Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
middleware for password reset emails
branch: master

This branch is 5 commits ahead of substack:master

Merge pull request #1 from terryh/master

update example and README
latest commit 991b8bab5f
@sampepose authored



middleware for managing password reset emails

TODO: Update this README and example


var fs = require('fs');
var express = require('express');
var app = express.createServer();

app.use(require('sesame')()); // for sessions

// example nodemailer config here
var forgot = require('../../')({
  uri: 'http://localhost:8080/password_reset',
  from: 'password-robot@localhost',
  transportType: 'SMTP',
  transportOptions: {
    service: "Gmail",
    auth: {
      user: "",
      pass: "password"

app.use(forgot.middleware);'/forgot', express.bodyParser(), function(req, res) {
  var email =;

  var callback = {
    error: function(err) {
      res.end('Error sending message: ' + err);
    success: function(success) {
      res.end('Check your inbox for a password reset message.');
  var reset = forgot(email, callback);

  reset.on('request', function(req_, res_) {
    req_.session.reset = {
      email: email,
    fs.createReadStream(__dirname + '/forgot.html').pipe(res_);
});'/reset', express.bodyParser(), function(req, res) {
  if (!req.session.reset) return res.end('reset token not set');

  var password = req.body.password;
  var confirm = req.body.confirm;
  if (password !== confirm) return res.end('passwords do not match');

  // update the user db here

  delete req.session.reset;
  res.end('password reset');

console.log('Listening on :8080');


var forgot = require('password-reset')(opts)

Create a new password reset session forgot with some options opts.

opts.uri must be the location of the password reset route, such as 'http://localhost:8080/_password_reset'. A query string is appended to opts.uri with a unique one-time hash.

opts.body(uri) can be a function that takes the password reset link uri and returns the email body as a string.

The options transportType and transportOptions are passed directly to nodemailer.

When the user clicks on the uri link forgot emits a "request", req, res event.

var reset = forgot(email, cb)

Send a password reset email to the email address. cb.error(error) fires when the email sent got some error. cb.success(success) fires when the email has been sent.

forgot.middleware(req, res, next)

Use this middleware function to intercept requests on the opts.uri.


Prevent a session from being used again. Call this after you have successfully reset the password.


Pass this value to forgot.expire(id).


reset.on('request', function (req, res) { ... })

Emitted when the user clicks on the password link from the email.

reset.on('failure', function (err) { ... })

Emitted when an error occurs sending email. You can also listen for this event in forgot()'s callback.

reset.on('success', function () {})

Emitted when an email is successfully sent.


With npm do:

npm install password-reset



credits to

Substack for the original module


With npm, do:

npm test
Something went wrong with that request. Please try again.