
Conversation

@Shazzz135 Shazzz135 (Collaborator) commented Jan 19, 2026

This pull request introduces a 24-hour rate limiting mechanism for password resets, improves backend and frontend handling of password reset and authentication errors, and enhances user experience by providing clearer error messages and preventing password reuse. The backend now tracks the last password reset time for each user and enforces the rate limit, while the frontend consistently displays server-provided error messages. Several API error response types have also been standardized.

Backend: Password Reset Rate Limiting and Security Enhancements

  • Added a new middleware passwordResetRateLimiter that enforces a 24-hour rate limit on password reset requests per user, using a new lastPasswordResetAt field on the User model. This middleware is now applied to the /forgot-password route.
  • Updated the password reset logic to prevent users from reusing their current password and to update the lastPasswordResetAt timestamp upon a successful password reset.

Frontend: Error Handling and User Feedback Improvements

  • Standardized error response handling across all authentication-related API calls to consistently extract and display error messages from the new error response structure.
  • Updated the new password form to redirect users to a dedicated success page after resetting their password and to show server-provided error messages directly, improving clarity for end users.

API Types and Documentation

  • Updated the ErrorResponse type to include a structured error object with code, message, and optional details, standardizing error payloads across the frontend and backend.
  • Improved documentation and comments throughout the codebase for new and updated features.

These changes collectively improve security, user experience, and maintainability of the password reset and authentication flows.

… errors | flow: -> new-password -> new-password-made -> login

Final PR request!
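The mechanism the description above outlines, as an added example that is not the project's code: a framework-agnostic TypeScript sketch of the 24-hour cooldown computed from lastPasswordResetAt, the structured error payload with code, message and optional details, and the reuse check that runs before a new password is stored. The names User, checkPasswordResetCooldown, hashPassword, isSamePassword and resetPassword, the salt:hash storage format and the use of scrypt are assumptions for illustration; the project's own middleware and model are not shown on this page.

```typescript
// Added example, not the project's code. Names and the storage format are assumptions.
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";

export const RESET_COOLDOWN_MS = 24 * 60 * 60 * 1000;

// Structured error payload in the shape the PR describes: code, message, optional details.
export interface ErrorResponse {
  error: { code: string; message: string; details?: Record<string, unknown> };
}

export interface User {
  email: string;
  passwordHash: string;            // "saltHex:hashHex" (assumed storage format)
  lastPasswordResetAt: Date | null; // null until the first successful reset
}

// Returns null when a reset may proceed, or an ErrorResponse when the user is
// still inside the 24-hour window since the last successful reset.
export function checkPasswordResetCooldown(user: User, now: Date = new Date()): ErrorResponse | null {
  if (!user.lastPasswordResetAt) return null;
  const elapsed = now.getTime() - user.lastPasswordResetAt.getTime();
  if (elapsed >= RESET_COOLDOWN_MS) return null;
  return {
    error: {
      code: "PASSWORD_RESET_RATE_LIMITED",
      message: "Password was reset recently. Please try again later.",
      details: { retryAfterMs: RESET_COOLDOWN_MS - elapsed },
    },
  };
}

// Derives a salted scrypt hash; the salt is stored alongside the hash.
export function hashPassword(password: string, salt: Buffer = randomBytes(16)): string {
  const hash = scryptSync(password, salt, 32);
  return `${salt.toString("hex")}:${hash.toString("hex")}`;
}

// Constant-time comparison of a candidate password against the stored hash.
export function isSamePassword(candidate: string, storedHash: string): boolean {
  const [saltHex, hashHex] = storedHash.split(":");
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(candidate, Buffer.from(saltHex, "hex"), expected.length);
  return timingSafeEqual(actual, expected);
}

// Applies a new password: rejects reuse of the current one, otherwise stores the
// new hash and stamps lastPasswordResetAt so the cooldown window starts.
export function resetPassword(user: User, newPassword: string, now: Date = new Date()): ErrorResponse | null {
  if (isSamePassword(newPassword, user.passwordHash)) {
    return {
      error: { code: "PASSWORD_REUSE", message: "New password must differ from the current password." },
    };
  }
  user.passwordHash = hashPassword(newPassword);
  user.lastPasswordResetAt = now;
  return null;
}
```

Keeping the cooldown decision in a pure function of the stored timestamp and the current time makes it unit-testable without an HTTP framework; the route-level middleware the PR describes would call it on /forgot-password and send the returned ErrorResponse. The user-facing message stays generic, and the remaining wait lives only in details, so the frontend can choose how much of it to show.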

Copilot AI left a comment

Pull request overview

This pull request introduces a password reset rate limiting mechanism, prevents password reuse during resets, and standardizes error handling across the authentication flow. The changes improve security and user experience by enforcing a 24-hour cooldown on password reset requests and providing clearer error messages from the backend to the frontend.

Changes:

  • Added rate limiting middleware to prevent password reset abuse
  • Implemented password reuse prevention in the reset flow
  • Standardized error response structure across frontend and backend
  • Updated password reset flow to redirect to a success page instead of dashboard

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Summary per file:

  • backend/src/middleware/authMiddleware.ts: Added passwordResetRateLimiter middleware to enforce 24-hour rate limit on password resets
  • backend/src/models/user.ts: Added lastPasswordResetAt field to track password reset timestamps for rate limiting
  • backend/src/routes/authRoutes.ts: Applied rate limiter to /forgot-password, added password reuse check, and updated lastPasswordResetAt timestamp
  • frontend/src/features/auth/types/authTypes.ts: Updated ErrorResponse interface to use structured error object with code, message, and optional details
  • frontend/src/features/auth/services/authApi.ts: Updated all API error handlers to extract messages from new error structure with try-catch for JSON parsing
  • frontend/src/features/auth/components/NewPassword.tsx: Changed redirect from dashboard to success page and improved error message display
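The frontend side of the error handling summarized in the review above, as an added example that is not the project's code: a small extractor that reads the message out of a response body in the { error: { code, message, details? } } shape and falls back to a generic message when the body is empty, is an HTML error page, or is JSON of the old unstructured shape. The names extractErrorMessage, isErrorResponse and GENERIC_ERROR are assumptions; the project's authApi.ts is not shown on this page.

```typescript
// Added example, not the project's code. Names are assumptions.
export const GENERIC_ERROR = "Something went wrong. Please try again.";

export interface ErrorResponse {
  error: { code: string; message: string; details?: Record<string, unknown> };
}

// Runtime shape check so that a 502 page or an old-style payload never reaches the UI as a message.
function isErrorResponse(value: unknown): value is ErrorResponse {
  if (typeof value !== "object" || value === null) return false;
  const err = (value as { error?: unknown }).error;
  return (
    typeof err === "object" &&
    err !== null &&
    typeof (err as { code?: unknown }).code === "string" &&
    typeof (err as { message?: unknown }).message === "string"
  );
}

// rawBody is the raw response text; malformed JSON is caught rather than thrown
// so that the caller always gets a string to display.
export function extractErrorMessage(rawBody: string): string {
  try {
    const parsed: unknown = JSON.parse(rawBody);
    return isErrorResponse(parsed) ? parsed.error.message : GENERIC_ERROR;
  } catch {
    return GENERIC_ERROR;
  }
}
```

Validating the shape at runtime matters because a proxy or gateway in front of the backend can answer with a non-JSON body; a bare JSON.parse in each handler would turn that into an unhandled exception instead of a readable message.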


@Flapjacck Flapjacck (Member) left a comment

LGTM

@Flapjacck Flapjacck merged commit 999b412 into main Jan 19, 2026
8 checks passed
3 participants