Forms UI and Profile Update

[naveensanjula975]

No description provided.

[Copilot]

Pull request overview

This PR implements a password reset functionality using OTP (One-Time Password) instead of JWT tokens, adds email notification capabilities using Nodemailer, and makes minor adjustments to file upload validation. The changes also include database schema updates to store OTP data and updated documentation.

Changes:

• Replaced JWT-based password reset with OTP-based system (6-digit codes with 15-minute expiry)
• Added email service integration using Nodemailer for sending password reset codes
• Added database fields (resetOTP, resetOTPExpiry) to User model with corresponding migrations
• Removed GIF support from image upload middleware (now supports JPEG, PNG, WebP only)
• Added debug logging to validation and upload middleware

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
src/services/emailService.js	New email service for sending password reset OTPs via SMTP
src/routes/auth.js	Updated forgot-password and reset-password endpoints to use OTP instead of JWT
src/models/user.js	Added resetOTP and resetOTPExpiry fields to User model
src/database/migrations/20251220165748-add-reset-otp-fields.js	Empty migration file (duplicate/incomplete)
src/database/migrations/20251220000000-add-reset-otp-fields.cjs	Migration to add OTP fields to Users table
src/middleware/validation.js	Added debug logging for validation
src/middleware/upload.js	Removed GIF support and added debug logging
package.json	Added nodemailer dependency (v7.0.11)
package-lock.json	Lock file update for nodemailer
README.md	Added database setup and migration instructions
.env.example	Added SMTP configuration variables

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The warning message contains a logical error. It says "SMTP settings not missing" when it should say "SMTP settings missing" or "SMTP settings not found". The current message states the opposite of what the code is checking.

Suggested change

	console.warn('⚠️ SMTP settings not missing. Email sending functionality might fail.');
	console.warn('⚠️ SMTP settings missing. Email sending functionality might fail.');

[Copilot]

Setting rejectUnauthorized to false disables TLS certificate validation, which creates a security vulnerability by allowing man-in-the-middle attacks. While the comment mentions this is useful for development, it should be controlled by an environment variable to ensure it's never accidentally deployed to production. Consider using process.env.NODE_ENV === 'development' ? false : true or a dedicated SMTP_REJECT_UNAUTHORIZED environment variable.

[Copilot]

The password reset OTP verification lacks brute force protection. An attacker could attempt unlimited OTP guesses within the 15-minute window. With only 6 digits (1,000,000 possible combinations), this creates a security vulnerability. Consider implementing one or more protections: 1) Add a failed attempt counter with account lockout after a few failures, 2) Implement rate limiting on this endpoint, or 3) Add exponential backoff delays after failed attempts.

[Copilot]

The new password reset OTP functionality lacks test coverage. Given that the codebase has comprehensive testing (as evidenced by test files for other services and controllers), this critical security feature should have tests covering: OTP generation and storage, email sending, OTP validation (both valid and invalid cases), expiry checking, and password update flow. This is especially important for security-critical authentication flows.

[Copilot]

The OTP comparison uses a simple string equality check (user.resetOTP !== otp) which is vulnerable to timing attacks. An attacker could potentially use timing differences to determine correct OTP digits one at a time. Use crypto.timingSafeEqual() for constant-time string comparison to prevent timing attacks. Convert both strings to buffers before comparison.

[Copilot]

When email sending fails, the OTP is already saved in the database but the error response prevents the user from knowing about it. This means the OTP is stored but unusable. Consider either: 1) Wrapping both database update and email sending in a try-catch to rollback the OTP on email failure, or 2) Clearing the OTP from the database when email sending fails. Currently, the database contains an OTP that was never delivered to the user.

[Copilot]

The README.md references npm scripts (db:migrate, db:seed, db:reset) that don't exist in package.json. These scripts need to be added to package.json, or the README documentation should be updated to use the correct commands (e.g., npx sequelize-cli db:migrate).

Suggested change

	npm run db:migrate
	```
	2. **Seed Data**: Populate the database with demo users and branches.
	```bash
	npm run db:seed
	```
	**To reset the entire database (Undo all migrations, remigrate, and re-seed):**
	```bash
	npm run db:reset
	npx sequelize-cli db:migrate

2. Seed Data: Populate the database with demo users and branches.

   npx sequelize-cli db:seed

To reset the entire database (Undo all migrations, remigrate, and re-seed):

npx sequelize-cli db:migrate:undo:all && npx sequelize-cli db:migrate && npx sequelize-cli db:seed

[Copilot]

Using Math.random() for OTP generation is cryptographically insecure as Math.random() is a pseudo-random number generator not suitable for security-sensitive operations. An attacker could potentially predict OTP values. Use crypto.randomInt() instead for cryptographically secure random number generation. For example: crypto.randomInt(100000, 1000000).toString()

[Copilot]

This migration file is empty and contains only template comments with no actual migration logic. The up and down methods are empty stubs. This appears to be a duplicate of the .cjs migration file (20251220000000-add-reset-otp-fields.cjs) which contains the actual implementation. This empty migration file should be removed to avoid confusion and potential issues during migration execution.

Suggested change

	/** @type {import('sequelize-cli').Migration} */
	module.exports = {
	async up (queryInterface, Sequelize) {
	/**
	* Add altering commands here.
	*
	* Example:
	* await queryInterface.createTable('users', { id: Sequelize.INTEGER });
	*/
	},
	async down (queryInterface, Sequelize) {
	/**
	* Add reverting commands here.
	*
	* Example:
	* await queryInterface.dropTable('users');
	*/
	}
	};
	/**
	* This file is intentionally left empty.
	*
	* The actual "add reset OTP fields" migration is implemented in:
	* 20251220000000-add-reset-otp-fields.cjs
	*
	* This .js stub exists only to prevent confusion; it is not used as a
	* Sequelize migration and exports no migration logic.
	*/

[Copilot]

The resetOTP column is defined to store the raw 6-digit password reset code in plaintext, which means anyone who can read the database (including via a potential SQL injection elsewhere) can see valid reset codes and hijack accounts before they expire. Instead of persisting the raw OTP value, store only a hashed representation (similar to password hashing) and compare hashes during verification so that a database compromise does not expose usable reset codes.