48 - Password Reset

Overview

OpenAlgo provides a secure multi-step password reset flow that supports both email-based reset tokens and TOTP verification for accounts with 2FA enabled.

Architecture Diagram

┌──────────────────────────────────────────────────────────────────────────────┐
│                        Password Reset Architecture                           │
└──────────────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────────────┐
│                         Step 1: Initiate Reset                               │
│                         /forgot-password                                     │
│                                                                              │
│  ┌─────────────────────────────────────────────────────────────────────┐   │
│  │  User enters email address                                           │   │
│  │                                                                      │   │
│  │  Email: [user@example.com                     ]                       │   │
│  │                                                                      │   │
│  │  [Send Reset Link]                                                   │   │
│  └─────────────────────────────────────────────────────────────────────┘   │
│                                    │                                         │
│                                    ▼                                         │
│                          Validate email exists                               │
│                                    │                                         │
│              ┌─────────────────────┴─────────────────────┐                  │
│              │                                           │                   │
│         Email Found                                 Not Found                │
│              │                                           │                   │
│              ▼                                           ▼                   │
│     Generate reset token                        Show generic message         │
│     Store in database                           (prevent enumeration)        │
│     Send email with link                                                     │
└─────────────────────────────────────────────────────────────────────────────┘

                                     │ User clicks email link


┌─────────────────────────────────────────────────────────────────────────────┐
│                         Step 2: Verify Identity                              │
│                         /reset-password?token=xxx                            │
│                                                                              │
│                          Validate reset token                                │
│                                    │                                         │
│              ┌─────────────────────┴─────────────────────┐                  │
│              │                                           │                   │
│       Token Valid                                  Token Invalid/Expired     │
│              │                                           │                   │
│              ▼                                           ▼                   │
│     Check if TOTP enabled                         Show error message         │
│              │                                                               │
│    ┌─────────┴─────────┐                                                    │
│    │                   │                                                     │
│ TOTP Enabled      No TOTP                                                   │
│    │                   │                                                     │
│    ▼                   ▼                                                     │
│ Show TOTP Form    Show Password Form                                        │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

                                     │ After verification


┌─────────────────────────────────────────────────────────────────────────────┐
│                         Step 3: Set New Password                             │
│                                                                              │
│  ┌─────────────────────────────────────────────────────────────────────┐   │
│  │  New Password:     [••••••••••••••••                 ]               │   │
│  │  Confirm Password: [••••••••••••••••                 ]               │   │
│  │                                                                      │   │
│  │  Requirements:                                                       │   │
│  │  ✓ At least 8 characters                                            │   │
│  │  ✓ Contains uppercase letter                                        │   │
│  │  ✓ Contains lowercase letter                                        │   │
│  │  ✓ Contains number                                                  │   │
│  │  ✓ Contains special character                                       │   │
│  │                                                                      │   │
│  │  [Reset Password]                                                    │   │
│  └─────────────────────────────────────────────────────────────────────┘   │
│                                    │                                         │
│                                    ▼                                         │
│                    Hash password with Argon2 + pepper                        │
│                    Update user record                                        │
│                    Invalidate reset token                                    │
│                    Invalidate all sessions                                   │
│                    Redirect to login                                         │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

Database Schema

password_reset_tokens Table

Token Generation

Secure Token Creation

Token Validation

Password Security

Argon2 Hashing with Pepper

Password Requirements

TOTP Integration

Reset with 2FA

API Endpoints

Request Reset

Response:

Validate Token

Response:

Reset Password

Response:

Reset Flow Implementation

Full Reset Service

Security Measures

Rate Limiting

Audit Logging

Token Security

Measure         Implementation
--------------  ------------------------------------------
Token entropy   256 bits (secrets.token_urlsafe(32))
Token storage   SHA-256 hash only
Expiration      1 hour
Single use      Marked used after completion
IP logging      Request IP recorded
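The table above lists the properties a reset token must have. As an added example, not OpenAlgo's own code, the Python below implements each row as a small token lifecycle: 256-bit token, hash-only storage, one-hour expiry, single use, and the requesting IP recorded. The in-memory dictionary used as the token store is an assumption standing in for whatever persistence the application uses.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 3600  # expiration: 1 hour

# Constructed store for the example: sha256(token) -> record.
# Only the digest is kept, so a leaked store yields no usable tokens.
_store: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: int, request_ip: str, now: Optional[float] = None) -> str:
    """Generate a 256-bit token, persist only its hash, return the raw token
    so it can be placed in the emailed reset link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    _store[_digest(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
        "request_ip": request_ip,  # IP logging: who asked for the reset
    }
    return token


def consume_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Validate a presented token. Returns the user id exactly once; returns
    None when the token is unknown, expired, or already used."""
    now = time.time() if now is None else now
    # Lookup is keyed by the SHA-256 digest, not the raw token, so the raw
    # value never has to be compared or stored anywhere.
    record = _store.get(_digest(token))
    if record is None or record["used"]:
        return None
    if now > record["expires_at"]:
        del _store[_digest(token)]  # expired tokens are dropped, not reused
        return None
    record["used"] = True  # single use: marked used after completion
    return record["user_id"]
```

In the real flow the password update, session invalidation and redirect happen only after consume_token returns a user id.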

Frontend Components

Forgot Password Form

Reset Password Form

Key Files Reference

File                                    Purpose
--------------------------------------  ------------------------------
blueprints/auth.py                      Reset endpoints and core logic
database/user_db.py                     User model with password hash
utils/email_utils.py                    Password reset email sending
database/settings_db.py                 SMTP settings for email
frontend/src/pages/ForgotPassword.tsx   Request form
frontend/src/pages/ResetPassword.tsx    Reset form

Note: Password reset logic is implemented directly in blueprints/auth.py. There are no separate password_reset_db.py or password_reset_service.py files. Reset tokens are stored in the session rather than a dedicated database table.
