How to handle forgot password to reset password using a one-time link.

Поділитися
Вставка
  • Опубліковано 20 гру 2024

КОМЕНТАРІ • 124

  • @neishaosu3402
    @neishaosu3402 5 місяців тому

    I really loved your explanation. It was straight to the point, without any unnecessary bullshit. Plain, simple, and easy to follow for resetting the password. Good job!

  • @shakilahmed6870
    @shakilahmed6870 Рік тому +5

    One suggestion for all.
    Instead of generating jwt secret using a secret key+user old password, use crypto to generate a new secret key each time user wants to reset the password and store the secret key in your database. When user successfully resets the password, just delete the secret key from database so that it cant be used again.

  • @NickTheDevGuy
    @NickTheDevGuy 8 місяців тому

    Ahh thank you so much! I've been looking for this for almost a week. The other videos on YT all use randomly generated crypto tokens, but I wanted to use JWT instead. This was a life saver, and very well explained. Thanks again man!

  • @shrutisharma8750
    @shrutisharma8750 2 роки тому +3

    Your explanation is soo good

  • @RajnishKumar-wi8zl
    @RajnishKumar-wi8zl 3 роки тому +1

    best video in the youtube for the reset password technique

  • @varadgauthankar
    @varadgauthankar 2 роки тому +1

    really loved the tutorial, it's perfect how you only focus on the topic and not other things. Thanks a lot.

  • @weiyangxumo5671
    @weiyangxumo5671 2 роки тому

    Thanks for the video! It's easy to learn. I like the way you skip the unimportant part and only focus on password reset!

  • @loirenhuh
    @loirenhuh 2 роки тому +4

    Bro you are my superman, for my deadlines

  • @vemuyaswanth803
    @vemuyaswanth803 3 роки тому +3

    This is so frickin' clear. Thank you pal!!!

  • @ali-celebi
    @ali-celebi 2 роки тому +1

    I like the way we can leverage JWT to create a token which helps us to create one-time link. Useful tutorial!

  • @ankitbansal6450
    @ankitbansal6450 2 роки тому +2

    Amazing video bro , simple and clear explanation

  • @osherezra8460
    @osherezra8460 3 роки тому +3

    Right on the point and so clear thank you so glad I'v found this channel man keep it up

  • @shaileshk_gy
    @shaileshk_gy 3 роки тому +9

    Please provide a link to the code in the description. That would be awesome.

  • @richardstowey
    @richardstowey 2 роки тому

    Thanks for providing such a clear tutorial on how to do this. Much appreciated!

  • @daviddaedae
    @daviddaedae 3 роки тому +1

    Love these node tutorials

  • @johardas8954
    @johardas8954 3 роки тому +2

    your videos are of very high quality.

    • @mafiacodes
      @mafiacodes  3 роки тому

      I appreciate that! Thank you!

  • @jumaelahmed9995
    @jumaelahmed9995 8 місяців тому

    Which font you are using can you please tell me?

  • @gauravbawa5609
    @gauravbawa5609 Рік тому

    Thanks you so much for this video.. thanks to you i have able to complete this authentication part smoothly. I find many challenges when using the same code with database but little by little debugging finally i happen to get to the same result.. Your content is really worked with real case scenario. I really appreciate the time and effort you took to explain the process concisely.

  • @nonlinearacademy
    @nonlinearacademy 4 місяці тому

    Hi, thank for this awesome tutorial. Just I'm curious if there is any repository with the code from your example?

  • @ant9177
    @ant9177 2 роки тому +1

    Can you tell me what font is used in Vs code ?

  • @JSXPLANET
    @JSXPLANET 3 роки тому

    thanks you for your clear explanation , i have a doubt regarding where the token is storage in the project , is into cache?

  • @juanssal
    @juanssal 2 роки тому

    Clear and simple. Thanks my friend

  • @sofienethabet7727
    @sofienethabet7727 3 роки тому +4

    Please provide a link to the code in the description. That would be awesome. Thanks :D

  • @robhawkins2446
    @robhawkins2446 Рік тому

    This was excellent, thank you!

  • @jakubgadzala7474
    @jakubgadzala7474 3 роки тому +1

    Great video! Subscribed to channel. Thank you.

    • @jakubgadzala7474
      @jakubgadzala7474 3 роки тому +1

      So, I have watched it earlier today. By now I have watched it second time and implemented into my project without any hussle whatsover! The quality of your tutorial is better than many I have watched on udemy. They usually talk to much or not clear enough. Your explanation was perfect, step by step, easy to replicate in any project. Thank you a milion again sir!

  • @namangogia9252
    @namangogia9252 2 роки тому

    Thank you, very clear explanation

  • @waytofuture
    @waytofuture 2 роки тому

    thank you sir easy explanation af

  • @mouadbfs349
    @mouadbfs349 9 місяців тому

    Thanks this tutorial very helpfull

  • @cliffXsoul
    @cliffXsoul 3 роки тому

    Thank you so much, it really helped me!

  • @amankhanna354
    @amankhanna354 3 роки тому

    Very informative. Thanks⚡️

  • @frutoramirezjuanjose5930
    @frutoramirezjuanjose5930 2 роки тому

    Which vscode theme color do you use?

  • @jdera1872
    @jdera1872 3 роки тому +1

    Thanks this helps me a lot..

  • @official-ali
    @official-ali 3 роки тому +1

    Great tutorial ❤️

  • @shivlingjadhav9936
    @shivlingjadhav9936 3 роки тому +1

    Superb 🔥🔥

  • @welvissouza7617
    @welvissouza7617 2 роки тому

    Fantastic video, congratulations. Could you tell me what vscode theme you were using?

  • @emtezet29
    @emtezet29 Рік тому +1

    It is not one-time link if the user sets exactly the same password. It should've been generated private key, stored on distributed fs or memory until user changed their password. Once done you remove the key. Obviously you need to have a dedicated authorization mechanism just for this endpoint.

  • @robertphillips124714
    @robertphillips124714 2 роки тому +1

    Great explanation, thank you very much!!
    Is it best practice to use the current password for the jwt secret in this way? I get that the secret is never sent to the client, but it still feels like it might be a an unnecessary risk. I'd be interested to know your thoughts.

    • @mafiacodes
      @mafiacodes  2 роки тому +1

      No problem at all, moreover it’s more secure since we are creating a secret using a common secret and hashed password , so no worries with that

    • @codingprojects4002
      @codingprojects4002 2 роки тому +1

      Its safe to use it.. because your current password is hashed and u r using that hash plus jwt secret so no one can decode it.. even if u get hashed password text u can't get password from it.. it is secure

  • @arnobchowdhury9641
    @arnobchowdhury9641 3 роки тому

    I have one question. Can a similar approach be taken for user's email validation when a user signs up? Great video. Thanks a lot.

    • @mafiacodes
      @mafiacodes  3 роки тому +1

      Yes, absolutely

    • @arnobchowdhury9641
      @arnobchowdhury9641 3 роки тому

      @@mafiacodes Thanks a lot for the reply.

    • @danielsouza1824
      @danielsouza1824 3 роки тому +1

      I did the signup process with jwt. With an email validation to activate account.

    • @MahadyHasan
      @MahadyHasan 3 роки тому

      you can check the signs-up email address on the user table on the database. If the email already exists, an error message can show." this email already registered", otherwise signs up will continue.

  • @Rise_and_Shine1
    @Rise_and_Shine1 Рік тому +2

    Good Work Bro Keep It Up Bro Can u plz provide the source code

    • @mafiacodes
      @mafiacodes  Рік тому

      I'll check if I have saved it...

  • @thongtranlequoc688
    @thongtranlequoc688 8 місяців тому

    If the user re-enters the old password, then the token will still be valid until it expires, right?

  • @juhandvan
    @juhandvan 3 роки тому +1

    Thank you so much

  • @riteshthakur9250
    @riteshthakur9250 3 роки тому +1

    sir what if i am using env variable for JWT secret key and not not using password in the secret like you did only using the env variable for storing secret will it give invalid signature

    • @mafiacodes
      @mafiacodes  3 роки тому +1

      U can only use env variable but in that case the link will be valid for lifetime of the token even if it has been used once to reset a password

    • @riteshthakur9250
      @riteshthakur9250 3 роки тому

      @@mafiacodes so i will have to use the password with jwt secret for not use it more than one time once it is used

    • @mafiacodes
      @mafiacodes  3 роки тому

      Yes

    • @danielsouza1824
      @danielsouza1824 3 роки тому

      That was awesome, I was looking for this kind of answer, how to generate unique token regarding the reset password, to not be valid after the process.

  • @jandeswart1378
    @jandeswart1378 3 роки тому

    Thank you. This videao is very helpful.

  • @shashwatdhingra3580
    @shashwatdhingra3580 Рік тому

    Thanks brother

  • @bent9808
    @bent9808 2 роки тому

    How do I get the user from the database from the reset password link? We didn't need a request.body

  • @rvb6516
    @rvb6516 2 роки тому

    Does this work on iOS or do we have to use universal links ?

  • @riteshthakur9250
    @riteshthakur9250 3 роки тому

    great video as always
    please also make videos on MERN full stack videos

  • @mitubarua9248
    @mitubarua9248 2 роки тому

    does have any git repo??

  • @snehabaser3155
    @snehabaser3155 3 роки тому

    I have one doubt. Like during sign up i store token in database.. so is again need to generate token for reset password or i fetch from database??

    • @snehabaser3155
      @snehabaser3155 3 роки тому

      Please reply as early as possible. It would be great help!

    • @mafiacodes
      @mafiacodes  3 роки тому

      u have to watch the full video to understand how it works, it has nothing related to signups...

    • @danielsouza1824
      @danielsouza1824 3 роки тому

      The token is never stored, only generated and saved in the client side (maybe in your mailbox)

  • @ajibolaanthony7867
    @ajibolaanthony7867 2 роки тому

    please how can i set it to get the email and password in my database

  • @jesseemana9598
    @jesseemana9598 Рік тому

    amazing channel

  • @abharani9265
    @abharani9265 2 роки тому

    Thanks for tutorials! really helpful.

  • @colindante5164
    @colindante5164 Рік тому +1

    Thankyou much ))

  • @HSBTechYT
    @HSBTechYT 3 роки тому

    For some reason jwt verify is returning false , basicaly it's not working

  • @ruqiaimran2299
    @ruqiaimran2299 3 роки тому +1

    Can we send email of the user in the url apart from id of the user
    Btw great content :-)

  • @samueloluwasegun746
    @samueloluwasegun746 9 місяців тому

    Pls can you share your vs code profile i like your extensions

  • @gmix218
    @gmix218 3 роки тому

    Sir hello one time paasword means if you failed to use the first otp that google send...google will not send another otp again???..is that mean of otp....or they send again?? but in some other time or day??.because i reiceve my otp but accidentally i cancel my request for reset password link .then i fill up again in google recovery form and option to submit not show again..is it because i failed to use my first code???how can i get again... hope you answer me..thank you sir

  • @rohitjakhmola7446
    @rohitjakhmola7446 Рік тому +1

    help alot....

  • @digenmore5949
    @digenmore5949 2 роки тому

    Sir I tried with database but not working please help me with this problem.

  • @kuldeepruletiya3146
    @kuldeepruletiya3146 3 роки тому

    nice video,please make video on otp based login system

  • @technoinfoworldwide2329
    @technoinfoworldwide2329 3 роки тому

    Suppose my boss is giving me existing code written by others, now they provide me their api..now how to test and properly integrate in frontend (.ejs) ..can you make a video on this topic

  • @gamerminiax8901
    @gamerminiax8901 3 роки тому

    Great video but we need this with db.

    • @mafiacodes
      @mafiacodes  3 роки тому +1

      easy to do, just follow the logic

    • @Pravesh-Dwivedi
      @Pravesh-Dwivedi 3 роки тому

      Sir please make this video with db

  • @Ahmedahmed-qg5ep
    @Ahmedahmed-qg5ep 2 роки тому

    Thanks, Bro! It helps a lot 👍☺

  • @MohamedAli-vf3vy
    @MohamedAli-vf3vy Рік тому

    where can i find the source code

  • @josephjoey3904
    @josephjoey3904 3 роки тому

    Link to source? Will help in debugging errors. Thank you

  • @khushboogoyal27
    @khushboogoyal27 3 роки тому

    @yoursTRULY it says "Cannot GET /reset-password/qwerty12".

    • @khushboogoyal27
      @khushboogoyal27 3 роки тому +1

      ```const express = require("express");
      const jwt = require("jsonwebtoken");
      const app = express();
      app.use(express.json());
      app.use(express.urlencoded({extended: false}))
      app.set("view engine", "ejs")
      let user = {
      id: "qwerty12#45",
      email: "k@gmail.com",
      password: "qwer123@#$fghj"
      }
      //To create a token we need secret.
      const JWT_SECRET = "some super secret..."
      app.get("/", (req, res) => {
      res.send("Hello World!")
      })
      app.get("/forgot-password", (req, res, next) => {
      res.render("forgot-password");
      })
      app.post("/forgot-password", (req, res, next) => {
      const {email} = req.body;
      //res.send(email);
      //make sure user exist in DB.
      if(email !== user.email){
      res.send("User not registered")
      return;
      }
      //user exist and now create one time link that is valid for 15 mins.
      //we need to create one more secret because we dont want that user can use the same link even after 15mins completed.
      const secret = JWT_SECRET + user.password;
      //this payload will be stored inside our JWT token.
      const payload = {
      email: user.email,
      id: user.id
      }
      const token = jwt.sign(payload, secret, {expiresIn: "15m"});
      //generating link through this token.
      const link = `localhost:3000/reset-password/${user.id}/${token}`;
      console.log(link);
      //we can use transactional emails here.
      res.send("Password reset link has been sent to your email.");
      });
      app.get("/reset-password/:id/:token", (req, res, next) => {
      const {id, token} = req.params
      //check if this id exist in DB.
      if(id !== user.id){
      res.send("Invalid ID...")
      return
      }
      //we have a valid id and we have a valid user with this id.
      const secret = JWT_SECRET + user.password;
      try{
      const payload = jwt.verify(token, secret)
      res.render("reset-password", {email: user.email})
      } catch(error){
      console.log(error.message);
      res.send(error.message);
      }

      })
      app.post("/reset-password/:id/:token", (req, res, next) => {
      const {id, token} = req.params;
      const {password, password2} = req.body;
      //check if this id exist in DB.
      if(id !== user.id){
      res.send("Invalid ID...")
      return;
      }
      const secret = JWT_SECRET + user.password
      try{
      const payload = jwt.verify(token, secret)
      //validate password and password2 should match.
      //we can simple find the user with the payload, email and id and finally update with new password.
      //always hash the password before saving.
      user.password = password
      res.send(user)
      }
      catch(error){
      console.log(error.message);
      res.send(error.message)
      }
      res.send(user);
      })
      app.listen(3000, ()=>{
      console.log(`localhost:3000`)
      })```

    • @mafiacodes
      @mafiacodes  3 роки тому

      That is an invalid url

    • @khushboogoyal27
      @khushboogoyal27 3 роки тому

      @@mafiacodes but the code is exactly same as you have explained. can you plz share the source code of it?

    • @khushboogoyal27
      @khushboogoyal27 3 роки тому

      @yoursTRULY now that error is gone and the code is working fine. but when i submit entries for password and confirm password it gives me some errors. although that page redirect to another page and displayed the desired data. it says this in my console -
      Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
      at ServerResponse.setHeader (_http_outgoing.js:558:11)
      at ServerResponse.header (/Volumes/khush/downloads/forgot-password/node_modules/express/lib/response.js:771:10)
      at ServerResponse.send (/Volumes/khush/downloads/forgot-password/node_modules/express/lib/response.js:170:12)
      at ServerResponse.json (/Volumes/khush/downloads/forgot-password/node_modules/express/lib/response.js:267:15)
      at ServerResponse.send (/Volumes/khush/downloads/forgot-password/node_modules/express/lib/response.js:158:21)
      at /Volumes/khush/downloads/forgot-password/app.js:96:9
      at Layer.handle [as handle_request] (/Volumes/khush/downloads/forgot-password/node_modules/express/lib/router/layer.js:95:5)
      at next (/Volumes/khush/downloads/forgot-password/node_modules/express/lib/router/route.js:137:13)
      at Route.dispatch (/Volumes/khush/downloads/forgot-password/node_modules/express/lib/router/route.js:112:3)
      at Layer.handle [as handle_request] (/Volumes/khush/downloads/forgot-password/node_modules/express/lib/router/layer.js:95:5)

    • @editingtuto1.011
      @editingtuto1.011 2 роки тому

      Same problem is occurring with me too

  • @suroya37
    @suroya37 3 роки тому

    if user1 have a link to reset password that I have, that mean user1 can reset password on my account ?

    • @mafiacodes
      @mafiacodes  3 роки тому

      no each one can reset only his password

  • @lazharimen1475
    @lazharimen1475 3 роки тому

    great job

  • @wtrudg1
    @wtrudg1 3 роки тому +1

    tks so much

  • @dontargetme2416
    @dontargetme2416 3 роки тому +1

    you're my pal

  • @ExplorerSpace
    @ExplorerSpace 3 роки тому

    where is your git

  • @marzukzarir
    @marzukzarir 3 роки тому +1

    awesomeeeeee......

  • @Codeforcessolutions
    @Codeforcessolutions Рік тому

    Is this free

  • @suryakantkashyap2468
    @suryakantkashyap2468 2 роки тому

    Code link?

  • @franciscob340
    @franciscob340 2 роки тому

    Fala mais devagar moço, por favor. Tem criança chorando aqui

  • @bharanidharank1295
    @bharanidharank1295 2 роки тому +1

    hi

  • @Stefan-xm9qb
    @Stefan-xm9qb 3 місяці тому +1

    What if the user resets his password and then later changes it back to the old one? Does the old link then become valid again? Your solution is trash.

    • @iganic7574
      @iganic7574 2 місяці тому +1

      He don't show hashing part ,
      Use bcrypt to hash password before saving it he will add some salt to it , so even if two password is same there hash will be completely different

  • @mohamedyoussef8835
    @mohamedyoussef8835 3 роки тому

    Awesome

  • @Vertex_17
    @Vertex_17 2 роки тому

    I'm getting "invalid id".... Actually I tried to use mongodb database for this.... I checked it, I'm getting the value of res.send(user.id).... but I'm not getting any value for res.send(id)... So it's not matching... Hence it is showing undefined
    What can I do for this problem?

  • @dhanrajshinde8904
    @dhanrajshinde8904 11 місяців тому

    Help me bro for my Instagram account I forget ten my password email is not working number is not working backup code are not working what can I do bro help me but my account is active I can't log in help me bro😢

  • @crisluda22445
    @crisluda22445 2 роки тому

    this is hackable if I want to hack johndoe account it is easy to do so if I no johndoo id, I will reset my account and pass in john doe id in the URL and reset it. you are not verifying the token with the id.

  • @saidiachref3014
    @saidiachref3014 10 місяців тому

    Thank you so much, this is so helpful