Skip to main content
IntentLang
← All examples

ResetPassword

examples/ResetPassword.intent

ResetPassword.intent
1# ResetPassword.intent
2# The secure password-reset mission, end to end: a name and a goal grow into
3# guarantees, never-rules, an executable decision, and tests that prove it.
4# Compiles clean and runs 3/3 with the deterministic `intent` compiler (no AI).
5
6mission ResetPassword
7
8goal
9 Let a user securely reset their password
10
11why
12 A weak reset flow is a common path to account takeover.
13
14requires
15 verified email
16 reset token
17
18input
19 email: Email
20 token: ResetToken
21 newPassword: Secret
22
23output
24 result: PasswordResetResult
25
26constraints
27 token.ttl <= 15 minutes
28 password.minLength >= 12
29
30guarantees
31 token expires after 15 minutes
32 token can only be used once
33 password is never logged
34
35guarantee token expires after 15 minutes
36 because a long-lived reset token widens the account-takeover window
37 verify test token expiration
38
39guarantee token can only be used once
40 because a reusable reset token is an account-takeover risk
41 verify test one time use
42
43guarantee password is never logged
44 because a plaintext password in logs is a credential leak
45 verify test raw password not logged
46
47never
48 log the new password
49 return the token to the client
50
51never log the new password
52 because logs are visible to support and observability tools
53 verify test raw password not logged
54
55never return the token to the client
56 because a returned token can be replayed to seize the account
57 verify test token not returned
58
59# The reset policy is a decision, it runs, it is not a wish. `intent run` / `intent test`.
60decision CanReset
61 inputs
62 tokenAgeMinutes
63 attempts
64 rule expired
65 when tokenAgeMinutes > 15
66 return Denied
67 rule tooManyAttempts
68 when attempts >= 5
69 return Denied
70 rule allowed
71 when attempts < 5
72 return Allowed
73 default
74 return Denied
75
76target
77 DotNet
78 Tests
79
80style
81 ASP.NET Core
82 EntityFramework
83 BCrypt
84
85test CanReset
86 case fresh token
87 given tokenAgeMinutes 3, attempts 1
88 expect Allowed
89 case expired token
90 given tokenAgeMinutes 20, attempts 1
91 expect Denied
92 case locked out
93 given tokenAgeMinutes 3, attempts 5
94 expect Denied
Draft syntax. This file is illustrative and does not run yet.