Sindbad~EG File Manager

# Password Reset System - Installation & Testing Guide

## ✅ Files Created

1. **forgot-password.php** - Request password reset
2. **reset-password.php** - Set new password with token
3. **EmailService::sendPasswordResetEmail()** - Instant email delivery

---

## 🗄️ Database Table

The system automatically creates the `password_resets` table on first use:

```sql
CREATE TABLE IF NOT EXISTS password_resets (
    id INT PRIMARY KEY AUTO_INCREMENT,
    user_id INT NOT NULL,
    user_type ENUM('admin', 'member') NOT NULL,
    email VARCHAR(255) NOT NULL,
    token VARCHAR(255) NOT NULL,
    expires_at DATETIME NOT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    used TINYINT(1) DEFAULT 0,
    UNIQUE KEY unique_user (user_id, user_type),
    INDEX idx_token (token),
    INDEX idx_expires (expires_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
```

**No manual installation needed!** Table is created automatically.

---

## 🔐 Features

### **For Users:**
- ✅ Separate flows for Admin & Member
- ✅ Email validation
- ✅ Token-based reset (64 characters)
- ✅ 1-hour expiration
- ✅ One-time use tokens
- ✅ Password strength indicator
- ✅ Real-time password match validation
- ✅ Security best practices

### **Email Features:**
- ⚡ **Instant delivery** (not queued)
- 🎨 Professional HTML template
- 🔗 Clickable reset button
- 📋 Plain text URL fallback
- ⏰ Expiration warning
- 🛡️ Security notices

---

## 🧪 Testing Guide

### **Test Member Password Reset:**

1. **Request Reset:**
   - Go to `http://localhost/copmadinaarea/forgot-password.php`
   - Select "Member"
   - Enter member email
   - Click "Send Reset Link"

2. **Check Email:**
   - Email arrives instantly
   - Click "Reset Password" button
   - Or copy/paste URL

3. **Reset Password:**
   - Enter new password (min 6 characters)
   - Confirm password
   - See password strength indicator
   - Click "Reset Password"

4. **Login:**
   - Go to member login
   - Use new password
   - Success! ✓

### **Test Admin Password Reset:**

1. **Request Reset:**
   - Go to `http://localhost/copmadinaarea/forgot-password.php`
   - Select "Admin"
   - Enter admin email
   - Click "Send Reset Link"

2. **Follow same steps** as member test

---

## 📧 Email Template

**Subject:** Password Reset Request

**Content:**
```
┌──────────────────────────────────────┐
│  Password Reset Request              │
│                                      │
│  Dear [Name],                        │
│  We received a request to reset...   │
│                                      │
│  [  Reset Password  ] ← Button       │
│                                      │
│  Link: https://...                   │
│  Expires: 1 hour                     │
│                                      │
│  Security notice...                  │
└──────────────────────────────────────┘
```

---

## 🔒 Security Features

| Feature | Implementation |
|---------|----------------|
| **Token Length** | 64 characters (32 bytes hex) |
| **Expiration** | 1 hour |
| **One-time Use** | Token marked as used after reset |
| **Unique Constraint** | One active reset per user |
| **HTTPS Ready** | Works with SSL/TLS |
| **Email Privacy** | Doesn't reveal if email exists |
| **Password Hashing** | PHP password_hash() |

---

## 🎯 User Flow

### **Complete Password Reset Flow:**

```
User forgets password
    ↓
Goes to forgot-password.php
    ↓
Selects user type (Admin/Member)
    ↓
Enters email address
    ↓
Clicks "Send Reset Link"
    ↓
Email sent instantly ⚡
    ↓
User opens email
    ↓
Clicks reset button/link
    ↓
Redirected to reset-password.php?token=xxx&type=xxx
    ↓
Token validated (not expired, not used)
    ↓
Enter new password
    ↓
Password strength checked
    ↓
Confirm password match
    ↓
Click "Reset Password"
    ↓
Password updated in database
    ↓
Token marked as used
    ↓
Success! Redirect to login
    ↓
Login with new password ✓
```

---

## 🔗 Integration Points

### **Login Pages Already Updated:**

**login.php (Member):**
```html
<a href="forgot-password.php">Forgot password?</a>
```

**admin-login.php (Admin):**
```html
<a href="forgot-password.php">Forgot password?</a>
```

Both pages have working "Forgot password?" links!

---

## 💾 Database Updates

**For Admin Users:**
```sql
UPDATE users SET password = '[hashed]' WHERE id = ?
```

**For Member Users:**
```sql
UPDATE member_accounts SET password_hash = '[hashed]' WHERE member_id = ?
```

---

## ⚠️ Requirements

✅ **Email Service Enabled** - SMTP must be configured
✅ **EmailService Class** - Already created
✅ **Symfony Mailer** - For sending emails
✅ **Database Access** - For token storage

---

## 🎨 UI Features

### **Forgot Password Page:**
- 🎯 User type selector (Member/Admin)
- 📧 Email input field
- 🎨 Gradient design (blue-purple-yellow)
- 📱 Fully responsive
- ✅ Success/error messages
- 🔙 Links to both login pages

### **Reset Password Page:**
- 🔐 New password field
- 🔁 Confirm password field
- 👁️ Show/hide password toggle
- 📊 Password strength meter
- ✓ Real-time match validation
- ⏰ Token expiration handling
- 🎉 Success confirmation

---

## 🐛 Troubleshooting

### **Email Not Arriving:**
1. Check SMTP settings in database
2. Check email_settings table `is_enabled = 1`
3. Check PHP error logs
4. Test with `fix_smtp_settings.php`

### **Invalid Token:**
1. Token expires after 1 hour
2. Token can only be used once
3. Check link was copied correctly
4. Request new reset if expired

### **Password Not Updating:**
1. Check password meets requirements (6+ chars)
2. Check passwords match
3. Verify database connection
4. Check user exists in database

---

## 🚀 Production Tips

1. **Use HTTPS** - Protect reset tokens in transit
2. **Rate Limiting** - Prevent abuse (max 3 requests/hour)
3. **Email Logging** - Track reset attempts
4. **Monitor Tokens** - Clean up expired tokens (cron job)
5. **User Notifications** - Alert on successful reset

---

## 📝 Maintenance

### **Clean Up Old Tokens (Optional Cron Job):**

```sql
DELETE FROM password_resets 
WHERE expires_at < NOW() 
OR (used = 1 AND created_at < DATE_SUB(NOW(), INTERVAL 7 DAY))
```

Run weekly to keep table clean.

---

## ✨ Summary

- ✅ **Both admin and member password reset working**
- ✅ **Instant email delivery** (not queued)
- ✅ **Professional UI** with gradient design
- ✅ **Secure tokens** with expiration
- ✅ **Password strength validation**
- ✅ **One-time use tokens**
- ✅ **Automatic table creation**
- ✅ **Fully responsive design**

**Ready to use!** No additional installation required. Just test with a valid email address! 🎉