feat: password reset url is configurable

Author: rrd108

docs/api/types.md

@@ -126,7 +126,7 @@ interface RuntimeModuleOptions {
     passwordResetTokens?: string
   }
   mailer?: MailerOptions
-  passwordResetBaseUrl?: string
+  passwordResetUrl?: string
   auth?: {
     whitelist?: string[]
     tokenExpiration?: number
@@ -161,7 +161,7 @@ interface ModuleOptions {
     passwordResetTokens: string
   }
   mailer?: MailerOptions
-  passwordResetBaseUrl?: string
+  passwordResetUrl: string
   auth: {
     whitelist: string[]
     tokenExpiration: number

docs/examples/advanced-configuration.md

@@ -39,8 +39,8 @@ export default defineNuxtConfig({
       }
     },
 
-    // Production URLs
-    passwordResetBaseUrl: process.env.PASSWORD_RESET_BASE_URL || 'https://myapp.com',
+    // Password reset URL path
+    passwordResetUrl: process.env.PASSWORD_RESET_URL || '/reset-password',
 
     // Security settings
     auth: {

docs/user-guide/configuration.md

@@ -59,8 +59,8 @@ export default defineNuxtConfig({
       }
     },
 
-    // Password reset URL
-    passwordResetBaseUrl: 'https://yourapp.com',
+    // Password reset URL path
+    passwordResetUrl: '/reset-password',
 
     // Authentication settings
     auth: {
@@ -159,7 +159,7 @@ nuxtUsers: {
       from: '"My App" <noreply@example.com>'
     }
   },
-  passwordResetBaseUrl: 'http://localhost:3000'
+  passwordResetUrl: '/reset-password'
 }
 ```
 
@@ -181,7 +181,7 @@ nuxtUsers: {
       from: '"Your App" <noreply@yourapp.com>'
     }
   },
-  passwordResetBaseUrl: 'https://yourapp.com'
+  passwordResetUrl: '/reset-password'
 }
 ```
 
@@ -248,7 +248,7 @@ nuxtUsers: {
 }
 ```
 
-**Note:** Login (`/login`) and password reset routes are always whitelisted automatically.
+**Note:** Login (`/login`), password reset page (default `/reset-password` or your custom `passwordResetUrl`), and password reset API endpoints are always whitelisted automatically.
 
 ### Role-Based Access Control (RBAC)
 
@@ -397,7 +397,7 @@ export default defineNuxtConfig({
       }
     },
 
-    passwordResetBaseUrl: process.env.PASSWORD_RESET_BASE_URL,
+    passwordResetUrl: process.env.PASSWORD_RESET_URL || '/reset-password',
 
     auth: {
       tokenExpiration: Number(process.env.TOKEN_EXPIRATION) || 1440
@@ -428,7 +428,7 @@ MAILER_PASS=app_specific_password
 MAILER_FROM="My App <noreply@myapp.com>"
 
 # URLs
-PASSWORD_RESET_BASE_URL=https://myapp.com
+PASSWORD_RESET_URL=/auth/reset-password
 
 # Auth
 TOKEN_EXPIRATION=1440
@@ -474,7 +474,7 @@ const defaults = {
       from: '"Nuxt Users Module" <noreply@example.com>'
     }
   },
-  passwordResetBaseUrl: 'http://localhost:3000',
+  passwordResetUrl: '/reset-password',
   auth: {
     whitelist: [],
     tokenExpiration: 1440,

docs/user-guide/installation.md

@@ -58,8 +58,8 @@ export default defineNuxtConfig({
     //     from: '"Your App Name" <noreply@example.com>',
     //   },
     // },
-    // Optional: Configure base URL for password reset links
-    // passwordResetBaseUrl: 'http://localhost:3000', // Default
+    // Optional: Configure URL path for password reset page
+    // passwordResetUrl: '/reset-password', // Default
   }
 })
 ```

docs/user-guide/password-reset.md

@@ -30,6 +30,52 @@ https://yourapp.com/reset-password?token=abc123...&email=user@example.com
 
 Your reset password page should read these query parameters to populate the reset form.
 
+## Reset URL Configuration
+
+The module automatically constructs password reset URLs using your application's base URL and the configured path.
+
+### Default Behavior
+
+By default, reset links use `/reset-password` as the path:
+
+```
+https://yourapp.com/reset-password?token=abc123...&email=user@example.com
+```
+
+### Custom Reset URL Path
+
+You can customize the path portion of the reset URL:
+
+```ts
+nuxtUsers: {
+  passwordResetUrl: '/auth/reset-password', // Custom path
+}
+```
+
+This will generate reset links like:
+
+```
+https://yourapp.com/auth/reset-password?token=abc123...&email=user@example.com
+```
+
+### Zero Configuration
+
+The module automatically detects your application's base URL from the incoming request, so you don't need to configure a full base URL. The system intelligently combines:
+
+- **Request host**: Automatically detected from headers
+- **Protocol**: Detected from `x-forwarded-proto` header or defaults to `http`
+- **Reset path**: Your configured `passwordResetUrl` (default: `/reset-password`)
+
+### Development vs Production
+
+**Development** (automatic detection):
+- Request to `http://localhost:3000` → Reset URL: `http://localhost:3000/reset-password`
+
+**Production** (automatic detection):
+- Request to `https://myapp.com` → Reset URL: `https://myapp.com/reset-password`
+
+No manual configuration of base URLs required!
+
 ## Configuration
 
 Configure the mailer in your `nuxt.config.ts`:
@@ -57,7 +103,7 @@ export default defineNuxtConfig({
         from: '"Your App" <noreply@yourapp.com>',
       },
     },
-    passwordResetBaseUrl: 'https://yourapp.com', // Base URL for reset links
+    passwordResetUrl: '/reset-password', // URL path for password reset page
   }
 })
 ```
@@ -81,7 +127,7 @@ nuxtUsers: {
       from: '"My Nuxt App" <noreply@example.com>',
     },
   },
-  passwordResetBaseUrl: 'http://localhost:3000',
+  passwordResetUrl: '/reset-password', // Custom URL path (optional)
 }
 ```
 

package.json

@@ -66,7 +66,7 @@
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
     "pretest": "node -v | grep -q 'v22' || (echo 'Please use Node.js v22 for testing' && exit 1)",
-    "test:types": "vue-tsc --noEmit && cd playground && vue-tsc --noEmit",
+    "test:types": "yarn dev:prepare && vue-tsc --noEmit && cd playground && vue-tsc --noEmit",
     "test:unit": "./scripts/test-unit.sh",
     "test:sqlite": "./scripts/test-sqlite.sh",
     "test:mysql": "./scripts/test-mysql.sh",

src/module.ts

@@ -28,7 +28,7 @@ export const defaultOptions: ModuleOptions = {
       from: '"Nuxt Users Module" <noreply@example.com>',
     },
   },
-  passwordResetBaseUrl: 'http://localhost:3000',
+  passwordResetUrl: '/reset-password',
   auth: {
     whitelist: [],
     tokenExpiration: 24 * 60, // 24 hours
@@ -61,6 +61,7 @@ export default defineNuxtModule<RuntimeModuleOptions>({
     nuxt.options.runtimeConfig.nuxtUsers = {
       ...runtimeConfigOptions,
       apiBasePath: options.apiBasePath || defaultOptions.apiBasePath,
+      passwordResetUrl: options.passwordResetUrl || defaultOptions.passwordResetUrl,
       tables: {
         migrations: options.tables?.migrations || defaultOptions.tables.migrations,
         users: options.tables?.users || defaultOptions.tables.users,

src/runtime/constants.ts

@@ -1,5 +1,5 @@
 // Page routes that don't require authentication
-export const NO_AUTH_PATHS = ['/login']
+export const NO_AUTH_PATHS = ['/login', '/reset-password']
 
 // API routes that don't require authentication (will be prefixed with apiBasePath)
 export const NO_AUTH_API_PATHS = ['/session', '/password/forgot', '/password/reset']

src/runtime/server/api/nuxt-users/password/forgot.post.ts

@@ -1,4 +1,4 @@
-import { defineEventHandler, readBody, createError } from 'h3'
+import { defineEventHandler, readBody, createError, getHeader } from 'h3'
 import { sendPasswordResetLink } from '../../../services/password'
 import { useRuntimeConfig } from '#imports'
 import type { ModuleOptions } from 'nuxt-users/utils'
@@ -18,7 +18,12 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
-    await sendPasswordResetLink(email, options)
+    // Try to determine the base URL from the request
+    const host = getHeader(event, 'host')
+    const protocol = getHeader(event, 'x-forwarded-proto') || 'http'
+    const baseUrl = host ? `${protocol}://${host}` : undefined
+
+    await sendPasswordResetLink(email, options, baseUrl)
     // Always return a success-like message to prevent email enumeration
     return { message: 'If a user with that email exists, a password reset link has been sent.' }
   }

src/runtime/server/middleware/authorization.server.ts

@@ -20,8 +20,14 @@ export default defineEventHandler(async (event) => {
     return
   }
 
-  // internal no-auth paths (e.g., /login)
-  if (NO_AUTH_PATHS.includes(event.path)) {
+  // internal no-auth paths (e.g., /login, /reset-password) and custom password reset URL
+  const noAuthPaths = [...NO_AUTH_PATHS]
+  // Add custom password reset URL if different from default
+  if (options.passwordResetUrl && options.passwordResetUrl !== '/reset-password') {
+    noAuthPaths.push(options.passwordResetUrl)
+  }
+
+  if (noAuthPaths.includes(event.path)) {
     console.log(`[Nuxt Users] server.middleware.auth.global: NO_AUTH_PATH: ${event.path}`)
     return
   }