nlcc-itinerary/server/api/auth/reset-password.post.ts

import { getPasswordResetCode, resetPasswordByEmail, deletePasswordResetCode, deleteAllUserSessions, getUserByEmail } from '~/server/utils/database'

export default defineEventHandler(async (event) => {
  const body = await readBody(event)
  const { email, code, newPassword } = body

  if (!email || !code || !newPassword) {
    throw createError({
      statusCode: 400,
      message: 'Email, code, and new password are required',
    })
  }

  // Validate password requirements
  if (newPassword.length < 8) {
    throw createError({
      statusCode: 400,
      message: 'Password must be at least 8 characters long',
    })
  }

  const hasUpperCase = /[A-Z]/.test(newPassword)
  const hasLowerCase = /[a-z]/.test(newPassword)
  const hasNumberOrSymbol = /[0-9!@#$%^&*(),.?":{}|<>]/.test(newPassword)

  if (!hasUpperCase || !hasLowerCase || !hasNumberOrSymbol) {
    throw createError({
      statusCode: 400,
      message: 'Password must contain uppercase, lowercase, and number/symbol',
    })
  }

  // Verify code exists and hasn't expired
  // Convert to uppercase for case-insensitive comparison
  const resetCode = getPasswordResetCode(email, code.toUpperCase())
  
  if (!resetCode) {
    throw createError({
      statusCode: 400,
      message: 'Invalid or expired reset code',
    })
  }

  // Get user info before resetting password
  const user = getUserByEmail(email)
  if (!user) {
    throw createError({
      statusCode: 404,
      message: 'User not found',
    })
  }

  // Reset password
  resetPasswordByEmail(email, newPassword)

  // SECURITY: Invalidate ALL sessions when password is reset via forgot-password flow
  // User must log in again with new password
  deleteAllUserSessions(user.username)

  // Delete used reset code
  deletePasswordResetCode(email)

  return {
    success: true,
    message: 'Password reset successfully. Please log in with your new password.'
  }
})