Hi there! Thanks for your article.
In my opinion the root problem is that we need tutorials in the first place. Why do so many developers have to reinvent the wheel (i.e. an accounts system)? Because there is nothing established for node.js yet. You suggest people use ruby, but this can’t be the final answer. I’d rather see a generic working solution emerge for node.js.
This spring I was frustrated about this lack of an accounts system (coming from the meteor ecosystem which provides this out of the box) and started developing a modular accounts system built on top of passport.js, called Ooth. The idea is to solve the problem once and for all, so that people won’t need tutorials, but will just be able to import a library that takes care of that aspect.
Since you mentioned a 5-year-old package, I thought I’d share a link to my library, which is at the very least more recent and actively maintained — see for example the specific reset-password implementation here: https://github.com/nmaro/ooth/blob/master/packages/ooth-local/src/index.js
Honestly, though, my expertise is as a software architect, not in security, so this library would really benefit from a security audit. I used your article to review my library, and there are things to fix. I created a ticket: https://github.com/nmaro/ooth/issues/6 and I’ll follow your new Git repo closely.
