How to Handle Password Reset Token Event

In this guide, you'll learn how to handle the auth.password_reset event, which is emitted when a request is sent to the Generate Reset Password Token API route.

You'll create a subscriber that listens to the event. When the event is emitted, the subscriber sends an email notification to the user.

1. Create Subscriber#

The first step is to create a subscriber that listens to the auth.password_reset and sends the user a notification with instructions to reset their password.

Create the file src/subscribers/handle-reset.ts with the following content:

src/subscribers/handle-reset.ts
5import { Modules } from "@medusajs/framework/utils"6
7export default async function resetPasswordTokenHandler({8  event: { data: {9    entity_id: email,10    token,11    actor_type,12  } },13  container,14}: SubscriberArgs<{ entity_id: string, token: string, actor_type: string }>) {15  const notificationModuleService = container.resolve(16    Modules.NOTIFICATION17  )18
19  const urlPrefix = actor_type === "customer" ? 20    "https://storefront.com" : 21    "https://admin.com"22
23  await notificationModuleService.createNotifications({24    to: email,25    channel: "email",26    template: "reset-password-template",27    data: {28      // a URL to a frontend application29      url: `${urlPrefix}/reset-password?token=${token}&email=${email}`,30    },31  })32}33
34export const config: SubscriberConfig = {35  event: "auth.password_reset",36}

You subscribe to the auth.password_reset event. The event has a data payload object with the following properties:

  • entity_id: The identifier of the user. When using the emailpass provider, it's the user's email.
  • token: The token to reset the user's password.
  • actor_type: The user's actor type. For example, if the user is a customer, the actor_type is customer. If it's an admin user, the actor_type is user.
NoteThis event's payload previously had an actorType field. It was renamed to actor_type after Medusa v2.0.7.

In the subscriber, you:

  • Decide the frontend URL based on whether the user is a customer or admin user by checking the value of actor_type.
  • Resolve the Notification Module and use its createNotifications method to send the notification.
  • You pass to the createNotifications method an object having the following properties:
    • to: The identifier to send the notification to, which in this case is the email.
    • channel: The channel to send the notification through, which in this case is email.
    • template: The template ID in the third-party service.
    • data: The data payload to pass to the template. You pass the URL to redirect the user to. You must pass the token and email in the URL so that the frontend can send them later to the Medusa application when reseting the password.

2. Test it Out: Generate Reset Password Token#

To test the subscriber out, send a request to the /auth/{actor_type}/{auth_provider}/reset-password API route, replacing {actor_type} and {auth_provider} with the user's actor type and provider used for authentication respectively.

For example, to generate a reset password token for an admin user using the emailpass provider, send the following request:

Code
1curl --location 'http://localhost:9000/auth/user/emailpass/reset-password' \2--header 'Content-Type: application/json' \3--data-raw '{4    "identifier": "admin-test@gmail.com"5}'

In the request body, you must pass an identifier parameter. Its value is the user's identifier, which is the email in this case.

If the token is generated successfully, the request returns a response with 201 status code. In the terminal, you'll find the following message indicating that the auth.password_reset event was emitted and your subscriber ran:

Code
info:    Processing auth.password_reset which has 1 subscribers

The notification is sent to the user with the frontend URL to enter a new password.


Next Steps: Implementing Frontend#

In your frontend, you must have a page that accepts token and email query parameters.

The page shows the user password fields to enter their new password, then submits the new password, token, and email to the Reset Password Route.

Examples#

Was this page helpful?
Edit this page