jester/zlh-grind
1
0
Fork 0
Code Issues 14 Pull Requests Actions Packages Projects Releases Wiki Activity

Track API change password endpoint

Browse Source
This commit is contained in:
jester 2026-04-28 20:24:04 +00:00
parent 04cf130560
commit 1fccec5753
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Codex/API/CURRENT_STATE.md
View File

@ -88,6 +88,8 @@ This file records what is believed to be implemented now.
- Password reset request now delivers email through the configured support mailbox SMTP path first, with optional Resend fallback and console-link fallback for local development. - Password reset request now delivers email through the configured support mailbox SMTP path first, with optional Resend fallback and console-link fallback for local development.
- Password reset request routes are `POST /api/auth/password-reset/request` and alias `POST /api/auth/forgot-password`. - Password reset request routes are `POST /api/auth/password-reset/request` and alias `POST /api/auth/forgot-password`.
- Password reset confirm routes are `POST /api/auth/password-reset/confirm` and alias `POST /api/auth/reset-password`. - Password reset confirm routes are `POST /api/auth/password-reset/confirm` and alias `POST /api/auth/reset-password`.
- Logged-in password change is available at `POST /api/auth/change-password` with bearer auth and body `{ currentPassword, newPassword }`.
- Logged-in password change verifies the current password, enforces the same 8-character minimum, updates the password hash, and marks outstanding password reset tokens used.
- Reset links use `RESET_PASSWORD_URL_BASE`, then `PORTAL_URL`, then `http://localhost:3000`, and point at `/reset-password?token=...`. - Reset links use `RESET_PASSWORD_URL_BASE`, then `PORTAL_URL`, then `http://localhost:3000`, and point at `/reset-password?token=...`.
- Reset request responses remain generic to avoid account enumeration. - Reset request responses remain generic to avoid account enumeration.
- Reset confirmation rejects passwords shorter than 8 characters and marks all outstanding reset tokens for that user used after a successful password change. - Reset confirmation rejects passwords shorter than 8 characters and marks all outstanding reset tokens for that user used after a successful password change.