Lineup Legends

Developed by

Cassius Reynolds

© 2026 Lineup Legends. All rights reserved.
🔑 Auth & Security (Coming Soon)

Password & Account Recovery

Change password, forgot/reset password email flow, and OAuth account password creation.


Documentation

Overview

Password management covers three scenarios: changing an existing password, resetting a forgotten password via email, and creating a password for OAuth-only accounts.

Change Password (Settings)

  • Available in Profile Settings under Account Security
  • If the user already has a password: requires current password + new password with confirmation
  • If the user signed up via Google OAuth: shows "Set Password" with just new password + confirmation (no current password required)
  • Password validation enforces minimum length, uppercase, lowercase, number, and special character requirements

Forgot Password Flow

  1. User enters their email on /forgot-password
  2. API checks if the account exists and has a password
  3. OAuth-only accounts — returns a specific error directing the user to sign in with Google and create a password in settings
  4. Accounts with a password — generates a secure token (SHA-256 hashed), stores it in the PasswordResetToken collection with a 5-minute TTL, and sends a branded reset email via Resend
  5. User clicks the link, lands on /reset-password?token=...
  6. Token is verified and the user sets a new password

Token Security

  • Raw token sent in the email, SHA-256 hash stored in the database — even a database leak doesn't expose valid tokens
  • Tokens are single-use and expire after 5 minutes
  • All existing tokens for the user are deleted before creating a new one
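
The token lifecycle from the Forgot Password Flow and Token Security sections, as an added example that is not Lineup Legends' own code. It assumes an in-memory `Map` in place of the PasswordResetToken collection and a 32-byte random token; the function names `issueResetToken`, `consumeResetToken` and `demo` are hypothetical.

```javascript
// Added example: in-memory stand-in for the PasswordResetToken collection.
const crypto = require('node:crypto');

const TTL_MS = 5 * 60 * 1000;   // 5-minute TTL, as documented
const tokenStore = new Map();   // tokenHash -> { userId, expiresAt }

const sha256 = (value) =>
  crypto.createHash('sha256').update(value).digest('hex');

// Issue a token: purge the user's old tokens, store only the hash,
// and return the raw value that would go into the emailed link.
function issueResetToken(userId, now = Date.now()) {
  for (const [hash, rec] of tokenStore) {
    if (rec.userId === userId) tokenStore.delete(hash);
  }
  const rawToken = crypto.randomBytes(32).toString('hex'); // length is an assumption
  tokenStore.set(sha256(rawToken), { userId, expiresAt: now + TTL_MS });
  return rawToken;
}

// Redeem a token: hash the presented value, look it up, delete the record
// (single use, even when it turns out to be expired), then check expiry.
function consumeResetToken(rawToken, now = Date.now()) {
  if (typeof rawToken !== 'string' || rawToken.length === 0) return null;
  const hash = sha256(rawToken);
  const rec = tokenStore.get(hash);
  if (!rec) return null;
  tokenStore.delete(hash);
  return now < rec.expiresAt ? rec.userId : null;
}

// Constructed walk-through with a fixed clock (all values are sample data).
function demo() {
  const t0 = 1_700_000_000_000;
  const first = issueResetToken('user-1', t0);
  const second = issueResetToken('user-1', t0 + 1000); // invalidates `first`
  const leakedHash = [...tokenStore.keys()][0];        // what a DB dump would show
  return {
    supersededToken: consumeResetToken(first, t0 + 2000),
    leakedHashAsToken: consumeResetToken(leakedHash, t0 + 2000),
    validToken: consumeResetToken(second, t0 + 2000),
    replayedToken: consumeResetToken(second, t0 + 3000),
    expiredToken: consumeResetToken(issueResetToken('user-2', t0), t0 + TTL_MS),
  };
}
```

Only `validToken` resolves to a user id. A stored hash submitted as a token is hashed again on lookup, so it matches nothing.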

OAuth Account Handling

When an OAuth-only user hits the forgot password page, they see an informative message explaining they need to sign in with Google first. The "Sign in with Google" button triggers the OAuth flow directly (no extra step) and redirects to Profile Settings where they can create a password.
