Password Recovery Workflow

This workflow covers the complete password recovery process, from requesting a reset email to setting a new password. The flow includes email verification, time-limited reset tokens, and password complexity enforcement.

[Flowchart: Password Recovery Workflow. User clicks "Forgot Password" link on login page -> Enter email address (recovery form) -> API /auth/forgot-password generates reset token, sends email -> Email found? No: show success anyway (silent fail, prevents email enumeration). Yes: reset email sent, contains time-limited reset link (1 hour) -> user's inbox, clicks reset link (opens in browser) -> Token valid? No (expired): token expired error, request new reset link (retry flow). Yes: new password form (complexity check) -> password updated -> redirect to login.]

Step-by-Step Explanation

Requesting a Password Reset

  1. User clicks "Forgot Password" — On the login page, the user clicks the "Forgot Password" link, which navigates them to the password recovery form.
  2. Enters email address — The user enters the email address associated with their TubeRaker account.
  3. API processes the request — A POST request is sent to /auth/forgot-password. The server looks up the email in the database.
  4. Security: silent failure — If the email is not found, the API still responds with a success message. This prevents email enumeration attacks where an attacker could probe for registered accounts.
  5. Reset email sent — If the email exists, the server generates a cryptographically secure reset token (valid for 1 hour) and sends it to the user's email as a clickable link.

Resetting the Password

  1. User clicks the reset link — The user opens the email and clicks the reset link, which contains the reset token as a URL parameter.
  2. Token validation — The server validates the reset token: it must exist, not be expired (1 hour limit), and not have been previously used. Invalid or expired tokens show an error with an option to request a new link.
  3. New password form — If the token is valid, the user is shown a form to enter a new password. The password must meet complexity requirements: minimum 12 characters, uppercase and lowercase letters, at least one number, and at least one special character.
  4. Password updated — Once the new password passes validation, the server hashes it with bcrypt and updates the user's record. The reset token is marked as used.
  5. Redirect to login — The user is redirected to the login page with a success message, where they can sign in with their new password.
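The two procedures above (the /auth/forgot-password request and the token-validated reset) are modelled end to end below. This is an added example, not TubeRaker's own code: the RecoveryService, ResetToken and outcome strings are assumptions for illustration, the "database" and "mailbox" are in-memory, and hashlib.scrypt stands in for the bcrypt hashing the page specifies so that the example runs with the standard library alone. Storing only a hash of the reset token is also a design choice of the example, not something the page states.

```python
"""Added example (not TubeRaker's own code) of the password recovery flow.

Assumptions: in-memory user/token stores, an outbox list standing in for the
mail sender, and hashlib.scrypt standing in for the page's bcrypt.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3600  # page: reset links are valid for 1 hour
# Same message whether or not the address is registered (no enumeration).
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


@dataclass
class User:
    email: str
    password_hash: bytes | None = None


@dataclass
class ResetToken:
    email: str
    expires_at: float
    used: bool = False


def password_meets_policy(pw: str) -> bool:
    """Page policy: 12+ chars, upper and lower case, a digit, a special char."""
    return all((
        len(pw) >= 12,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ))


def hash_password(pw: str) -> bytes:
    """scrypt stand-in for bcrypt: random 16-byte salt prepended to the digest."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)


def verify_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


@dataclass
class RecoveryService:
    users: dict[str, User]
    tokens: dict[str, ResetToken] = field(default_factory=dict)  # keyed by token hash
    outbox: list[tuple[str, str]] = field(default_factory=list)  # (email, raw token)

    @staticmethod
    def _token_key(raw: str) -> str:
        # Only a hash of the token is kept, so a leaked store cannot be replayed.
        return hashlib.sha256(raw.encode()).hexdigest()

    def forgot_password(self, email: str, now: float | None = None) -> str:
        """POST /auth/forgot-password: silent failure when the email is unknown."""
        now = time.time() if now is None else now
        user = self.users.get(email.strip().lower())
        if user is not None:
            raw = secrets.token_urlsafe(32)  # cryptographically secure token
            self.tokens[self._token_key(raw)] = ResetToken(
                email=user.email, expires_at=now + TOKEN_TTL_SECONDS)
            self.outbox.append((user.email, raw))  # the "reset email"
        return GENERIC_RESPONSE  # identical response in both branches

    def check_token(self, raw: str, now: float | None = None) -> str:
        """Returns 'ok', 'expired' or 'invalid' (unknown or already used)."""
        now = time.time() if now is None else now
        tok = self.tokens.get(self._token_key(raw))
        if tok is None or tok.used:
            return "invalid"
        if now >= tok.expires_at:
            return "expired"
        return "ok"

    def reset_password(self, raw: str, new_password: str,
                       now: float | None = None) -> str:
        """Token must be valid and the password must pass the policy."""
        now = time.time() if now is None else now
        status = self.check_token(raw, now)
        if status != "ok":
            return "token_" + status  # caller offers "request a new link"
        if not password_meets_policy(new_password):
            return "password_rejected"
        tok = self.tokens[self._token_key(raw)]
        self.users[tok.email].password_hash = hash_password(new_password)
        tok.used = True  # single use: a second submission is rejected
        return "password_updated"


if __name__ == "__main__":
    svc = RecoveryService(users={"alice@example.com": User("alice@example.com")})
    print(svc.forgot_password("nobody@example.com"))   # same text as below
    print(svc.forgot_password("alice@example.com"))
    _, raw_token = svc.outbox[0]
    print(svc.reset_password(raw_token, "Correct-Horse-Battery9"))
```

The `now` parameter exists so expiry can be exercised deterministically; in a real handler it is simply the current time. Note that the handler's response body is built once and returned on both paths, which is the property the "silent failure" step depends on.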

Security Considerations

  1. Email enumeration prevention — The API always returns the same success response regardless of whether the email exists, preventing attackers from discovering valid accounts.
  2. Time-limited tokens — Reset tokens expire after 1 hour. Expired tokens cannot be used and the user must request a new reset link.
  3. Single-use tokens — Each reset token can only be used once. After a password is changed, the token is immediately invalidated.
  4. Password complexity — New passwords must meet strict complexity requirements (12+ characters, mixed case, numbers, special characters) so that brute-force and dictionary guessing are impractical.