Authentication

Forgot password

Email submission triggers a reset confirmation; rate limit prevents spam.

User story

As a user who forgot my password, I want to request a reset link and see clear feedback that an email is on its way.

Acceptance criteria

  • Email field validates format before submitting
  • Successful submission reveals confirmation copy
  • Rate limit kicks in after 3 attempts in 60s
  • The form can be completed and submitted using keyboard navigation alone

Manual test steps

  1. Open /forgot-password
  2. Enter demo@hakdogan.com
  3. Submit the form
  4. Wait for confirmation banner

Expected result

A confirmation banner reads 'Reset link sent' even if the email does not exist, so the response gives no indication of whether an account is registered (the same copy for every address, to prevent account enumeration).

Possible bug risks

  • Reveals whether email exists (account enumeration)
  • Reset email contains a token that does not expire
  • Rate limit not enforced on the API route

Reference Playwright spec

forgot-password.spec.ts
import { test, expect } from '@playwright/test';

test('forgot password confirmation @regression', async ({ page }) => {
  await page.goto('https://lab.hakdogan.com/forgot-password');
  await page.getByLabel(/email/i).fill('demo@hakdogan.com');
  await page.getByRole('button', { name: /send reset/i }).click();

  await expect(page.getByText(/reset link sent/i)).toBeVisible();
});