Authentication
Reset Password
Set a new password using the reset token from the email link. Strict rate limit (3/hour).
POST /api/v1/auth/reset-password — 🌐 Public · Rate limit: 3 req / hour
Completes the password reset flow. Validates the reset token from the email link, updates User.passwordHash, and revokes all existing sessions for the user (forces re-login).
Request
Body — ResetPasswordDto
| Field | Type | Required | Validation | Notes |
|---|---|---|---|---|
token | string | ✓ | @IsString() | Reset token from email link (PasswordReset.token) |
newPassword | string | ✓ | 8–128 chars; must include upper + lower + digit | bcrypt hashed (salt rounds from auth.salt_rounds) |
Response
200 OK — SuccessOnlyResponseDto
{ "success": true }Errors
| HTTP | code / i18nKey | Reason |
|---|---|---|
400 | auth.reset_password.invalid_token | Token not found, expired, or already consumed |
400 | (DTO validation) | Password policy violation (length, character class) |
429 | (throttle) | Rate limit exceeded (3 req/hour — extra strict for password mutations) |
Side effects
- Lookup
PasswordResetby token; verify not expired + not used. - bcrypt hash new password (salt rounds from config).
- Atomic transaction: update
User.passwordHash, markPasswordReset.usedAt = now(), revoke ALL activeSessionrecords (force re-login on every device). - Reset
User.loginAttempts = 0andUser.lockedUntil = null(account unlocked). - Send security alert email: "Your password was reset on
{date}". - Audit log:
auth.reset_password.success.
Code samples
curl -X POST https://api.bio.re/api/v1/auth/reset-password \
-H 'Content-Type: application/json' \
-d '{
"token": "abc123-reset-token-from-email",
"newPassword": "NewSecureP@ss456"
}'async function resetPassword(token: string, newPassword: string): Promise<void> {
const res = await fetch('https://api.bio.re/api/v1/auth/reset-password', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ token, newPassword }),
});
const json = await res.json();
if (!res.ok || !json.success) {
throw Object.assign(new Error(json?.error?.message ?? 'Reset failed'), {
code: json?.error?.code,
});
}
}import { useMutation } from '@tanstack/react-query';
export function useResetPassword() {
return useMutation({
mutationFn: async (input: { token: string; newPassword: string }) => {
const res = await fetch('/api/v1/auth/reset-password', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(input),
});
const json = await res.json();
if (!res.ok || !json.success) {
throw Object.assign(new Error(json?.error?.message ?? 'Reset failed'), {
code: json?.error?.code,
i18nKey: json?.error?.i18nKey,
});
}
},
onSuccess: () => {
router.push('/login?reason=password_reset');
},
});
}Try it
Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
Response Body
application/json
application/json
application/json
curl -X POST "https://loading/api/v1/auth/reset-password" \ -H "Content-Type: application/json" \ -d '{ "token": "string", "newPassword": "stringst" }'{
"success": true
}{
"success": false,
"error": {
"code": "AUTH_UNAUTHORIZED",
"message": "Invalid credentials",
"i18nKey": "auth.login.invalid_credentials",
"i18nVars": {
"field": "email"
},
"details": [
{
"message": "email must be an email"
}
],
"correlationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
}{
"success": false,
"error": {
"code": "AUTH_UNAUTHORIZED",
"message": "Invalid credentials",
"i18nKey": "auth.login.invalid_credentials",
"i18nVars": {
"field": "email"
},
"details": [
{
"message": "email must be an email"
}
],
"correlationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
}Source
| Source | Path | Lines |
|---|---|---|
| Controller | apps/api-core/src/modules/auth/auth.controller.ts | 214–223 |
| DTO (request) | apps/api-core/src/modules/auth/dto/index.ts | 115–121 (ResetPasswordDto) |
| Service | apps/api-core/src/modules/auth/auth.service.ts | resetPassword() |
| Prisma models | packages/prisma/prisma/schema.prisma | User, PasswordReset, Session |