 dotenv.config();
 
 const envSchema = z.object({
+	BASE_URL: z.string(),
 	APP_PORT: z.coerce.number().int(),
 	DATABASE_URL: z.string(),
 	ACCESS_TOKEN_SECRET: z.string(),
 	REFRESH_TOKEN_SECRET: z.string(),
+	RESET_PASSWORD_TOKEN_SECRET: z.string(),
 	COOKIE_SECRET: z.string(),
+	SMTP_USERNAME: z.string(),
+	SMTP_PASSWORD: z.string(),
+	SMTP_HOST: z.string(),
+	SMTP_PORT: z.coerce.number().int(),
 });
 
 const parsedEnv = envSchema.safeParse(process.env);

apps/backend/src/drizzle/schema/users.ts

@@ -20,6 +20,7 @@ export const users = pgTable("users", {
 	email: varchar("email"),
 	password: text("password").notNull(),
 	isEnabled: boolean("isEnabled").default(true),
+	resetPasswordToken: varchar("resetPasswordToken"),
 	createdAt: timestamp("createdAt", { mode: "date" }).defaultNow(),
 	updatedAt: timestamp("updatedAt", { mode: "date" }).defaultNow(),
 	deletedAt: timestamp("deletedAt", { mode: "date" }),

apps/backend/src/index.ts

@@ -18,6 +18,7 @@ import HonoEnv from "./types/HonoEnv";
 import devRoutes from "./routes/dev/route";
 import appEnv from "./appEnv";
 import questionsRoute from "./routes/questions/route";
+import forgotPasswordRoutes from "./routes/forgotPassword/route";
 import assessmentsRoute from "./routes/assessments/route";
 
 configDotenv();
@@ -85,6 +86,7 @@ const routes = app
 	.route("/questions", questionsRoute)
 	.route("/management-aspect", managementAspectsRoute)
 	.route("/register", respondentsRoute)
+	.route("/forgot-password", forgotPasswordRoutes)
 	.route("/assessments", assessmentsRoute)
 	.onError((err, c) => {
 		if (err instanceof DashboardError) {

apps/backend/src/routes/forgotPassword/route.ts

@@ -0,0 +1,111 @@
+import { zValidator } from "@hono/zod-validator";
+import HonoEnv from "../../types/HonoEnv";
+import { z } from "zod";
+import { and, eq, isNull } from "drizzle-orm";
+import { Hono } from "hono";
+import db from "../../drizzle";
+import { users } from "../../drizzle/schema/users";
+import { notFound, unauthorized } from "../../errors/DashboardError";
+import { generateResetPasswordToken, verifyResetPasswordToken } from "../../utils/authUtils";
+import { sendResetPasswordEmail } from "../../utils/mailerUtils";
+import { hashPassword } from "../../utils/passwordUtils";
+
+const forgotPasswordRoutes = new Hono<HonoEnv>()
+	/**
+	 * Forgot Password
+	 * 
+	 * Checking emails in the database, generating tokens, and sending emails occurs.
+	 */
+	.post(
+		'/',
+		zValidator(
+			'json',
+			z.object({
+			email: z.string().email(),
+			})
+		),
+		async (c) => {
+			const { email } = c.req.valid('json');
+		
+			const user = await db
+				.select()
+				.from(users)
+				.where(
+				and(
+					isNull(users.deletedAt),
+					eq(users.email, email)
+				)
+			);
+	  
+			if (!user.length) throw notFound();
+	  
+			// Generate reset password token
+			const resetPasswordToken = await generateResetPasswordToken({
+				uid: user[0].id, 
+			});
+
+			await db
+				.update(users)
+				.set({
+					resetPasswordToken: resetPasswordToken
+				})
+				.where(eq(users.email, email));
+	  
+			// Send email with reset password token
+			await sendResetPasswordEmail(email, resetPasswordToken);
+		
+			return c.json({
+				message: 'Email has been sent successfully',
+			});
+		}
+	  )
+	/**
+	 * Reset Password
+	 */
+	.patch(
+		'/verify',
+		zValidator(
+			'json',
+			z.object({
+			password: z.string(),
+			confirm_password: z.string()
+			})
+		),
+		async (c) => {
+			const formData = c.req.valid('json');
+			const token = c.req.query('token')
+
+			// Token validation
+			if (!token) {
+				return c.json({ message: 'Token is required' }, 400);
+			}
+
+			// Password validation
+			if (formData.password !== formData.confirm_password) {
+				return c.json({ message: 'Passwords do not match' }, 400);
+			}
+		 
+			const decoded = await verifyResetPasswordToken(token);
+			if (!decoded) {
+				return c.json({ message: 'Invalid or expired token' }, 401);
+			}
+		
+			if (!decoded) throw unauthorized();
+
+			// Hash the password
+			const hashedPassword = await hashPassword(formData.password);
+
+			await db
+				.update(users)
+				.set({
+					password: hashedPassword,
+					updatedAt: new Date(),
+				})
+				.where(eq(users.id, decoded.uid));
+		
+			return c.json({
+				message: 'Password has been reset successfully'
+			});
+	});
+
+export default forgotPasswordRoutes;

apps/backend/src/utils/authUtils.ts

@@ -4,6 +4,7 @@ import appEnv from "../appEnv";
 // Environment variables for secrets, defaulting to a random secret if not set.
 const accessTokenSecret = appEnv.ACCESS_TOKEN_SECRET;
 const refreshTokenSecret = appEnv.REFRESH_TOKEN_SECRET;
+const resetPasswordTokenSecret = appEnv.RESET_PASSWORD_TOKEN_SECRET;
 
 // Algorithm to be used for JWT encoding.
 const algorithm: jwt.Algorithm = "HS256";
@@ -11,6 +12,7 @@ const algorithm: jwt.Algorithm = "HS256";
 // Expiry settings for tokens. 'null' signifies no expiry.
 export const accessTokenExpiry: number | string | null = null;
 export const refreshTokenExpiry: number | string | null = "30d";
+export const resetPasswordTokenExpiry: number | string | null = null;
 
 // Interfaces to describe the payload structure for access and refresh tokens.
 interface AccessTokenPayload {
@@ -21,6 +23,10 @@ interface RefreshTokenPayload {
 	uid: string;
 }
 
+interface ResetPasswordTokenPayload {
+	uid: string;
+}
+
 /**
  * Generates a JSON Web Token (JWT) for access control using a specified payload.
  *
@@ -84,3 +90,35 @@ export const verifyRefreshToken = async (token: string) => {
 		return null;
 	}
 };
+
+/**
+ * Generates a JSON Web Token (JWT) for reset password using a specified payload.
+ *
+ * @param payload - The payload containing user-specific data for the token.
+ * @returns A promise that resolves to the generated JWT string.
+ */
+export const generateResetPasswordToken = async (payload: ResetPasswordTokenPayload) => {
+	const token = jwt.sign(payload, resetPasswordTokenSecret, {
+		algorithm,
+		...(resetPasswordTokenExpiry ? { expiresIn: resetPasswordTokenExpiry } : {}),
+	});
+	return token;
+};
+
+/**
+ * Verifies a given reset password token and decodes the payload if the token is valid.
+ *
+ * @param token - The JWT string to verify.
+ * @returns A promise that resolves to the decoded payload or null if verification fails.
+ */
+export const verifyResetPasswordToken = async (token: string) => {
+	try {
+		const payload = jwt.verify(
+			token,
+			resetPasswordTokenSecret
+		) as ResetPasswordTokenPayload;
+		return payload;
+	} catch {
+		return null;
+	}
+};

apps/backend/src/utils/mailerUtils.ts

@@ -0,0 +1,33 @@
+import nodemailer from 'nodemailer';
+import appEnv from '../appEnv';
+
+/**
+ * Nodemailer configuration
+ */
+const transporter = nodemailer.createTransport({
+  host: appEnv.SMTP_HOST,
+  port: appEnv.SMTP_PORT,
+  secure: false,
+  auth: {
+    user: appEnv.SMTP_USERNAME,
+    pass: appEnv.SMTP_PASSWORD,
+  },
+  tls: {
+    rejectUnauthorized: false,
+  },
+});
+
+export async function sendResetPasswordEmail(to: string, token: string) {
+  const resetUrl = appEnv.BASE_URL + '/forgot-password/verify?token=' + token;
+
+  const info = await transporter.sendMail({
+    from: `"Your App" <${appEnv.SMTP_USERNAME}>`,
+    to,
+    subject: 'Password Reset Request',
+    text: `You requested a password reset. Click this link to reset your password: ${resetUrl}`,
+    html: `<p>You requested a password reset. Click this link to reset your password:<br><a href="${resetUrl}">${resetUrl}</a></p>`,
+  });
+
+  console.log('Email sent: %s', info.messageId);
+  return info;
+}

pnpm-lock.yaml

@@ -50,6 +50,9 @@ importers:
       moment:
         specifier: ^2.30.1
         version: 2.30.1
+      nodemailer:
+        specifier: ^6.9.14
+        version: 6.9.14
       postgres:
         specifier: ^3.4.4
         version: 3.4.4
@@ -69,6 +72,9 @@ importers:
       '@types/node':
         specifier: ^20.14.2
         version: 20.14.2
+      '@types/nodemailer':
+        specifier: ^6.4.15
+        version: 6.4.15
       drizzle-kit:
         specifier: ^0.22.7
         version: 0.22.7
@@ -1124,6 +1130,7 @@ packages:
   '@humanwhocodes/config-array@0.11.14':
     resolution: {integrity: sha512-3T8LkOmg45BV5FICb15QQMsyUSWrQ8AygVfC7ZG32zOalnqrilm018ZVCw0eapXux8FtA33q8PSRSstjee3jSg==}
     engines: {node: '>=10.10.0'}
+    deprecated: Use @eslint/config-array instead
 
   '@humanwhocodes/module-importer@1.0.1':
     resolution: {integrity: sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==}
@@ -1131,6 +1138,7 @@ packages:
 
   '@humanwhocodes/object-schema@2.0.2':
     resolution: {integrity: sha512-6EwiSjwWYP7pTckG6I5eyFANjPhmPjUX9JRLUSfNPC7FX7zK9gyZAfUEaECL6ALTpGX5AjnBq3C9XmVWPitNpw==}
+    deprecated: Use @eslint/object-schema instead
 
   '@humanwhocodes/retry@0.3.0':
     resolution: {integrity: sha512-d2CGZR2o7fS6sWB7DG/3a95bGKQyHMACZ5aW8qGkkqQpUoZV6C0X7Pc7l4ZNMZkfNBf4VWNe9E1jRsf0G146Ew==}
@@ -1759,6 +1767,9 @@ packages:
   '@types/node@20.14.2':
     resolution: {integrity: sha512-xyu6WAMVwv6AKFLB+e/7ySZVr/0zLCzOa7rSpq6jNwpqOrUbcACDWC+53d4n2QHOnDou0fbIsg8wZu/sxrnI4Q==}
 
+  '@types/nodemailer@6.4.15':
+    resolution: {integrity: sha512-0EBJxawVNjPkng1zm2vopRctuWVCxk34JcIlRuXSf54habUWdz1FB7wHDqOqvDa8Mtpt0Q3LTXQkAs2LNyK5jQ==}
+
   '@types/normalize-package-data@2.4.4':
     resolution: {integrity: sha512-37i+OaWTh9qeK4LSHPsyRC7NahnGotNuZvjLSgcPzblpHB3rrCJxAOgI5gCdKm7coonsaX1Of0ILiTcnZjbfxA==}
 
@@ -3226,6 +3237,7 @@ packages:
 
   glob@7.2.3:
     resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
+    deprecated: Glob versions prior to v9 are no longer supported
 
   globals@11.12.0:
     resolution: {integrity: sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==}
@@ -3377,6 +3389,7 @@ packages:
 
   inflight@1.0.6:
     resolution: {integrity: sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==}
+    deprecated: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
 
   inherits@2.0.4:
     resolution: {integrity: sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==}
@@ -4047,6 +4060,10 @@ packages:
   node-releases@2.0.14:
     resolution: {integrity: sha512-y10wOWt8yZpqXmOgRo77WaHEmhYQYGNA6y421PKsKYWEK8aW+cqAphborZDhqfyKrbZEN92CN1X2KbafY2s7Yw==}
 
+  nodemailer@6.9.14:
+    resolution: {integrity: sha512-Dobp/ebDKBvz91sbtRKhcznLThrKxKt97GI2FAlAyy+fk19j73Uz3sBXolVtmcXjaorivqsbbbjDY+Jkt4/bQA==}
+    engines: {node: '>=6.0.0'}
+
   nopt@5.0.0:
     resolution: {integrity: sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==}
     engines: {node: '>=6'}
@@ -4561,6 +4578,7 @@ packages:
 
   rimraf@3.0.2:
     resolution: {integrity: sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==}
+    deprecated: Rimraf versions prior to v4 are no longer supported
     hasBin: true
 
   rollup@4.18.0:
@@ -6760,7 +6778,7 @@ snapshots:
   '@types/glob@7.2.0':
     dependencies:
       '@types/minimatch': 5.1.2
-      '@types/node': 20.11.24
+      '@types/node': 20.14.2
 
   '@types/graceful-fs@4.1.9':
     dependencies:
@@ -6805,6 +6823,10 @@ snapshots:
     dependencies:
       undici-types: 5.26.5
 
+  '@types/nodemailer@6.4.15':
+    dependencies:
+      '@types/node': 20.14.2
+
   '@types/normalize-package-data@2.4.4': {}
 
   '@types/parse-json@4.0.2': {}
@@ -6841,7 +6863,7 @@ snapshots:
 
   '@types/through@0.0.30':
     dependencies:
-      '@types/node': 20.11.24
+      '@types/node': 20.14.2
 
   '@types/tinycolor2@1.4.6': {}
 
@@ -9717,6 +9739,8 @@ snapshots:
 
   node-releases@2.0.14: {}
 
+  nodemailer@6.9.14: {}
+
   nopt@5.0.0:
     dependencies:
       abbrev: 1.1.1