#112 Password Reset Functionality | Authentication & Authorization | A Complete NODE JS Course

Captions
In this lecture and in the next one we are going to implement a user-friendly password reset functionality, which is kind of standard in most web applications. You might have used the password reset functionality before while using some web application, and it usually works something like this: first you have to provide your email address, then you will get an email with a link; when you click that link, it will take you to a page where you can put in a new password and reset your password, right? This is a very standard procedure for resetting a password, and that's how we are also going to implement it in our application.

So here basically two steps are involved. In the first step, the user sends a POST request to the forgot password route only with his email address. This will then create a reset token and send that to the email address that was provided. So just a simple random token, not a JSON web token. Then in the second part, the user sends that token from his email along with the new password in order to update his password. This functionality we will implement in the next lecture.

Okay, so let's go to VS Code, and here in the auth controller we basically need two functions. The first function is for the forgot password, so let's create that function. Let's say exports.forgotPassword; it's going to be a middleware function, and this middleware function is going to receive the request, the response and the next function. Then we also want to have the password reset middleware, so again let's say exports.passwordReset; again it is going to be a middleware function, and there we are going to receive the request object, the response object and the next function.

So as I mentioned earlier, first the user will make a POST request to this forgot password, and in here we will write the functionality to get the user based on his email address, generate a token for that user and send it to his email. Then once the user receives the email with the reset password token, he will again make a POST request to this password reset function, where in the POST request he will send his new password along with the token which he has received, and then this function will reset the user's password. So we will implement this function later.

Now let's also go ahead and create these routes for these two functions. So let's go to the file explorer here and go to this authRouter.js, and there, just like login and signup, let's go ahead and create routes for reset password and forgot password. So let's say the URL is going to be forgotPassword, and here it is going to be resetPassword, and the middleware function here will be forgotPassword. So this is the function which we want to call when a user makes the request to forgot password, and then we want to execute the resetPassword middleware when a request is made to this reset password URL, so it is going to be resetPassword. Okay, let me go back to authController.js here. All right, we are calling it passwordReset, but let me go ahead and call it resetPassword instead of passwordReset.

Okay, so we have our routes in place, now we have our middleware functions in place, now we just need to go ahead and implement the functionality. So in here, inside this forgotPassword function, we need to do three things. The first thing is we need to get the user based on the posted email. So as I mentioned, when the user makes a request to this forgot password API he's going to make a POST request, and with the POST request he's going to provide his email address, so based on that email address we need to get the user from the MongoDB database. Once we have the user, what we need to do is generate a random reset token, and this reset token we will send back to the user. And finally, in the third step, we need to send an email to the user with the reset token. Okay, so let's go ahead and implement these functionalities one by one, and the first one is very simple and I think you already know how to do that.

So let's go ahead and create a variable, let's call it user, and then in order to get the user from the database, on the User model we are going to use the findOne method. Okay, so using this findOne method we are going to filter the user based on his email, because when the user makes a POST request to this API he is going to send the email in the request body. So from the request body we can get that email, and based on that email we can filter the user. So on the request body we will have the email property, okay, and based on that email we want to filter the user, and we will assign that user to this user variable. Now, let's also use the await keyword here because it will run asynchronously, and let's make this function async because we want to use the await keyword, and since it is an async function let's also wrap it within the asyncErrorHandler function.

All right, so if with the email provided by the user we have a user in the database, in that case this expression will return that user and we assign it to this user variable; but if with that email we don't have any user, in that case this expression will return undefined. So we want to check if the user actually exists in the database or not, so for that let's use this if statement, and there let's check "not user", that means if the user does not exist. In that case we are going to create an error object, so basically we are creating an instance of our custom error class, okay, and here let's specify an error message, let's say "we could not find the user with given email", and then the status code will be 404, that means not found. And from here let's go ahead and call the global error handling middleware by using this next function and passing this error object to that next function. Okay, all right, but if the user exists we want to move to the next step, where we are going to generate a random reset token. For this, what I am going to do is create a reusable function here, and this function will be an instance function, an instance method which we can call on the user object.

So again let's go to userModel.js, and there let's create an instance method. To create an instance method, as you already know, we need to use the userSchema; on that we need to call methods, and on that we can create our instance method, and I am going to call this method createResetPasswordToken. Okay, you can name it anything, but I just want to give it a meaningful name, so since this function is going to create a reset password token I am calling it createResetPasswordToken.

All right, inside this let's create a variable, let's call it resetToken. Okay, now this password reset token, it should be a random token, but at the same time it should not be as cryptographically strong as the password hash that we created before, so we can use the very simple randomBytes function from the built-in crypto module in order to create this reset token. So let's go ahead and first import this crypto library; for that let's create a variable, let's simply call it crypto, and let's require the crypto package here. Okay, and let's go ahead and use this crypto package. So here let's say crypto.randomBytes; this is a function which we can use to create a random string token. Okay, so first we need to specify the number of characters which we want in the string token, let's say 32, and then we also need to specify the number type. So as you can see, first is the size, and then we can also specify the type in which we want to have this reset token string. So basically here we want the token to be a hexadecimal number, okay, so for that we can say toString and there we can specify hex. All right, so here it is going to create a reset token, but this reset token is not going to be encrypted; it will be a plain token, and this is the token which we are going to send to the user, and it's like a reset password only that the user can use to create a new password, so only the user will have access to this token.

Now, since this reset token is going to be a plain string, if we store it in the database and if a hacker gets access to the database, then the hacker can change the password instead of you doing it, so they would then effectively control your account instead of you controlling it. And so, just like the password, we should not store this reset token in plain text; first we are going to encrypt it and then we are going to save it in the database. Now again, the encryption of this reset token should not be that strong like we did it for the password; so for the password we used a strong encryption, but that is not required for this reset token. And so to encrypt this reset token, again we can use the crypto package here, so we can say crypto.createHash. So here also we are simply creating a hash by encrypting the reset token, and to this we need to specify the algorithm which we want to use; here we want to use the sha256 algorithm. Then we need to use the update function on this, and there we need to specify which string we want to encrypt, in this case we want to encrypt this reset token. And after that let's also use the digest function, and there we will specify in which format we want the encryption, so again here we want the encryption in hexadecimal format.

All right, now where are we going to store this encrypted reset token? Well, again we are going to store it in the database, but to store it in the database we need to have a field where we want to store this. So on this schema, after this passwordChanged, let's go ahead and create one more field, and let's call it maybe passwordResetToken. Okay, it is going to be of type String, and I'm also going to specify one more field which will be passwordResetTokenExpires, and this is going to store a date time. Okay, so in this field we will store when the reset password token will expire. All right, so here let me copy this field name, let me scroll down, and here let's say this.passwordResetToken equals this value.

Now here we want to use the this keyword, so here we cannot use the arrow function syntax, so I will use the function keyword here. Okay, now we also want to set the value for this passwordResetTokenExpires. So when will this password expire? Usually in real world applications, the token which we receive in the email for resetting the password expires in 10 minutes, so that's what we are going to do here: this password reset token will expire in 10 minutes. So for that let's say this.passwordResetTokenExpires, and here let's specify a time. So here let's say Date.now, so it will give us the current date and time; on that we want to add 10 minutes, so for that let's say plus 10. This time is in minutes; we need to convert it into milliseconds in order to add it, so we can say 10 into 60, so this will give us the time in seconds, into 1000, so this will give us the time in milliseconds. So we want to add this many milliseconds to the current date time, and this is basically the number of milliseconds in 10 minutes. Okay, so after 10 minutes the reset token which has been generated will expire.

Finally, let's go ahead and return the reset token. Okay, so here, if you see, we are returning the plain reset token, we are not returning the encrypted reset token, because the user should get the plain reset token, he should not get the encrypted reset token; but in the database we should be storing the encrypted reset token. So when the user makes a request using this reset token, first we will compare this reset token with the encrypted reset token in the database, and if they are the same then only we will proceed. I hope you got the point. Now, just for testing purposes, let's go ahead and add a console.log statement here, and let's log the plain reset token, so this one, and also the encrypted reset token, so this.passwordResetToken. Let's save the changes here, and let's go ahead and use this function in our auth controller.

So here we can simply say user. and then the name of the function, and we know that this is going to return us the reset token, the plain reset token, so let's go ahead and store it in a variable, and let's simply call it resetToken. Now here, if I go back to userModel.js, we are simply setting the values for this passwordResetToken and passwordResetTokenExpires, but it has not been saved in the database; so these updated values have not been saved in the database, so we also need to save that. For that let's go back to authController.js again, and on this user object let's call the save function, okay, and this is going to run asynchronously, so let's await it here. Okay, with this let's again save the changes and let's test this out.

So let's go to Postman, and let me open a new tab here, and here we are going to make a POST request. Let me add the URL, so I will go to this login request, I'll copy this URL, let me paste it here, and here we are going to make a request to the forgot password API. This is what the URL is, right? If I go back to VS Code and if you go to authRouter.js, the name is forgotPassword, so after the URL, after api/v1/users, we need to specify forgotPassword, and we need to make a POST request here, because if you see, for this route we are expecting a POST request; then only this forgotPassword route handler will be called. So let's again go back to Postman. All right, then when we are making this POST request, in the body we also need to specify the email address, so let me select raw here; we are going to send JSON data, so there we are going to specify an object, and in that object we will specify email. And here let's say we want to change the email of maybe this user Mark, so I'll copy his email from here and specify it here. So for this user we want to change the password, so currently we are going to make a request to this forgot password API. Let's go ahead and make this request, and here you see we are getting this error message: "something went wrong, please try again later".

Now here we don't know what the error is, so what I will do is stop this process by pressing Ctrl+C, and I will run this application in the development mode. For that I will run this command, npm run start, so this will run this application in the development mode. If I press enter now, the application should be running in the development mode, and in the development mode we will get the actual error. So again, if I go ahead and make the request, you see we have this error message: "callback must be a function", and here we have this error in userModel.js at line number 72. Let's go back to userModel.js line number 72, and the problem here is with this randomBytes function, I think. So if I hover over this function, it has four overloads. The first overload only takes a size; then let me see what are the other overloads. So this is the second overload, where it takes a size and a callback function. So what I will do is remove this one and let's try only with the size. Okay, so let me save the changes, again let's go back to Postman and make a request again, and here it says "user validation failed: confirmPassword: please confirm your password". So basically here we have the validation error because we have not provided any value for the confirm password. So what we want is, in this case, we don't want to validate. So for example, here when we are saving the user data in the database, at that time we don't want to use the validations which we have used on the user schema, okay; we only want to validate when we are updating a user or when we are creating a user, but in this case we simply want to save the passwordResetToken and passwordResetTokenExpires. Okay, so here I am going to disable the validation; for that we can simply say validateBeforeSave and set it to false. All right, with this let's save the changes, again let's go back to Postman and make a request. So here we will not get any response, because from this function currently we are not sending anything back to the client, so let me go ahead and cancel it here.

But let's go back to VS Code, and there you see this one is the encrypted token, okay, the encrypted reset token, and this one is the plain reset token. But I want this plain reset token in hexadecimal form, and to do that, the mistake which I was doing is I was passing it as the second argument, but actually it should be .toString, and there I need to specify the type as hex. Okay, and this should now work, so let me save the changes, again let me go back to Postman and make a request again. So again, since we are not returning any response, it will keep on going, so let me cancel it here, but let's go back to VS Code, and there you will now see that this plain token is also in hexadecimal format, and this one is the encrypted token. Okay, so now we have our plain token and the encrypted token. Next what we want is to send this plain token in the email to the user, and using that token he can reset his password; so we will do that in the next lecture.

Okay, now before we wrap up this lecture, let me also go back to Compass, let me refresh this collection, and now you will see for this user Mark, whose email we sent with the POST request to forgot password, you can see now we have two new fields: passwordResetToken, which is this token, and then passwordResetTokenExpires, which is the current date plus 10 minutes. Okay, so at this date and time this reset token will expire. All right, so this is all from this lecture. If you have any questions then feel free to ask. Thank you for listening and have a great day.
Info
Channel: procademy
Views: 8,431
Keywords: authentication, authorization, express, mongoose, mongodb, node js, node js tutorial, complete node js course
Id: 4ML_j17jsVg
Length: 21min 0sec (1260 seconds)
Published: Wed May 17 2023