jester/zlh-grind
1
0
Fork 0
Code Issues 14 Pull Requests Actions Packages Projects Releases Wiki Activity

Update API Codex password reset state

Browse Source
This commit is contained in:
jester 2026-04-28 20:17:01 +00:00
parent f2ff5a4876
commit 04cf130560
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Codex/API/CURRENT_STATE.md
View File

@ -85,6 +85,13 @@ This file records what is believed to be implemented now.
## Billing / auth lifecycle
- API issues access tokens and refresh tokens.
- Password reset tokens are stored hashed and exchanged through API routes.
- Password reset request now delivers email through the configured support mailbox SMTP path first, with optional Resend fallback and console-link fallback for local development.
- Password reset request routes are `POST /api/auth/password-reset/request` and alias `POST /api/auth/forgot-password`.
- Password reset confirm routes are `POST /api/auth/password-reset/confirm` and alias `POST /api/auth/reset-password`.
- Reset links use `RESET_PASSWORD_URL_BASE`, then `PORTAL_URL`, then `http://localhost:3000`, and point at `/reset-password?token=...`.
- Reset request responses remain generic to avoid account enumeration.
- Reset confirmation rejects passwords shorter than 8 characters and marks all outstanding reset tokens for that user used after a successful password change.
- Default reset sender is `ZeroLag Hub Support <support@zerolaghub.com>` and production SMTP is configured through `SMTP_HOST`, `SMTP_PORT`, `SMTP_SECURE`, `SMTP_USER`, and `SMTP_PASS`.
- Stripe billing routes cover checkout, upgrade, downgrade, portal, and current billing state.
- Stripe webhooks are mounted with raw body parsing before normal JSON middleware.
- Billing scheduler starts in-process and performs limited reminder/reconciliation work.