Email Verification and Password Reset

Svelte Guardian provides built-in support for email verification and password reset functionality to enhance the security of your application.

Email Verification

Email verification ensures that users register with valid email addresses that they own. This prevents spam accounts and provides an additional layer of security.

Configuration

Configure email verification in your Svelte Guardian configuration:

  security: {
    emailVerification: {
      method: 'otp',                 // 'otp' or 'link'
      otpLength: 6,                  // Length of OTP code (if using 'otp' method)
      otpExpiration: 15,             // OTP validity in minutes
      tokenExpiration: 60,           // Link token validity in minutes (if using 'link' method)
      sendEmailOnRegistration: true  // Automatically send verification email on registration
    },
    emailProvider: {
      // Email provider configuration
      // ...
    }
  }

Verification Methods

Svelte Guardian supports two verification methods:

  1. One-Time Password (OTP)

    • A numeric code is sent to the user’s email
    • User enters the code on your verification page
    • Simpler user experience for mobile users
  2. Verification Link

    • A unique URL with a token is sent to the user’s email
    • User clicks the link to verify their email
    • More familiar experience for many users

Implementation

Server-Side Setup

The email verification endpoints are automatically set up by Svelte Guardian:

  • POST /auth/verify-email/send-otp: Sends a verification code or link
  • POST /auth/verify-email/verify-otp: Verifies the OTP or token

Client-Side Implementation

Create a verification page that allows users to request and submit verification codes:

  <script>
    // State used by the template below; populate it from your own calls
    // to the verification endpoints listed above.
    let email = '';
    let verificationSent = false;
    let error = '';
  </script>

  {#if !verificationSent}
    <h1>Verify Your Email</h1>
    <p>We need to verify your email address.</p>
    <!-- Form that POSTs the user's email to /auth/verify-email/send-otp -->
  {:else}
    <h1>Enter Verification Code</h1>
    <p>We've sent a verification code to {email}.</p>
    <!-- Form that POSTs the entered code to /auth/verify-email/verify-otp -->
    {#if error}
      <p class="error">{error}</p>
    {/if}
  {/if}

Password Reset

Password reset functionality allows users to regain access to their accounts when they forget their passwords.

Configuration

Configure password reset in your Svelte Guardian configuration:

  security: {
    passwordReset: {
      tokenExpiration: 15,  // Token validity in minutes
      tokenLength: 64,      // Length of reset token
      // Additional password reset options
    },
    emailProvider: {
      // Email provider configuration
      // ...
    }
  }

How It Works

  1. User requests a password reset by providing their email
  2. A unique reset token is generated and stored
  3. A reset link containing the token is sent to the user’s email
  4. User clicks the link and is directed to your reset password page
  5. User enters a new password
  6. The system verifies the token and updates the password

Implementation

Server-Side Setup

The password reset endpoints are automatically set up by Svelte Guardian:

  • POST /auth/reset-password/initiate-reset: Initiates the password reset process
  • POST /auth/reset-password/reset: Handles the actual password reset

Client-Side Implementation

Create a reset password page:

  <script>
    // State used by the template below; populate it from your own calls
    // to the password reset endpoints listed above.
    let email = '';
    let token = '';      // Reset token taken from the link, if the page was opened from one
    let success = false;
    let error = '';
  </script>

  {#if success && !token}
    <h1>Check Your Email</h1>
    <p>We've sent password reset instructions to {email}.</p>
  {:else if success && token}
    <h1>Password Reset Complete</h1>
    <p>Your password has been successfully reset. Redirecting to login...</p>
  {:else if token}
    <h1>Reset Your Password</h1>
    <!-- Form that POSTs the token and the new password to /auth/reset-password/reset -->
    {#if error}
      <p class="error">{error}</p>
    {/if}
  {:else}
    <h1>Reset Your Password</h1>
    <p>Enter your email address and we'll send you instructions to reset your password.</p>
    <!-- Form that POSTs the email to /auth/reset-password/initiate-reset -->
    {#if error}
      <p class="error">{error}</p>
    {/if}
  {/if}

Customizing Email Templates

You can customize the email templates for verification and password reset emails:

  emailProvider: {
    // Email provider configuration
    templates: {
      verification: {
        subject: 'Verify your email address',
        textTemplate: 'Your verification code is: {{otp}}',
        htmlTemplate: '<p>Your verification code is: {{otp}}</p>'
      },
      passwordReset: {
        subject: 'Reset your password',
        textTemplate: 'Click this link to reset your password: {{url}}',
        htmlTemplate: '<p><a href="{{url}}">Click here to reset your password.</a></p>'
      }
    }
  }

Security Considerations

  1. Token Expiration: Set appropriate expiration times for verification and reset tokens. Shorter times are more secure, but might inconvenience users.

  2. Rate Limiting: Apply strict rate limits to verification and password reset endpoints to prevent abuse.

  3. Email Sending Failures: Implement proper error handling for situations where emails cannot be sent.

  4. Token Storage: Verification tokens are securely hashed before being stored in the database.

  5. Password Requirements: Enforce strong password requirements when users set new passwords during reset.

Testing

For development and testing purposes, you might want to log emails instead of sending them:

  emailProvider: {
    type: 'log',                 // Log emails to console instead of sending them
    from: 'noreply@example.com'
  }

This allows you to get verification codes and reset links without setting up an actual email service.