A. Atiyah

Reputation: 555

Should I put my JWT token in the URL for password reset functionality?

I'm currently doing forgot password functionality for the first time and here's the code so far.

sends the email for the user that has the URL with the JWT token

router.post('/change-password', verifyAuth, resetPassword);

receives and confirms JWT then changes password

router.post('/change-password/:token/:password', confirmResetPassword);

the process I'm currently thinking about is in the email I send the user to

http://localhost:3000/change-password?token=TOKEN_VALUE

But I'm not sure whether this is a smart idea or not. I can also use cookies if that's better; any ideas?

Upvotes: 1

Views: 713

Answers (1)

Prathamesh More

Reputation: 1499

It's okay to put the JWT token in the URL for reset-password functionality. You have to send this link using email or any other secure communication service.

I implemented this feature:

https://yourapp.com/home/reset/${token}

const data = {
  from: "[email protected]",
  to: user.email,
  subject: "Please reset your password",
  // Only the token goes into the link; the new password is entered on the reset page, not in the URL.
  text: `Hello ${user.name},\n\nI heard that you lost your Teeny password. You can use the following link to reset your password: https://yourapp.com/home/reset/${token}`
};

transporter.sendMail(data, function (error, info) {
  if (error) {
    console.log(error);
  } else {
    console.log("Email sent: " + info.response);
  }
});

Now if the user hits this URL, validate the token and redirect or render the change password page. But don't send the password through the URL.

Upvotes: 1
