Fixed issues:
- PasswordService has no new() method, use static methods directly
- Updated User model to use PasswordService::hash_password() directly
- Updated handlers to import verify_password function
- Fixed all password hashing and verification calls
Compilation errors resolved:
- error[E0599]: PasswordService::new() not found
- error[E0277]: Handler trait not implemented for setup_recovery
Files modified:
- backend/src/models/user.rs
- backend/src/handlers/auth.rs
- backend/src/auth/jwt.rs
Phase 2.4 - Password Recovery Feature
Features implemented:
- Zero-knowledge password recovery using recovery phrases
- Recovery phrases hashed with PBKDF2 (same as passwords)
- Setup recovery phrase endpoint (protected)
- Verify recovery phrase endpoint (public)
- Reset password with recovery phrase endpoint (public)
- Token invalidation on password reset
- Email verification stub fields added to User model
New API endpoints:
- POST /api/auth/recovery/setup (protected)
- POST /api/auth/recovery/verify (public)
- POST /api/auth/recovery/reset-password (public)
User model updates:
- recovery_phrase_hash field
- recovery_enabled field
- email_verified field (stub)
- verification_token field (stub)
- verification_expires field (stub)
Security features:
- Zero-knowledge proof (server never sees plaintext)
- Current password required to set/update phrase
- All tokens invalidated on password reset
- Token version incremented on password change
Files modified:
- backend/src/models/user.rs
- backend/src/handlers/auth.rs
- backend/src/main.rs
- backend/src/auth/jwt.rs
Documentation:
- backend/PASSWORD-RECOVERY-IMPLEMENTED.md
- backend/test-password-recovery.sh
- backend/PHASE-2.4-TODO.md (updated progress)
