Implement comprehensive account management: profile editing, hiring availability, and credential lifecycle #335

@moheladwy

Description

Overview

Build a robust account management system that lets users manage their public profile information, hiring availability, and the full credential lifecycle (email/password change, password reset, forgotten-password recovery). This lays the foundation for future security and personalization features.

Functional Areas

  1. Profile Editing
  2. Hiring Availability Toggle
  3. Credential & Security Management
  4. Audit & Notifications

1. Profile Editing

Fields (example):

  • Display name
  • Headline / short bio
  • Location / timezone
  • Skills / expertise tags
  • Avatar image
  • Social / portfolio links (GitHub, LinkedIn, Website)

Validation:

  • Length limits (e.g., name <= 80 chars, bio <= 500)
  • Allowed protocols for links (https only)
  • Image size/type enforcement for avatar
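The validation rules above, as an added example (this is not code from the issue or the project): a server-side validator for the profile-update request. The 80/500 character limits and the https-only rule come from the issue; the 2 MiB avatar cap, the tag grammar, the 20-tag ceiling and the field names (`display_name`, `bio`, `skills`, `github`, `linkedin`, `website`) are assumptions made here. Image type is decided from the file's leading bytes rather than the client-supplied content type, and links are parsed rather than prefix-matched so `javascript:`, `HTTPS://`, host-less and `user@host` forms are handled.

```python
import re
from urllib.parse import urlsplit

# Limits from the issue text; the avatar size cap, the tag grammar and the
# 20-tag ceiling are assumptions made for this example.
NAME_MAX = 80
BIO_MAX = 500
AVATAR_MAX_BYTES = 2 * 1024 * 1024
MAX_SKILLS = 20
LINK_FIELDS = ("github", "linkedin", "website")
TAG_RE = re.compile(r"^[a-z0-9][a-z0-9+.#-]{0,31}$")   # e.g. "c#", "c++", "ml-ops"
# File type is decided from the first bytes of the upload, never from the
# client-supplied Content-Type header or the file extension.
AVATAR_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)


def validate_link(value):
    """Return None for an absolute https URL with a host, else an error string."""
    parts = urlsplit(value.strip())
    # urlsplit lower-cases the scheme, so "HTTPS://..." passes; javascript:,
    # data:, http: and scheme-less relative URLs are all rejected here.
    if parts.scheme != "https":
        return "only https links are allowed"
    if not parts.hostname:                  # "https:///path" has no host
        return "link must include a host name"
    if parts.username or parts.password:    # "https://github.com@evil.example/" style bait
        return "user info is not allowed in links"
    return None


def validate_avatar(data):
    """Return (mime_type, None) for an acceptable upload, else (None, error)."""
    if len(data) > AVATAR_MAX_BYTES:
        return None, f"avatar must be at most {AVATAR_MAX_BYTES} bytes"
    for signature, mime in AVATAR_SIGNATURES:
        if data.startswith(signature):
            return mime, None
    return None, "avatar must be a PNG or JPEG image"


def validate_profile(profile):
    """Validate a profile-update request. Returns {field: error}; empty means valid."""
    errors = {}
    name = (profile.get("display_name") or "").strip()
    if not 1 <= len(name) <= NAME_MAX:
        errors["display_name"] = f"must be 1 to {NAME_MAX} characters"
    elif not name.isprintable():            # rejects control and format chars (e.g. U+200B)
        errors["display_name"] = "must not contain control or format characters"
    bio = profile.get("bio") or ""
    if len(bio) > BIO_MAX:
        errors["bio"] = f"must be at most {BIO_MAX} characters"
    skills = profile.get("skills") or []
    if len(skills) > MAX_SKILLS or not all(isinstance(s, str) and TAG_RE.match(s) for s in skills):
        errors["skills"] = f"up to {MAX_SKILLS} lower-case tags such as 'c#' or 'c++'"
    for field in LINK_FIELDS:
        value = profile.get(field)
        if value:                           # links are optional; empty means "unset"
            problem = validate_link(value)
            if problem:
                errors[field] = problem
    return errors


if __name__ == "__main__":
    # Constructed sample request, not real user data.
    sample = {"display_name": "Ada Lovelace", "bio": "Analyst", "skills": ["c#", "c++"],
              "github": "https://github.com/ada", "linkedin": "javascript:alert(1)"}
    print(validate_profile(sample))          # {'linkedin': 'only https links are allowed'}
```

The validator returns all errors at once so the client can render them inline next to each field; the avatar check is separate because the upload normally arrives on its own endpoint.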

2. Hiring Availability

  • Boolean flag IsOpenToHire
  • Optional desired roles / rate range (future phase)
  • Visible badge on profile when enabled
  • Included in search filters for talent discovery

3. Credential & Security Lifecycle

Features:

  • Change Email (with confirmation flow: send verification link to new email)
  • Change Password (requires current password)
  • Forgot Password (request reset link via email token)
  • Reset Password (token validated, enforce complexity)
  • Enforce password complexity (configurable: length + classes)
  • Optional future MFA enrollment placeholder

Endpoints (illustrative):

  • POST /api/account/profile/update
  • POST /api/account/avatar
  • POST /api/account/hiring/toggle
  • POST /api/account/email/change
  • POST /api/account/password/change
  • POST /api/account/password/forgot
  • POST /api/account/password/reset

Security:

  • Rate limit password reset requests
  • Expire reset tokens (e.g., 30 minutes)
  • Single-use tokens
  • Audit log for credential changes
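The forgot/reset token lifecycle described above (and the token utilities of implementation step 6), as an added example that is not the project's code. It models the proposed PasswordResetToken table in memory with one deliberate difference: the stored column holds SHA-256 of the token rather than the token itself, so a leaked database cannot be turned into working reset links. The 30-minute expiry is from the issue; the rate limit of three requests per user per hour, the field and function names, and the sample user are assumptions. The same issue/consume pattern serves the EmailChangeRequest flow, with `newEmail` stored alongside the hashed token.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60     # "Expire reset tokens (e.g., 30 minutes)"
RATE_WINDOW_SECONDS = 60 * 60   # assumed: at most RATE_LIMIT requests per user per hour
RATE_LIMIT = 3
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


@dataclass
class PasswordResetToken:
    """One row of the proposed PasswordResetToken table.

    token_hash holds SHA-256(token); the raw token only ever travels inside the
    e-mailed link and is never logged or persisted."""
    token_hash: str
    user_id: int
    created_at: float
    expires_at: float
    used_at: Optional[float] = None


def hash_token(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def request_password_reset(store: list, users_by_email: dict, email: str, now: float) -> Optional[str]:
    """Forgot-password step. Returns the raw token for the e-mail link, or None.

    The HTTP response must be GENERIC_REPLY in every case (unknown address,
    rate-limited, or issued) so the endpoint does not reveal which e-mail
    addresses have accounts."""
    user_id = users_by_email.get(email.strip().lower())
    if user_id is None:
        return None
    recent = [t for t in store if t.user_id == user_id and t.created_at > now - RATE_WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:      # used tokens still count, to limit mail volume
        return None
    raw = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    store.append(PasswordResetToken(hash_token(raw), user_id, now, now + TOKEN_TTL_SECONDS))
    return raw


def consume_reset_token(store: list, raw: str, now: float) -> Optional[int]:
    """Reset-password step. Returns the user id if the token is valid, else None.

    A valid token is marked used, and every other outstanding token for the same
    user is invalidated, so an older link in the same inbox cannot be replayed."""
    wanted = hash_token(raw)
    for row in store:
        if not hmac.compare_digest(row.token_hash, wanted):
            continue
        if row.used_at is not None or now >= row.expires_at:
            return None
        row.used_at = now
        for other in store:
            if other.user_id == row.user_id and other.used_at is None:
                other.used_at = now
        return row.user_id
    return None


if __name__ == "__main__":
    table: list = []
    users = {"alice@example.com": 1}   # constructed sample data
    t0 = time.time()
    raw = request_password_reset(table, users, "alice@example.com", t0)
    print(GENERIC_REPLY)               # same reply whether or not raw is None
    print(consume_reset_token(table, raw, t0 + 60))    # 1
    print(consume_reset_token(table, raw, t0 + 61))    # None: single use
```

The caller of `consume_reset_token` sets the new password (after the complexity check), writes the audit entry and sends the "password changed" notification; `now` is passed in rather than read inside so the expiry boundary is testable.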

4. Audit & Notifications

  • Log profile changes (field-level diffs optional future)
  • Log credential operations (email/password updates)
  • Email notifications:
    • Email changed
    • Password changed
    • Password reset requested
  • Optional in-app notifications (future phase)

Data Model Additions (If Needed)

  • UserProfile extended fields (bio, links, skills)
  • IsOpenToHire (hiring status) flag in user record
  • PasswordResetToken table: token (store a hash of the token, not the raw value), userId, expiresAt, usedAt
  • EmailChangeRequest table: userId, newEmail, token, expiresAt

UI/UX

Pages / Sections:

  • Account Settings dashboard with tabs: Profile | Hiring | Security
  • Avatar uploader (reuse global media uploader component)
  • Inline validation + success toasts
  • Password strength meter and guidelines
  • Clear confirmations on successful changes

Accessibility:

  • Proper labeling of inputs
  • Keyboard navigable tab structure

Implementation Steps

  1. Extend user entity & migrations for missing fields.
  2. Implement profile update service with validation.
  3. Add hiring toggle endpoint + UI badge logic.
  4. Implement email change request + confirmation processing.
  5. Implement password change + forgot/reset flows.
  6. Create secure token generation & storage utilities.
  7. Integrate email sending for notifications.
  8. Build Account Settings UI (client) with state management.
  9. Add audit logging for security-related actions.
  10. Write unit & integration tests for all critical flows.

Security Considerations

  • Hash passwords with a strong, salted, slow algorithm (e.g., Argon2id, bcrypt, or PBKDF2 with a high iteration count)
  • Never log raw credentials or tokens
  • Secure token randomness (cryptographically secure RNG)
  • Throttle credential-related endpoints (anti-bruteforce)
  • Validate email ownership before switching
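Password storage, the complexity rule and the change-password check, as an added example that is not the project's code. It uses PBKDF2-HMAC-SHA256 from the standard library (the issue lists PBKDF2/BCrypt/Argon2 as options); the 600,000-iteration default, the 12-character/3-class policy, the stored-hash format and the `user` dict shape are assumptions made here. Iteration count and salt are embedded in the stored string so the parameters can be raised later and old hashes upgraded on the next successful login.

```python
import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # assumed default; tune so one hash costs roughly 250 ms
MIN_LENGTH = 12               # assumed policy values; the issue only says "length + classes"
MAX_LENGTH = 128
MIN_CLASSES = 3


def check_complexity(password: str) -> list:
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        failures.append(f"between {MIN_LENGTH} and {MAX_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < MIN_CLASSES:
        failures.append(f"at least {MIN_CLASSES} of: lower case, upper case, digits, symbols")
    return failures


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with a fresh 128-bit salt."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations), _b64(salt), _b64(dk)))


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of password against a stored hash; False on malformed input."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True if the stored hash uses fewer iterations than the current setting."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < PBKDF2_ITERATIONS


def change_password(user: dict, current_password: str, new_password: str,
                    iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Change-password endpoint logic: requires the current password, enforces the policy."""
    if not verify_password(current_password, user["password_hash"]):
        return False, "current password is incorrect"
    problems = check_complexity(new_password)
    if problems:
        return False, "new password must be " + "; ".join(problems)
    if verify_password(new_password, user["password_hash"]):
        return False, "new password must differ from the current one"
    user["password_hash"] = hash_password(new_password, iterations)
    # Caller writes the audit entry and sends the "password changed" e-mail;
    # neither may contain the password or its hash.
    return True, "password changed"


if __name__ == "__main__":
    account = {"password_hash": hash_password("Correct-Horse-Battery-9")}   # constructed
    print(change_password(account, "Correct-Horse-Battery-9", "short"))      # (False, ...)
    print(change_password(account, "Correct-Horse-Battery-9", "New-Password-42!"))  # (True, ...)
```

`verify_password` rejects malformed records instead of raising, so a corrupted row cannot turn into a 500 that distinguishes "no such user" from "wrong password"; the forgot-password flow should reuse `check_complexity` and `hash_password` when it sets the new value.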

Acceptance Criteria

  • Users can update all profile fields with validation
  • Hiring availability flag persists and displays on profile
  • Email change flow requires verification of new address
  • Password change requires current password and meets complexity rules
  • Forgot password flow issues email with valid time-limited token
  • Reset password invalidates token after use
  • Audit logs created for profile + credential changes
  • Notification emails sent for security-sensitive actions
  • UI settings pages responsive and accessible
  • All new endpoints covered by tests

Future Enhancements (Follow-ups)

  • MFA (TOTP / WebAuthn)
  • Session management & device revocation
  • Skills taxonomy & endorsements
  • Profile completeness scoring
  • Avatar cropping & optimization pipeline

This feature strengthens user control and security hygiene, and sets the groundwork for advanced trust and discovery features.

Metadata

Assignees

Labels

  • api: any issue or pr related to the backend api
  • client
  • enhancement: New feature or request
  • major: this is a major pr/issue that needs attention ASAP
  • new feature

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
