Devlaner · nazarli-shabnam · Apr 16, 2026 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026
diff --git a/api/internal/auth/service.go b/api/internal/auth/service.go
@@ -18,19 +18,26 @@ var (
 	ErrInvalidCredentials = errors.New("invalid email or password")
 	ErrEmailTaken         = errors.New("email already registered")
 	ErrUsernameTaken      = errors.New("username already taken")
+	ErrResetTokenInvalid  = errors.New("reset token is invalid or expired")
 )
 
 const bcryptCost = 12
 
 type Service struct {
-	userStore    *store.UserStore
-	sessionStore *store.SessionStore
+	userStore       *store.UserStore
+	sessionStore    *store.SessionStore
+	resetTokenStore *store.PasswordResetTokenStore
 }
 
 func NewService(userStore *store.UserStore, sessionStore *store.SessionStore) *Service {
 	return &Service{userStore: userStore, sessionStore: sessionStore}
 }
 
+// SetResetTokenStore attaches the password reset token store (optional dependency).
+func (s *Service) SetResetTokenStore(ts *store.PasswordResetTokenStore) {
+	s.resetTokenStore = ts
+}
+
 type SignUpRequest struct {
 	Email     string `json:"email" binding:"required,email"`
 	Password  string `json:"password" binding:"required,min=8"`
@@ -145,6 +152,52 @@ func (s *Service) ChangePassword(ctx context.Context, userID uuid.UUID, currentP
 	return s.userStore.Update(ctx, u)
 }
 
+// ForgotPassword generates a reset token for the given email.
+// Returns the plain token and the user. If the email is not found, returns ("", nil, nil)
+// so callers can respond with a generic success (no user enumeration).
+func (s *Service) ForgotPassword(ctx context.Context, email string) (token string, user *model.User, err error) {
+	if s.resetTokenStore == nil {
+		return "", nil, errors.New("password reset not configured")
+	}
+	email = strings.TrimSpace(strings.ToLower(email))
+	u, err := s.userStore.GetByEmail(ctx, email)
+	if err != nil || u == nil {
+		return "", nil, nil
+	}
+	if !u.IsActive {
+		return "", nil, nil
+	}
+	token, err = s.resetTokenStore.Create(ctx, u.ID)
+	if err != nil {
+		return "", nil, err
+	}
+	return token, u, nil
+}
+
+// ResetPassword validates a reset token and sets the new password.
+func (s *Service) ResetPassword(ctx context.Context, token, newPassword string) error {
+	if s.resetTokenStore == nil {
+		return errors.New("password reset not configured")
+	}
+	rec, err := s.resetTokenStore.GetValid(ctx, token)
+	if err != nil || rec == nil {
+		return ErrResetTokenInvalid
+	}
+	u, err := s.userStore.GetByID(ctx, rec.UserID)
+	if err != nil || u == nil {
+		return ErrResetTokenInvalid
+	}
+	hash, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcryptCost)
+	if err != nil {
+		return err
+	}
+	u.Password = string(hash)
+	if err := s.userStore.Update(ctx, u); err != nil {
+		return err
+	}
+	return s.resetTokenStore.MarkUsed(ctx, rec.ID)
+}
+
 func (s *Service) createSession(ctx context.Context, userID uuid.UUID) (string, error) {
 	key := make([]byte, 20)
 	if _, err := rand.Read(key); err != nil {

diff --git a/api/internal/handler/auth.go b/api/internal/handler/auth.go
@@ -3,13 +3,16 @@ package handler
 
 import (
 	"errors"
+	"fmt"
+	"log/slog"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/Devlaner/devlane/api/internal/auth"
 	"github.com/Devlaner/devlane/api/internal/middleware"
 	"github.com/Devlaner/devlane/api/internal/model"
+	"github.com/Devlaner/devlane/api/internal/queue"
 	"github.com/Devlaner/devlane/api/internal/store"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -23,6 +26,8 @@ type AuthHandler struct {
 	Ws         *store.WorkspaceStore
 	NotifPrefs *store.UserNotificationPreferenceStore
 	ApiTokens  *store.ApiTokenStore
+	Queue      *queue.Publisher
+	AppBaseURL string
 }
 
 type SignInRequest struct {
@@ -164,6 +169,80 @@ func (h *AuthHandler) SignOut(c *gin.Context) {
 	c.Status(http.StatusNoContent)
 }
 
+type ForgotPasswordRequest struct {
+	Email string `json:"email" binding:"required,email"`
+}
+
+type ResetPasswordRequest struct {
+	Token       string `json:"token" binding:"required"`
+	NewPassword string `json:"new_password" binding:"required,min=8"`
+}
+
+// ForgotPassword generates a password-reset token and emails the user a reset link.
+// POST /auth/forgot-password/
+func (h *AuthHandler) ForgotPassword(c *gin.Context) {
+	var req ForgotPasswordRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request", "detail": err.Error()})
+		return
+	}
+
+	token, user, err := h.Auth.ForgotPassword(c.Request.Context(), req.Email)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to process request"})
+		return
+	}
+
+	// Always return success to prevent user enumeration.
+	if token == "" || user == nil {
+		c.JSON(http.StatusOK, gin.H{"message": "If that email is registered, a reset link has been sent."})
+		return
+	}
+
+	resetURL := fmt.Sprintf("%s/reset-password?token=%s", strings.TrimRight(h.AppBaseURL, "/"), token)
+
+	body := fmt.Sprintf(
+		"Hi %s,\n\nYou requested a password reset for your Devlane account.\n\nClick the link below to set a new password (valid for 30 minutes):\n%s\n\nIf you didn't request this, you can safely ignore this email.\n\n— Devlane",
+		strings.TrimSpace(user.FirstName+" "+user.LastName),
+		resetURL,
+	)
+
+	if h.Queue != nil {
+		if err := h.Queue.PublishSendEmail(c.Request.Context(), queue.SendEmailPayload{
+			To:      *user.Email,
+			Subject: "Devlane – Reset your password",
+			Body:    body,
+			Kind:    "forgot_password",
+		}); err != nil {
+			slog.Error("failed to enqueue password reset email", "email", *user.Email, "error", err)
+		}
+	} else {
+		slog.Warn("password reset link (queue not configured — use this URL to reset)",
+			"email", *user.Email, "reset_url", resetURL)
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "If that email is registered, a reset link has been sent."})
+}
+
+// ResetPassword validates the token and sets a new password.
+// POST /auth/reset-password/
+func (h *AuthHandler) ResetPassword(c *gin.Context) {
+	var req ResetPasswordRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request", "detail": err.Error()})
+		return
+	}
+	if err := h.Auth.ResetPassword(c.Request.Context(), req.Token, req.NewPassword); err != nil {
+		if err == auth.ErrResetTokenInvalid {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Reset link is invalid or has expired. Please request a new one."})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to reset password"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "Password has been reset successfully. You can now sign in."})
+}
+
 // Me returns the authenticated user.
 // GET /api/users/me/
 func (h *AuthHandler) Me(c *gin.Context) {

diff --git a/api/internal/model/password_reset_token.go b/api/internal/model/password_reset_token.go
@@ -0,0 +1,19 @@
+package model
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// PasswordResetToken stores a one-time token for "forgot password" flows.
+type PasswordResetToken struct {
+	ID        uuid.UUID `gorm:"type:uuid;primaryKey;default:gen_random_uuid()"`
+	UserID    uuid.UUID `gorm:"type:uuid;not null;index"`
+	Token     string    `gorm:"type:varchar(64);uniqueIndex;not null"`
+	ExpiresAt time.Time `gorm:"not null"`
+	UsedAt    *time.Time
+	CreatedAt time.Time
+}
+
+func (PasswordResetToken) TableName() string { return "password_reset_tokens" }
diff --git a/api/internal/router/router.go b/api/internal/router/router.go
@@ -70,8 +70,25 @@ func New(cfg Config) *gin.Engine {
 	userFavoriteStore := store.NewUserFavoriteStore(cfg.DB)
 
 	// Auth
+	passwordResetTokenStore := store.NewPasswordResetTokenStore(cfg.DB)
 	authSvc := auth.NewService(userStore, sessionStore)
-	authHandler := &handler.AuthHandler{Auth: authSvc, Settings: instanceSettingStore, Winv: workspaceInviteStore, Ws: workspaceStore, NotifPrefs: userNotifPrefStore, ApiTokens: apiTokenStore}
+	authSvc.SetResetTokenStore(passwordResetTokenStore)
+
+	appBaseURL := cfg.AppBaseURL
+	if appBaseURL == "" {
+		appBaseURL = cfg.CORSAllowOrigin
+	}
+
+	authHandler := &handler.AuthHandler{
+		Auth:       authSvc,
+		Settings:   instanceSettingStore,
+		Winv:       workspaceInviteStore,
+		Ws:         workspaceStore,
+		NotifPrefs: userNotifPrefStore,
+		ApiTokens:  apiTokenStore,
+		Queue:      cfg.Queue,
+		AppBaseURL: appBaseURL,
+	}
 	// Instance setup (no auth) — first-run flow; seeds general settings (instance_id, admin_email, instance_name)
 	instanceHandler := &handler.InstanceHandler{Auth: authSvc, Users: userStore, Settings: instanceSettingStore}
 	r.GET("/api/instance/setup-status/", instanceHandler.SetupStatus)
@@ -99,12 +116,6 @@ func New(cfg Config) *gin.Engine {
 	stickySvc := service.NewStickyService(stickyStore, workspaceStore)
 	recentVisitSvc := service.NewRecentVisitService(userRecentVisitStore, workspaceStore, issueStore, projectStore, pageStore)
 
-	// Base URL for invite links (e.g. email links to frontend)
-	appBaseURL := cfg.AppBaseURL
-	if appBaseURL == "" {
-		appBaseURL = cfg.CORSAllowOrigin
-	}
-
 	// Handlers
 	workspaceHandler := &handler.WorkspaceHandler{
 		Workspace:  workspaceSvc,
@@ -277,6 +288,8 @@ func New(cfg Config) *gin.Engine {
 		authGroup.POST("/sign-in/", authHandler.SignIn)
 		authGroup.POST("/sign-up/", authHandler.SignUp)
 		authGroup.POST("/sign-out/", authHandler.SignOut)
+		authGroup.POST("/forgot-password/", authHandler.ForgotPassword)
+		authGroup.POST("/reset-password/", authHandler.ResetPassword)
 	}
 
 	// Legacy /api/v1

diff --git a/api/internal/store/password_reset_token.go b/api/internal/store/password_reset_token.go
@@ -0,0 +1,65 @@
+package store
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"time"
+
+	"github.com/Devlaner/devlane/api/internal/model"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+const resetTokenExpireMinutes = 30
+
+type PasswordResetTokenStore struct{ db *gorm.DB }
+
+func NewPasswordResetTokenStore(db *gorm.DB) *PasswordResetTokenStore {
+	return &PasswordResetTokenStore{db: db}
+}
+
+// Create generates a cryptographically random token, stores it, and returns the plain token.
+func (s *PasswordResetTokenStore) Create(ctx context.Context, userID uuid.UUID) (string, error) {
+	// Invalidate any existing unused tokens for this user.
+	s.db.WithContext(ctx).
+		Where("user_id = ? AND used_at IS NULL", userID).
+		Delete(&model.PasswordResetToken{})
+
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	token := hex.EncodeToString(b)
+	rec := &model.PasswordResetToken{
+		ID:        uuid.New(),
+		UserID:    userID,
+		Token:     token,
+		ExpiresAt: time.Now().UTC().Add(time.Duration(resetTokenExpireMinutes) * time.Minute),
+	}
+	if err := s.db.WithContext(ctx).Create(rec).Error; err != nil {
+		return "", err
+	}
+	return token, nil
+}
+
+// GetValid returns the token record if it exists, has not expired, and has not been used.
+func (s *PasswordResetTokenStore) GetValid(ctx context.Context, token string) (*model.PasswordResetToken, error) {
+	var rec model.PasswordResetToken
+	err := s.db.WithContext(ctx).
+		Where("token = ? AND expires_at > ? AND used_at IS NULL", token, time.Now().UTC()).
+		First(&rec).Error
+	if err != nil {
+		return nil, err
+	}
+	return &rec, nil
+}
+
+// MarkUsed sets used_at so the token cannot be reused.
+func (s *PasswordResetTokenStore) MarkUsed(ctx context.Context, id uuid.UUID) error {
+	now := time.Now().UTC()
+	return s.db.WithContext(ctx).
+		Model(&model.PasswordResetToken{}).
+		Where("id = ?", id).
+		Update("used_at", now).Error
+}
diff --git a/api/migrations/000002_password_reset_tokens.down.sql b/api/migrations/000002_password_reset_tokens.down.sql
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS password_reset_tokens;
diff --git a/api/migrations/000002_password_reset_tokens.up.sql b/api/migrations/000002_password_reset_tokens.up.sql
@@ -0,0 +1,10 @@
+CREATE TABLE IF NOT EXISTS password_reset_tokens (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id UUID NOT NULL REFERENCES users (id) ON DELETE CASCADE,
+    token VARCHAR(64) NOT NULL UNIQUE,
+    expires_at TIMESTAMPTZ NOT NULL,
+    used_at TIMESTAMPTZ,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_password_reset_tokens_user ON password_reset_tokens (user_id);
+CREATE INDEX IF NOT EXISTS idx_password_reset_tokens_token ON password_reset_tokens (token);
diff --git a/ui/src/api/types.ts b/ui/src/api/types.ts
@@ -301,6 +301,17 @@ export interface SignUpRequest {
   invite_token?: string;
 }
 
+/** POST /auth/forgot-password/ request */
+export interface ForgotPasswordRequest {
+  email: string;
+}
+
+/** POST /auth/reset-password/ request */
+export interface ResetPasswordRequest {
+  token: string;
+  new_password: string;
+}
+
 /** Instance settings: section key -> value object (from GET /api/instance/settings/) */
 export type InstanceSettingsResponse = Record<string, Record<string, unknown>>;
 

diff --git a/ui/src/components/layout/ModuleDetailHeader.tsx b/ui/src/components/layout/ModuleDetailHeader.tsx
@@ -6,7 +6,6 @@ import { DateRangeModal } from '../workspace-views/DateRangeModal';
 import { ProjectIconDisplay } from '../ProjectIconModal';
 import { ModuleWorkItemsFiltersPanel } from '../module-work-items/ModuleWorkItemsToolbarPanels';
 import { ProjectIssuesDisplayPanel } from '../project-issues/ProjectIssuesDisplayPanel';
-import { ProjectSectionNavChevron } from './ProjectSectionNavChevron';
 import { workspaceService } from '../../services/workspaceService';
 import { stateService } from '../../services/stateService';
 import { cycleService } from '../../services/cycleService';
@@ -395,7 +394,7 @@ export function ModuleDetailHeader({
           </span>
           {projectName}
         </Link>
-        <ProjectSectionNavChevron baseUrl={baseUrl} currentSection="modules" />
+        <span className="shrink-0 text-(--txt-placeholder)" aria-hidden>/</span>
         <Link
           to={`${baseUrl}/modules`}
           className="flex shrink-0 items-center gap-1.5 truncate font-medium text-(--txt-secondary) no-underline hover:text-(--txt-primary) hover:underline"
@@ -405,7 +404,7 @@ export function ModuleDetailHeader({
           </span>
           Modules
         </Link>
-        <ProjectSectionNavChevron baseUrl={baseUrl} currentSection="modules" />
+        <span className="shrink-0 text-(--txt-placeholder)" aria-hidden>/</span>
         <div ref={dropdownRef} className="relative flex min-w-0 shrink-0 items-center">
           <button
             type="button"

diff --git a/ui/src/components/layout/PageHeader.tsx b/ui/src/components/layout/PageHeader.tsx
@@ -58,7 +58,6 @@ import { PROJECT_VIEWS_FILTER_EVENT } from '../../lib/projectViewsEvents';
 import { slugify } from '../../lib/slug';
 import { MODULE_WORK_ITEMS_COUNT_EVENT } from '../../lib/moduleWorkItemsPrefs';
 import { ModuleDetailHeader } from './ModuleDetailHeader';
-import { ProjectSectionNavChevron } from './ProjectSectionNavChevron';
 
 export type ProjectSection = 'issues' | 'cycles' | 'modules' | 'views' | 'pages';
 
@@ -2296,7 +2295,7 @@ function ProjectSectionHeader({
             </div>
           </div>
         )}
-        <ProjectSectionNavChevron baseUrl={baseUrl} currentSection={section} />
+        <span className="shrink-0 text-(--txt-placeholder)" aria-hidden>/</span>
         <ProjectSectionDropdown
           baseUrl={baseUrl}
           currentSection={section}