Merge pull request #39 from abhijit1859/feat/middleware-rbac

Somilg11 · web-flow · commit 5220c55e19bc · 2025-10-23T00:05:42.000+05:30
Implement Secure Password Reset Flow
diff --git a/README.md b/README.md
@@ -68,17 +68,11 @@ PORT=5000
 
 # Database Configuration
 MONGO_URI=mongodb://localhost:27017/rbac
+JWT_SECRET=your-secret-key
+RESEND_API_KEY=your-resend-api-key
 
-# JWT Configuration
-JWT_SECRET=your-super-secret-jwt-key-here
-JWT_EXPIRY=1d
-
-# Refresh Token Configuration
-REFRESH_TOKEN_SECRET=your-super-secret-refresh-token-key-here
-REFRESH_TOKEN_EXPIRY=7d
-
-# CORS Configuration
-CORS_URL=http://localhost:3000
+🔑 Note: The RESEND_API_KEY can be obtained by creating an account on Resend Mail
+ and generating an API key.
 ```
 
 ### 4️⃣ Run the Project
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -26,6 +26,7 @@
     "jsonwebtoken": "^9.0.2",
     "mongoose": "^8.19.1",
     "nodemon": "^3.1.10",
-    "readdirp": "^4.1.2"
+    "readdirp": "^4.1.2",
+    "resend": "^6.1.3"
   }
 }
diff --git a/src/controllers/authController.js b/src/controllers/authController.js
@@ -1,4 +1,7 @@
-import { registerUserService, loginUserService, refreshTokenService, logoutService } from '../services/authService.js';
+import { User } from '../models/user.model.js';
+import { registerUserService, loginUserService } from '../services/authService.js';
+import jwt from 'jsonwebtoken'
+import { sendEmail } from '../utils/sendEmail.js';
 
 export const registerUser = async (req, res) => {
   try {
@@ -17,6 +20,7 @@ export const registerUser = async (req, res) => {
 export const loginUser = async (req, res) => {
   try {
     const { email, password } = req.body;
+    
     const result = await loginUserService({ email, password });
 
     return res.status(200).json({
@@ -33,42 +37,98 @@ export const loginUser = async (req, res) => {
   }
 };
 
-export const refreshToken = async (req, res) => {
+export const forgotPassword = async (req, res) => {
+  const { email } = req.body;
+
   try {
-    const { refreshToken } = req.body;
-    const result = await refreshTokenService(refreshToken);
+    const user = await User.findOne({ email });
+   
+    if (!user) {
+      return res.status(401).json({
+        success: false,
+        message: "User not found"
+      })
+    }
+
+    const resetToken = jwt.sign(
+      { id: user._id },
+      process.env.JWT_SECRET,
+      {
+        expiresIn: '1h'
+      }
+    );
+
+
+    user.refreshToken = resetToken;
+    await user.save();
+
+    const resetUrl = `http://localhost:5000/api/auth/resetPassword/${resetToken}`
+
+    const html = `
+    <p>Hello ${user.fullname},</p>
+    <p>You requested a password reset. Click below to reset your password:</p>
+     <a href="${resetUrl}" target="_blank">${resetUrl}</a>
+      <p>This link will expire in <b>1 hour</b>.</p>
+
+    `
 
+    await sendEmail(user.email,html);
+
+    console.log(resetUrl);
     return res.status(200).json({
       success: true,
-      message: 'Token refreshed successfully',
-      accessToken: result.accessToken,
-      user: result.user,
-    });
+      message: 'Password reset link sent'
+    })
   } catch (error) {
-    console.error('Error in refreshToken:', error);
-    const status = error.statusCode || 401;
-    return res.status(status).json({ 
-      success: false, 
-      message: error.message || 'Token refresh failed' 
-    });
+    console.error(error)
+    return res.status(500).json({
+      success: false,
+      message: 'server error'
+    })
+
   }
-};
+}
 
-export const logout = async (req, res) => {
+
+export const resetPassword = async (req, res) => {
   try {
-    const { refreshToken } = req.body;
-    const result = await logoutService(refreshToken);
+    const { token } = req.params;
+    const { password } = req.body;
 
-    return res.status(200).json({
-      success: true,
-      message: result.message,
-    });
+    if (!password) {
+      return res.status(400).json({
+        success: false,
+        message: 'Password is required'
+      })
+    }
+
+    let decoded;
+    try {
+      decoded = jwt.verify(token, process.env.JWT_SECRET)
+    } catch (error) {
+     
+      return res.status(400).json({
+        success: false,
+        message: 'Invalid or expired token'
+      })
+    }
+
+ 
+
+    const user = await User.findById(decoded.id);
+    console.log(user)
+    if (!user || user.refreshToken !== token) {
+      return res.status(400).json({ success: false, message: 'Invalid or expired token' });
+    }
+    user.password = password;
+
+
+    user.refreshToken = undefined;
+    await user.save();
+    return res.status(200).json({ success: true, message: 'Password reset successful' });
   } catch (error) {
-    console.error('Error in logout:', error);
-    const status = error.statusCode || 400;
-    return res.status(status).json({ 
-      success: false, 
-      message: error.message || 'Logout failed' 
-    });
+
+    return res.status(500).json({ success: false, message: 'Server error' });
+
   }
-};
+}
diff --git a/src/routes/authRoutes.js b/src/routes/authRoutes.js
@@ -1,11 +1,12 @@
 import express from 'express';
-import { registerUser, loginUser, refreshToken, logout } from '../controllers/authController.js';
+import { registerUser,loginUser, forgotPassword, resetPassword } from '../controllers/authController.js';
+import { authMiddleware } from '../middlewares/auth.middleware.js';
 
 const router = express.Router();
 
 router.post('/register', registerUser);
 router.post('/login', loginUser);
-router.post('/refresh', refreshToken);
-router.post('/logout', logout);
+router.post('/forgotPassword',forgotPassword);
+router.post('/resetPassword/:token',resetPassword);
 
 export default router;
diff --git a/src/services/authService.js b/src/services/authService.js
@@ -53,14 +53,17 @@ export const loginUserService = async ({ email, password }) => {
   }
 
   const user = await User.findOne({ email }).populate('role');
+ 
   if (!user) {
     const err = new Error('Invalid credentials'); 
     err.statusCode = 401;
     throw err;
   }
+ 
 
-  const isMatch = bcrypt.compare(password, user.password);
-
+  const isMatch = await bcrypt.compare(password, user.password);
+  
+   
   if (!isMatch) {
     const err = new Error('Invalid credentials');
     err.statusCode = 401;
diff --git a/src/utils/sendEmail.js b/src/utils/sendEmail.js
@@ -0,0 +1,21 @@
+import { Resend } from "resend";
+import dotenv from "dotenv";
+dotenv.config();
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+export const sendEmail = async (to,html) => {
+    try {
+    const response = await resend.emails.send({
+      from: "Acme <onboarding@resend.dev>",
+      to: [to],
+      subject:"Password reset Link",
+      html,
+    });
+
+    console.log("Email sent successfully:", response);
+    return response;
+  } catch (error) {
+    console.error("Error sending email:", error);
+    throw new Error("Failed to send email");
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@`
`26`	`26`	`"jsonwebtoken": "^9.0.2",`
`27`	`27`	`"mongoose": "^8.19.1",`
`28`	`28`	`"nodemon": "^3.1.10",`
`29`		`- "readdirp": "^4.1.2"`
	`29`	`+ "readdirp": "^4.1.2",`
	`30`	`+ "resend": "^6.1.3"`
`30`	`31`	`}`
`31`	`32`	`}`