From f46487b01555ce88aa951ff2a54c837aa9893a3c Mon Sep 17 00:00:00 2001
From: Bogdan Artemenko <artemenkobogdan@gmail.com>
Date: Mon, 13 May 2019 18:53:52 +0300
Subject: [PATCH] ResetPassword Table and all CRUD methods. (#1916)

---
 .../console/consoleweb/consoleql/mail.go      |   9 +-
 .../console/consoleweb/consoleql/query.go     |  12 +-
 .../consoleweb/consoleql/query_test.go        |   3 +-
 satellite/console/consoleweb/server.go        |  19 +
 satellite/console/database.go                 |   2 +
 satellite/console/resetpasswordtoken.go       |  70 ++++
 satellite/console/resetpasswordtoken_test.go  |  89 +++++
 satellite/console/service.go                  |  54 ++-
 satellite/satellitedb/consoledb.go            |   5 +
 satellite/satellitedb/dbx/satellitedb.dbx     |  23 ++
 satellite/satellitedb/dbx/satellitedb.dbx.go  | 367 ++++++++++++++++++
 .../dbx/satellitedb.dbx.postgres.sql          |   7 +
 .../dbx/satellitedb.dbx.sqlite3.sql           |   7 +
 satellite/satellitedb/locked.go               |  41 ++
 satellite/satellitedb/migrate.go              |  13 +
 satellite/satellitedb/resetpasstokens.go      | 101 +++++
 .../satellitedb/testdata/postgres.v19.sql     | 242 ++++++++++++
 web/satellite/static/emails/Forgot.html       |   3 +-
 .../static/resetPassword/success.css          |  66 ++++
 .../static/resetPassword/success.html         |  34 ++
 20 files changed, 1142 insertions(+), 25 deletions(-)
 create mode 100644 satellite/console/resetpasswordtoken.go
 create mode 100644 satellite/console/resetpasswordtoken_test.go
 create mode 100644 satellite/satellitedb/resetpasstokens.go
 create mode 100644 satellite/satellitedb/testdata/postgres.v19.sql
 create mode 100644 web/satellite/static/resetPassword/success.css
 create mode 100644 web/satellite/static/resetPassword/success.html

diff --git a/satellite/console/consoleweb/consoleql/mail.go b/satellite/console/consoleweb/consoleql/mail.go
index 67ef0a1ab..fd4d2bc99 100644
--- a/satellite/console/consoleweb/consoleql/mail.go
+++ b/satellite/console/consoleweb/consoleql/mail.go
@@ -8,6 +8,8 @@ const (
 	ActivationPath = "activationPath"
 	// PasswordRecoveryPath is key for path which handles password recovery
 	PasswordRecoveryPath = "passwordRecoveryPath"
+	// CancelPasswordRecoveryPath is key for path which handles let us know sequence
+	CancelPasswordRecoveryPath = "cancelPasswordRecoveryPath"
 	// SignInPath is key for sign in server route
 	SignInPath = "signInPath"
 )
@@ -26,9 +28,10 @@ func (*AccountActivationEmail) Subject() string { return "Activate your email" }
 
 // ForgotPasswordEmail is mailservice template with reset password data
 type ForgotPasswordEmail struct {
-	Origin    string
-	UserName  string
-	ResetLink string
+	Origin                     string
+	UserName                   string
+	ResetLink                  string
+	CancelPasswordRecoveryLink string
 }
 
 // Template returns email template name
diff --git a/satellite/console/consoleweb/consoleql/query.go b/satellite/console/consoleweb/consoleql/query.go
index a41a741f9..7a837d8c3 100644
--- a/satellite/console/consoleweb/consoleql/query.go
+++ b/satellite/console/consoleweb/consoleql/query.go
@@ -112,14 +112,15 @@ func rootQuery(service *console.Service, mailService *mailservice.Service, types
 						return false, fmt.Errorf("%s is not found", email)
 					}
 
-					recoveryToken, err := service.GeneratePasswordRecoveryToken(p.Context, user.ID, user.Email)
+					recoveryToken, err := service.GeneratePasswordRecoveryToken(p.Context, user.ID)
 					if err != nil {
 						return false, errors.New("failed to generate password recovery token")
 					}
 
 					rootObject := p.Info.RootValue.(map[string]interface{})
 					origin := rootObject["origin"].(string)
-					link := origin + rootObject[PasswordRecoveryPath].(string) + recoveryToken
+					passwordRecoveryLink := origin + rootObject[PasswordRecoveryPath].(string) + recoveryToken
+					cancelPasswordRecoveryLink := origin + rootObject[CancelPasswordRecoveryPath].(string) + recoveryToken
 					userName := user.ShortName
 					if user.ShortName == "" {
 						userName = user.FullName
@@ -131,9 +132,10 @@ func rootQuery(service *console.Service, mailService *mailservice.Service, types
 							p.Context,
 							[]post.Address{{Address: user.Email, Name: userName}},
 							&ForgotPasswordEmail{
-								Origin:    origin,
-								ResetLink: link,
-								UserName:  userName,
+								Origin:                     origin,
+								ResetLink:                  passwordRecoveryLink,
+								CancelPasswordRecoveryLink: cancelPasswordRecoveryLink,
+								UserName:                   userName,
 							},
 						)
 					}()
diff --git a/satellite/console/consoleweb/consoleql/query_test.go b/satellite/console/consoleweb/consoleql/query_test.go
index 9090b6414..d0468cf72 100644
--- a/satellite/console/consoleweb/consoleql/query_test.go
+++ b/satellite/console/consoleweb/consoleql/query_test.go
@@ -502,7 +502,8 @@ func TestGraphqlQuery(t *testing.T) {
 
 			})
 
-			rootObject[consoleql.PasswordRecoveryPath] = "?activationToken="
+			rootObject[consoleql.PasswordRecoveryPath] = "?token="
+			rootObject[consoleql.CancelPasswordRecoveryPath] = "?token="
 			query := fmt.Sprintf("query {forgotPassword(email: \"%s\")}", user.Email)
 
 			result := testQuery(t, query)
diff --git a/satellite/console/consoleweb/server.go b/satellite/console/consoleweb/server.go
index 7211ad1ab..a45a301ea 100644
--- a/satellite/console/consoleweb/server.go
+++ b/satellite/console/consoleweb/server.go
@@ -94,6 +94,7 @@ func NewServer(logger *zap.Logger, config Config, service *console.Service, mail
 	if server.config.StaticDir != "" {
 		mux.Handle("/activation/", http.HandlerFunc(server.accountActivationHandler))
 		mux.Handle("/password-recovery/", http.HandlerFunc(server.passwordRecoveryHandler))
+		mux.Handle("/cancel-password-recovery/", http.HandlerFunc(server.cancelPasswordRecoveryHandler))
 		mux.Handle("/registrationToken/", http.HandlerFunc(server.createRegistrationTokenHandler))
 		mux.Handle("/usage-report/", http.HandlerFunc(server.bucketUsageReportHandler))
 		mux.Handle("/static/", http.StripPrefix("/static", fs))
@@ -251,22 +252,27 @@ func (s *Server) passwordRecoveryHandler(w http.ResponseWriter, req *http.Reques
 		err := req.ParseForm()
 		if err != nil {
 			s.serveError(w, req)
+			s.log.Debug(err.Error())
 		}
 
 		password := req.FormValue("password")
 		passwordRepeat := req.FormValue("passwordRepeat")
 		if strings.Compare(password, passwordRepeat) != 0 {
 			s.serveError(w, req)
+			s.log.Debug(err.Error())
 			return
 		}
 
 		err = s.service.ResetPassword(context.Background(), recoveryToken, password)
 		if err != nil {
+			s.log.Debug(err.Error())
 			s.serveError(w, req)
 		}
+		http.ServeFile(w, req, filepath.Join(s.config.StaticDir, "static", "resetPassword", "success.html"))
 	default:
 		t, err := template.ParseFiles(filepath.Join(s.config.StaticDir, "static", "resetPassword", "resetPassword.html"))
 		if err != nil {
+			s.log.Debug(err.Error())
 			s.serveError(w, req)
 		}
 
@@ -277,6 +283,18 @@ func (s *Server) passwordRecoveryHandler(w http.ResponseWriter, req *http.Reques
 	}
 }
 
+func (s *Server) cancelPasswordRecoveryHandler(w http.ResponseWriter, req *http.Request) {
+	recoveryToken := req.URL.Query().Get("token")
+	if len(recoveryToken) == 0 {
+		http.Redirect(w, req, "https://storjlabs.atlassian.net/servicedesk/customer/portals", http.StatusSeeOther)
+	}
+
+	// No need to check error as we anyway redirect user to support page
+	_ = s.service.RevokeResetPasswordToken(context.Background(), recoveryToken)
+
+	http.Redirect(w, req, "https://storjlabs.atlassian.net/servicedesk/customer/portals", http.StatusSeeOther)
+}
+
 func (s *Server) serveError(w http.ResponseWriter, req *http.Request) {
 	http.ServeFile(w, req, filepath.Join(s.config.StaticDir, "static", "errors", "404.html"))
 }
@@ -305,6 +323,7 @@ func (s *Server) grapqlHandler(w http.ResponseWriter, req *http.Request) {
 	rootObject["origin"] = s.config.ExternalAddress
 	rootObject[consoleql.ActivationPath] = "activation/?token="
 	rootObject[consoleql.PasswordRecoveryPath] = "password-recovery/?token="
+	rootObject[consoleql.CancelPasswordRecoveryPath] = "cancel-password-recovery/?token="
 	rootObject[consoleql.SignInPath] = "login"
 
 	result := graphql.Do(graphql.Params{
diff --git a/satellite/console/database.go b/satellite/console/database.go
index 8b68e8f4c..3577066c9 100644
--- a/satellite/console/database.go
+++ b/satellite/console/database.go
@@ -23,6 +23,8 @@ type DB interface {
 	BucketUsage() accounting.BucketUsage
 	// RegistrationTokens is a getter for RegistrationTokens repository
 	RegistrationTokens() RegistrationTokens
+	// ResetPasswordTokens is a getter for ResetPasswordTokens repository
+	ResetPasswordTokens() ResetPasswordTokens
 	// UsageRollups is a getter for UsageRollups repository
 	UsageRollups() UsageRollups
 
diff --git a/satellite/console/resetpasswordtoken.go b/satellite/console/resetpasswordtoken.go
new file mode 100644
index 000000000..fe1aa8286
--- /dev/null
+++ b/satellite/console/resetpasswordtoken.go
@@ -0,0 +1,70 @@
+// Copyright (C) 2018 Storj Labs, Inc.
+// See LICENSE for copying information.
+
+package console
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"time"
+
+	"github.com/skyrings/skyring-common/tools/uuid"
+	"github.com/zeebo/errs"
+)
+
+// ResetPasswordTokens is interface for working with reset password tokens
+type ResetPasswordTokens interface {
+	// Create creates new reset password token
+	Create(ctx context.Context, ownerID uuid.UUID) (*ResetPasswordToken, error)
+	// GetBySecret retrieves ResetPasswordToken with given secret
+	GetBySecret(ctx context.Context, secret ResetPasswordSecret) (*ResetPasswordToken, error)
+	// GetByOwnerID retrieves ResetPasswordToken by ownerID
+	GetByOwnerID(ctx context.Context, ownerID uuid.UUID) (*ResetPasswordToken, error)
+	// Delete deletes ResetPasswordToken by ResetPasswordSecret
+	Delete(ctx context.Context, secret ResetPasswordSecret) error
+}
+
+// ResetPasswordSecret stores secret of registration token
+type ResetPasswordSecret [32]byte
+
+// ResetPasswordToken describing reset password model in the database
+type ResetPasswordToken struct {
+	// Secret is PK of the table and keeps unique value for reset password token
+	Secret ResetPasswordSecret
+	// OwnerID stores current token owner ID
+	OwnerID *uuid.UUID
+
+	CreatedAt time.Time `json:"createdAt"`
+}
+
+// NewResetPasswordSecret creates new reset password secret
+func NewResetPasswordSecret() (ResetPasswordSecret, error) {
+	var b [32]byte
+
+	_, err := rand.Read(b[:])
+	if err != nil {
+		return b, errs.New("error creating registration secret")
+	}
+
+	return b, nil
+}
+
+// String implements Stringer
+func (secret ResetPasswordSecret) String() string {
+	return base64.URLEncoding.EncodeToString(secret[:])
+}
+
+// ResetPasswordSecretFromBase64 creates new reset password secret from base64 string
+func ResetPasswordSecretFromBase64(s string) (ResetPasswordSecret, error) {
+	var secret ResetPasswordSecret
+
+	b, err := base64.URLEncoding.DecodeString(s)
+	if err != nil {
+		return secret, err
+	}
+
+	copy(secret[:], b)
+
+	return secret, nil
+}
diff --git a/satellite/console/resetpasswordtoken_test.go b/satellite/console/resetpasswordtoken_test.go
new file mode 100644
index 000000000..74d31b17b
--- /dev/null
+++ b/satellite/console/resetpasswordtoken_test.go
@@ -0,0 +1,89 @@
+// Copyright (C) 2019 Storj Labs, Inc.
+// See LICENSE for copying information.
+
+package console_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"storj.io/storj/internal/testcontext"
+	"storj.io/storj/satellite"
+	"storj.io/storj/satellite/console"
+	"storj.io/storj/satellite/satellitedb/satellitedbtest"
+)
+
+func TestNewRegistrationSecret(t *testing.T) {
+	// testing constants
+	const (
+		// for user
+		shortName    = "lastName"
+		email        = "email@ukr.net"
+		pass         = "123456"
+		userFullName = "name"
+	)
+
+	satellitedbtest.Run(t, func(t *testing.T, db satellite.DB) {
+		ctx := testcontext.New(t)
+		defer ctx.Cleanup()
+
+		users := db.Console().Users()
+		rptokens := db.Console().ResetPasswordTokens()
+
+		var owner *console.User
+		var rptoken *console.ResetPasswordToken
+
+		t.Run("Insert reset password token successfully", func(t *testing.T) {
+			var err error
+			owner, err = users.Insert(ctx, &console.User{
+				FullName:     userFullName,
+				ShortName:    shortName,
+				Email:        email,
+				PasswordHash: []byte(pass),
+			})
+			assert.NoError(t, err)
+			assert.NotNil(t, owner)
+
+			rptoken, err = rptokens.Create(ctx, owner.ID)
+			assert.NotNil(t, rptoken)
+			assert.NoError(t, err)
+		})
+
+		t.Run("Get reset password token successfully", func(t *testing.T) {
+			tokenBySecret, err := rptokens.GetBySecret(ctx, rptoken.Secret)
+			assert.NoError(t, err)
+			assert.Equal(t, rptoken.Secret, tokenBySecret.Secret)
+			assert.Equal(t, rptoken.CreatedAt, tokenBySecret.CreatedAt)
+			assert.Equal(t, rptoken.OwnerID, tokenBySecret.OwnerID)
+		})
+
+		t.Run("Get reset password token by UUID and Secret equal", func(t *testing.T) {
+			tokenBySecret, err := rptokens.GetBySecret(ctx, rptoken.Secret)
+			assert.NoError(t, err)
+
+			tokenByUUID, err := rptokens.GetByOwnerID(ctx, *rptoken.OwnerID)
+			assert.NoError(t, err)
+
+			assert.Equal(t, tokenByUUID.Secret, tokenBySecret.Secret)
+			assert.Equal(t, tokenByUUID.CreatedAt, tokenBySecret.CreatedAt)
+			assert.Equal(t, tokenByUUID.OwnerID, tokenBySecret.OwnerID)
+		})
+
+		t.Run("Successful base64 encoding", func(t *testing.T) {
+			base64token := rptoken.Secret.String()
+			assert.NotEmpty(t, base64token)
+		})
+
+		t.Run("Successful base64 decoding", func(t *testing.T) {
+			base64token := rptoken.Secret.String()
+			assert.NotEmpty(t, base64token)
+
+			secretFromString, err := console.ResetPasswordSecretFromBase64(base64token)
+
+			assert.NoError(t, err)
+			assert.Equal(t, rptoken.Secret, secretFromString)
+		})
+
+	})
+}
diff --git a/satellite/console/service.go b/satellite/console/service.go
index 8b7346b52..ef81a2259 100644
--- a/satellite/console/service.go
+++ b/satellite/console/service.go
@@ -151,16 +151,23 @@ func (s *Service) GenerateActivationToken(ctx context.Context, id uuid.UUID, ema
 }
 
 // GeneratePasswordRecoveryToken - is a method for generating password recovery token
-func (s *Service) GeneratePasswordRecoveryToken(ctx context.Context, id uuid.UUID, email string) (token string, err error) {
+func (s *Service) GeneratePasswordRecoveryToken(ctx context.Context, id uuid.UUID) (token string, err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	claims := &consoleauth.Claims{
-		ID:         id,
-		Email:      email,
-		Expiration: time.Now().Add(time.Hour),
+	resetPasswordToken, err := s.store.ResetPasswordTokens().GetByOwnerID(ctx, id)
+	if err == nil {
+		err := s.store.ResetPasswordTokens().Delete(ctx, resetPasswordToken.Secret)
+		if err != nil {
+			return "", err
+		}
 	}
 
-	return s.createToken(claims)
+	resetPasswordToken, err = s.store.ResetPasswordTokens().Create(ctx, id)
+	if err != nil {
+		return "", err
+	}
+
+	return resetPasswordToken.Secret.String(), nil
 }
 
 // ActivateAccount - is a method for activating user account after registration
@@ -211,17 +218,16 @@ func (s *Service) ActivateAccount(ctx context.Context, activationToken string) (
 func (s *Service) ResetPassword(ctx context.Context, resetPasswordToken, password string) (err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	token, err := consoleauth.FromBase64URLString(resetPasswordToken)
+	secret, err := ResetPasswordSecretFromBase64(resetPasswordToken)
+	if err != nil {
+		return
+	}
+	token, err := s.store.ResetPasswordTokens().GetBySecret(ctx, secret)
 	if err != nil {
 		return
 	}
 
-	claims, err := s.authenticate(token)
-	if err != nil {
-		return
-	}
-
-	user, err := s.store.Users().Get(ctx, claims.ID)
+	user, err := s.store.Users().Get(ctx, *token.OwnerID)
 	if err != nil {
 		return
 	}
@@ -230,7 +236,7 @@ func (s *Service) ResetPassword(ctx context.Context, resetPasswordToken, passwor
 		return err
 	}
 
-	if time.Since(claims.Expiration) > 0 {
+	if time.Since(token.CreatedAt) > tokenExpirationTime {
 		return errs.New(passwordRecoveryTokenIsExpiredErrMsg)
 	}
 
@@ -240,7 +246,25 @@ func (s *Service) ResetPassword(ctx context.Context, resetPasswordToken, passwor
 	}
 
 	user.PasswordHash = hash
-	return s.store.Users().Update(ctx, user)
+
+	err = s.store.Users().Update(ctx, user)
+	if err != nil {
+		return err
+	}
+
+	return s.store.ResetPasswordTokens().Delete(ctx, token.Secret)
+}
+
+// RevokeResetPasswordToken - is a method to revoke reset password token
+func (s *Service) RevokeResetPasswordToken(ctx context.Context, resetPasswordToken string) (err error) {
+	defer mon.Task()(&ctx)(&err)
+
+	secret, err := ResetPasswordSecretFromBase64(resetPasswordToken)
+	if err != nil {
+		return
+	}
+
+	return s.store.ResetPasswordTokens().Delete(ctx, secret)
 }
 
 // Token authenticates User by credentials and returns auth token
diff --git a/satellite/satellitedb/consoledb.go b/satellite/satellitedb/consoledb.go
index 02699b523..c626bd97e 100644
--- a/satellite/satellitedb/consoledb.go
+++ b/satellite/satellitedb/consoledb.go
@@ -51,6 +51,11 @@ func (db *ConsoleDB) RegistrationTokens() console.RegistrationTokens {
 	return &registrationTokens{db.methods}
 }
 
+// ResetPasswordTokens is a getter for ResetPasswordTokens repository
+func (db *ConsoleDB) ResetPasswordTokens() console.ResetPasswordTokens {
+	return &resetPasswordTokens{db.methods}
+}
+
 // UsageRollups is a getter for console.UsageRollups repository
 func (db *ConsoleDB) UsageRollups() console.UsageRollups {
 	return &usagerollups{db.db}
diff --git a/satellite/satellitedb/dbx/satellitedb.dbx b/satellite/satellitedb/dbx/satellitedb.dbx
index d9ab6c529..63e8b2842 100644
--- a/satellite/satellitedb/dbx/satellitedb.dbx
+++ b/satellite/satellitedb/dbx/satellitedb.dbx
@@ -519,3 +519,26 @@ read one (
     where  registration_token.owner_id = ?
 )
 update registration_token ( where registration_token.secret = ? )
+
+//--- satellite reset password token ---//
+
+model reset_password_token (
+    key    secret
+    unique owner_id
+
+    field secret blob
+    field owner_id blob        ( updatable )
+
+    field created_at timestamp ( autoinsert )
+)
+
+create reset_password_token ( )
+read one (
+    select reset_password_token
+    where reset_password_token.secret = ?
+)
+read one (
+    select reset_password_token
+    where reset_password_token.owner_id = ?
+)
+delete reset_password_token ( where reset_password_token.secret = ? )
diff --git a/satellite/satellitedb/dbx/satellitedb.dbx.go b/satellite/satellitedb/dbx/satellitedb.dbx.go
index 7eb2aaaa2..639fe7115 100644
--- a/satellite/satellitedb/dbx/satellitedb.dbx.go
+++ b/satellite/satellitedb/dbx/satellitedb.dbx.go
@@ -400,6 +400,13 @@ CREATE TABLE registration_tokens (
 	PRIMARY KEY ( secret ),
 	UNIQUE ( owner_id )
 );
+CREATE TABLE reset_password_tokens (
+	secret bytea NOT NULL,
+	owner_id bytea NOT NULL,
+	created_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( secret ),
+	UNIQUE ( owner_id )
+);
 CREATE TABLE serial_numbers (
 	id serial NOT NULL,
 	serial_number bytea NOT NULL,
@@ -650,6 +657,13 @@ CREATE TABLE registration_tokens (
 	PRIMARY KEY ( secret ),
 	UNIQUE ( owner_id )
 );
+CREATE TABLE reset_password_tokens (
+	secret BLOB NOT NULL,
+	owner_id BLOB NOT NULL,
+	created_at TIMESTAMP NOT NULL,
+	PRIMARY KEY ( secret ),
+	UNIQUE ( owner_id )
+);
 CREATE TABLE serial_numbers (
 	id INTEGER NOT NULL,
 	serial_number BLOB NOT NULL,
@@ -2757,6 +2771,75 @@ func (f RegistrationToken_CreatedAt_Field) value() interface{} {
 
 func (RegistrationToken_CreatedAt_Field) _Column() string { return "created_at" }
 
+type ResetPasswordToken struct {
+	Secret    []byte
+	OwnerId   []byte
+	CreatedAt time.Time
+}
+
+func (ResetPasswordToken) _Table() string { return "reset_password_tokens" }
+
+type ResetPasswordToken_Update_Fields struct {
+	OwnerId ResetPasswordToken_OwnerId_Field
+}
+
+type ResetPasswordToken_Secret_Field struct {
+	_set   bool
+	_null  bool
+	_value []byte
+}
+
+func ResetPasswordToken_Secret(v []byte) ResetPasswordToken_Secret_Field {
+	return ResetPasswordToken_Secret_Field{_set: true, _value: v}
+}
+
+func (f ResetPasswordToken_Secret_Field) value() interface{} {
+	if !f._set || f._null {
+		return nil
+	}
+	return f._value
+}
+
+func (ResetPasswordToken_Secret_Field) _Column() string { return "secret" }
+
+type ResetPasswordToken_OwnerId_Field struct {
+	_set   bool
+	_null  bool
+	_value []byte
+}
+
+func ResetPasswordToken_OwnerId(v []byte) ResetPasswordToken_OwnerId_Field {
+	return ResetPasswordToken_OwnerId_Field{_set: true, _value: v}
+}
+
+func (f ResetPasswordToken_OwnerId_Field) value() interface{} {
+	if !f._set || f._null {
+		return nil
+	}
+	return f._value
+}
+
+func (ResetPasswordToken_OwnerId_Field) _Column() string { return "owner_id" }
+
+type ResetPasswordToken_CreatedAt_Field struct {
+	_set   bool
+	_null  bool
+	_value time.Time
+}
+
+func ResetPasswordToken_CreatedAt(v time.Time) ResetPasswordToken_CreatedAt_Field {
+	return ResetPasswordToken_CreatedAt_Field{_set: true, _value: v}
+}
+
+func (f ResetPasswordToken_CreatedAt_Field) value() interface{} {
+	if !f._set || f._null {
+		return nil
+	}
+	return f._value
+}
+
+func (ResetPasswordToken_CreatedAt_Field) _Column() string { return "created_at" }
+
 type SerialNumber struct {
 	Id           int
 	SerialNumber []byte
@@ -4132,6 +4215,30 @@ func (obj *postgresImpl) Create_RegistrationToken(ctx context.Context,
 
 }
 
+func (obj *postgresImpl) Create_ResetPasswordToken(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field,
+	reset_password_token_owner_id ResetPasswordToken_OwnerId_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+
+	__now := obj.db.Hooks.Now().UTC()
+	__secret_val := reset_password_token_secret.value()
+	__owner_id_val := reset_password_token_owner_id.value()
+	__created_at_val := __now
+
+	var __embed_stmt = __sqlbundle_Literal("INSERT INTO reset_password_tokens ( secret, owner_id, created_at ) VALUES ( ?, ?, ? ) RETURNING reset_password_tokens.secret, reset_password_tokens.owner_id, reset_password_tokens.created_at")
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, __secret_val, __owner_id_val, __created_at_val)
+
+	reset_password_token = &ResetPasswordToken{}
+	err = obj.driver.QueryRow(__stmt, __secret_val, __owner_id_val, __created_at_val).Scan(&reset_password_token.Secret, &reset_password_token.OwnerId, &reset_password_token.CreatedAt)
+	if err != nil {
+		return nil, obj.makeErr(err)
+	}
+	return reset_password_token, nil
+
+}
+
 func (obj *postgresImpl) Get_Irreparabledb_By_Segmentpath(ctx context.Context,
 	irreparabledb_segmentpath Irreparabledb_Segmentpath_Field) (
 	irreparabledb *Irreparabledb, err error) {
@@ -5102,6 +5209,48 @@ func (obj *postgresImpl) Get_RegistrationToken_By_OwnerId(ctx context.Context,
 
 }
 
+func (obj *postgresImpl) Get_ResetPasswordToken_By_Secret(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+
+	var __embed_stmt = __sqlbundle_Literal("SELECT reset_password_tokens.secret, reset_password_tokens.owner_id, reset_password_tokens.created_at FROM reset_password_tokens WHERE reset_password_tokens.secret = ?")
+
+	var __values []interface{}
+	__values = append(__values, reset_password_token_secret.value())
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, __values...)
+
+	reset_password_token = &ResetPasswordToken{}
+	err = obj.driver.QueryRow(__stmt, __values...).Scan(&reset_password_token.Secret, &reset_password_token.OwnerId, &reset_password_token.CreatedAt)
+	if err != nil {
+		return nil, obj.makeErr(err)
+	}
+	return reset_password_token, nil
+
+}
+
+func (obj *postgresImpl) Get_ResetPasswordToken_By_OwnerId(ctx context.Context,
+	reset_password_token_owner_id ResetPasswordToken_OwnerId_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+
+	var __embed_stmt = __sqlbundle_Literal("SELECT reset_password_tokens.secret, reset_password_tokens.owner_id, reset_password_tokens.created_at FROM reset_password_tokens WHERE reset_password_tokens.owner_id = ?")
+
+	var __values []interface{}
+	__values = append(__values, reset_password_token_owner_id.value())
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, __values...)
+
+	reset_password_token = &ResetPasswordToken{}
+	err = obj.driver.QueryRow(__stmt, __values...).Scan(&reset_password_token.Secret, &reset_password_token.OwnerId, &reset_password_token.CreatedAt)
+	if err != nil {
+		return nil, obj.makeErr(err)
+	}
+	return reset_password_token, nil
+
+}
+
 func (obj *postgresImpl) Update_Irreparabledb_By_Segmentpath(ctx context.Context,
 	irreparabledb_segmentpath Irreparabledb_Segmentpath_Field,
 	update Irreparabledb_Update_Fields) (
@@ -5846,6 +5995,32 @@ func (obj *postgresImpl) Delete_CertRecord_By_Id(ctx context.Context,
 
 }
 
+func (obj *postgresImpl) Delete_ResetPasswordToken_By_Secret(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field) (
+	deleted bool, err error) {
+
+	var __embed_stmt = __sqlbundle_Literal("DELETE FROM reset_password_tokens WHERE reset_password_tokens.secret = ?")
+
+	var __values []interface{}
+	__values = append(__values, reset_password_token_secret.value())
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, __values...)
+
+	__res, err := obj.driver.Exec(__stmt, __values...)
+	if err != nil {
+		return false, obj.makeErr(err)
+	}
+
+	__count, err := __res.RowsAffected()
+	if err != nil {
+		return false, obj.makeErr(err)
+	}
+
+	return __count > 0, nil
+
+}
+
 func (impl postgresImpl) isConstraintError(err error) (
 	constraint string, ok bool) {
 	if e, ok := err.(*pq.Error); ok {
@@ -5924,6 +6099,16 @@ func (obj *postgresImpl) deleteAll(ctx context.Context) (count int64, err error)
 		return 0, obj.makeErr(err)
 	}
 
+	__count, err = __res.RowsAffected()
+	if err != nil {
+		return 0, obj.makeErr(err)
+	}
+	count += __count
+	__res, err = obj.driver.Exec("DELETE FROM reset_password_tokens;")
+	if err != nil {
+		return 0, obj.makeErr(err)
+	}
+
 	__count, err = __res.RowsAffected()
 	if err != nil {
 		return 0, obj.makeErr(err)
@@ -6549,6 +6734,33 @@ func (obj *sqlite3Impl) Create_RegistrationToken(ctx context.Context,
 
 }
 
+func (obj *sqlite3Impl) Create_ResetPasswordToken(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field,
+	reset_password_token_owner_id ResetPasswordToken_OwnerId_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+
+	__now := obj.db.Hooks.Now().UTC()
+	__secret_val := reset_password_token_secret.value()
+	__owner_id_val := reset_password_token_owner_id.value()
+	__created_at_val := __now
+
+	var __embed_stmt = __sqlbundle_Literal("INSERT INTO reset_password_tokens ( secret, owner_id, created_at ) VALUES ( ?, ?, ? )")
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, __secret_val, __owner_id_val, __created_at_val)
+
+	__res, err := obj.driver.Exec(__stmt, __secret_val, __owner_id_val, __created_at_val)
+	if err != nil {
+		return nil, obj.makeErr(err)
+	}
+	__pk, err := __res.LastInsertId()
+	if err != nil {
+		return nil, obj.makeErr(err)
+	}
+	return obj.getLastResetPasswordToken(ctx, __pk)
+
+}
+
 func (obj *sqlite3Impl) Get_Irreparabledb_By_Segmentpath(ctx context.Context,
 	irreparabledb_segmentpath Irreparabledb_Segmentpath_Field) (
 	irreparabledb *Irreparabledb, err error) {
@@ -7519,6 +7731,48 @@ func (obj *sqlite3Impl) Get_RegistrationToken_By_OwnerId(ctx context.Context,
 
 }
 
+func (obj *sqlite3Impl) Get_ResetPasswordToken_By_Secret(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+
+	var __embed_stmt = __sqlbundle_Literal("SELECT reset_password_tokens.secret, reset_password_tokens.owner_id, reset_password_tokens.created_at FROM reset_password_tokens WHERE reset_password_tokens.secret = ?")
+
+	var __values []interface{}
+	__values = append(__values, reset_password_token_secret.value())
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, __values...)
+
+	reset_password_token = &ResetPasswordToken{}
+	err = obj.driver.QueryRow(__stmt, __values...).Scan(&reset_password_token.Secret, &reset_password_token.OwnerId, &reset_password_token.CreatedAt)
+	if err != nil {
+		return nil, obj.makeErr(err)
+	}
+	return reset_password_token, nil
+
+}
+
+func (obj *sqlite3Impl) Get_ResetPasswordToken_By_OwnerId(ctx context.Context,
+	reset_password_token_owner_id ResetPasswordToken_OwnerId_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+
+	var __embed_stmt = __sqlbundle_Literal("SELECT reset_password_tokens.secret, reset_password_tokens.owner_id, reset_password_tokens.created_at FROM reset_password_tokens WHERE reset_password_tokens.owner_id = ?")
+
+	var __values []interface{}
+	__values = append(__values, reset_password_token_owner_id.value())
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, __values...)
+
+	reset_password_token = &ResetPasswordToken{}
+	err = obj.driver.QueryRow(__stmt, __values...).Scan(&reset_password_token.Secret, &reset_password_token.OwnerId, &reset_password_token.CreatedAt)
+	if err != nil {
+		return nil, obj.makeErr(err)
+	}
+	return reset_password_token, nil
+
+}
+
 func (obj *sqlite3Impl) Update_Irreparabledb_By_Segmentpath(ctx context.Context,
 	irreparabledb_segmentpath Irreparabledb_Segmentpath_Field,
 	update Irreparabledb_Update_Fields) (
@@ -8343,6 +8597,32 @@ func (obj *sqlite3Impl) Delete_CertRecord_By_Id(ctx context.Context,
 
 }
 
+func (obj *sqlite3Impl) Delete_ResetPasswordToken_By_Secret(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field) (
+	deleted bool, err error) {
+
+	var __embed_stmt = __sqlbundle_Literal("DELETE FROM reset_password_tokens WHERE reset_password_tokens.secret = ?")
+
+	var __values []interface{}
+	__values = append(__values, reset_password_token_secret.value())
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, __values...)
+
+	__res, err := obj.driver.Exec(__stmt, __values...)
+	if err != nil {
+		return false, obj.makeErr(err)
+	}
+
+	__count, err := __res.RowsAffected()
+	if err != nil {
+		return false, obj.makeErr(err)
+	}
+
+	return __count > 0, nil
+
+}
+
 func (obj *sqlite3Impl) getLastIrreparabledb(ctx context.Context,
 	pk int64) (
 	irreparabledb *Irreparabledb, err error) {
@@ -8613,6 +8893,24 @@ func (obj *sqlite3Impl) getLastRegistrationToken(ctx context.Context,
 
 }
 
+func (obj *sqlite3Impl) getLastResetPasswordToken(ctx context.Context,
+	pk int64) (
+	reset_password_token *ResetPasswordToken, err error) {
+
+	var __embed_stmt = __sqlbundle_Literal("SELECT reset_password_tokens.secret, reset_password_tokens.owner_id, reset_password_tokens.created_at FROM reset_password_tokens WHERE _rowid_ = ?")
+
+	var __stmt = __sqlbundle_Render(obj.dialect, __embed_stmt)
+	obj.logStmt(__stmt, pk)
+
+	reset_password_token = &ResetPasswordToken{}
+	err = obj.driver.QueryRow(__stmt, pk).Scan(&reset_password_token.Secret, &reset_password_token.OwnerId, &reset_password_token.CreatedAt)
+	if err != nil {
+		return nil, obj.makeErr(err)
+	}
+	return reset_password_token, nil
+
+}
+
 func (impl sqlite3Impl) isConstraintError(err error) (
 	constraint string, ok bool) {
 	if e, ok := err.(sqlite3.Error); ok {
@@ -8696,6 +8994,16 @@ func (obj *sqlite3Impl) deleteAll(ctx context.Context) (count int64, err error)
 		return 0, obj.makeErr(err)
 	}
 
+	__count, err = __res.RowsAffected()
+	if err != nil {
+		return 0, obj.makeErr(err)
+	}
+	count += __count
+	__res, err = obj.driver.Exec("DELETE FROM reset_password_tokens;")
+	if err != nil {
+		return 0, obj.makeErr(err)
+	}
+
 	__count, err = __res.RowsAffected()
 	if err != nil {
 		return 0, obj.makeErr(err)
@@ -9151,6 +9459,18 @@ func (rx *Rx) Create_RegistrationToken(ctx context.Context,
 
 }
 
+func (rx *Rx) Create_ResetPasswordToken(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field,
+	reset_password_token_owner_id ResetPasswordToken_OwnerId_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+	var tx *Tx
+	if tx, err = rx.getTx(ctx); err != nil {
+		return
+	}
+	return tx.Create_ResetPasswordToken(ctx, reset_password_token_secret, reset_password_token_owner_id)
+
+}
+
 func (rx *Rx) Create_SerialNumber(ctx context.Context,
 	serial_number_serial_number SerialNumber_SerialNumber_Field,
 	serial_number_bucket_id SerialNumber_BucketId_Field,
@@ -9285,6 +9605,16 @@ func (rx *Rx) Delete_Project_By_Id(ctx context.Context,
 	return tx.Delete_Project_By_Id(ctx, project_id)
 }
 
+func (rx *Rx) Delete_ResetPasswordToken_By_Secret(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field) (
+	deleted bool, err error) {
+	var tx *Tx
+	if tx, err = rx.getTx(ctx); err != nil {
+		return
+	}
+	return tx.Delete_ResetPasswordToken_By_Secret(ctx, reset_password_token_secret)
+}
+
 func (rx *Rx) Delete_SerialNumber_By_ExpiresAt_LessOrEqual(ctx context.Context,
 	serial_number_expires_at_less_or_equal SerialNumber_ExpiresAt_Field) (
 	count int64, err error) {
@@ -9471,6 +9801,26 @@ func (rx *Rx) Get_RegistrationToken_By_Secret(ctx context.Context,
 	return tx.Get_RegistrationToken_By_Secret(ctx, registration_token_secret)
 }
 
+func (rx *Rx) Get_ResetPasswordToken_By_OwnerId(ctx context.Context,
+	reset_password_token_owner_id ResetPasswordToken_OwnerId_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+	var tx *Tx
+	if tx, err = rx.getTx(ctx); err != nil {
+		return
+	}
+	return tx.Get_ResetPasswordToken_By_OwnerId(ctx, reset_password_token_owner_id)
+}
+
+func (rx *Rx) Get_ResetPasswordToken_By_Secret(ctx context.Context,
+	reset_password_token_secret ResetPasswordToken_Secret_Field) (
+	reset_password_token *ResetPasswordToken, err error) {
+	var tx *Tx
+	if tx, err = rx.getTx(ctx); err != nil {
+		return
+	}
+	return tx.Get_ResetPasswordToken_By_Secret(ctx, reset_password_token_secret)
+}
+
 func (rx *Rx) Get_StoragenodeStorageTally_By_Id(ctx context.Context,
 	storagenode_storage_tally_id StoragenodeStorageTally_Id_Field) (
 	storagenode_storage_tally *StoragenodeStorageTally, err error) {
@@ -9794,6 +10144,11 @@ type Methods interface {
 		optional RegistrationToken_Create_Fields) (
 		registration_token *RegistrationToken, err error)
 
+	Create_ResetPasswordToken(ctx context.Context,
+		reset_password_token_secret ResetPasswordToken_Secret_Field,
+		reset_password_token_owner_id ResetPasswordToken_OwnerId_Field) (
+		reset_password_token *ResetPasswordToken, err error)
+
 	Create_SerialNumber(ctx context.Context,
 		serial_number_serial_number SerialNumber_SerialNumber_Field,
 		serial_number_bucket_id SerialNumber_BucketId_Field,
@@ -9852,6 +10207,10 @@ type Methods interface {
 		project_id Project_Id_Field) (
 		deleted bool, err error)
 
+	Delete_ResetPasswordToken_By_Secret(ctx context.Context,
+		reset_password_token_secret ResetPasswordToken_Secret_Field) (
+		deleted bool, err error)
+
 	Delete_SerialNumber_By_ExpiresAt_LessOrEqual(ctx context.Context,
 		serial_number_expires_at_less_or_equal SerialNumber_ExpiresAt_Field) (
 		count int64, err error)
@@ -9929,6 +10288,14 @@ type Methods interface {
 		registration_token_secret RegistrationToken_Secret_Field) (
 		registration_token *RegistrationToken, err error)
 
+	Get_ResetPasswordToken_By_OwnerId(ctx context.Context,
+		reset_password_token_owner_id ResetPasswordToken_OwnerId_Field) (
+		reset_password_token *ResetPasswordToken, err error)
+
+	Get_ResetPasswordToken_By_Secret(ctx context.Context,
+		reset_password_token_secret ResetPasswordToken_Secret_Field) (
+		reset_password_token *ResetPasswordToken, err error)
+
 	Get_StoragenodeStorageTally_By_Id(ctx context.Context,
 		storagenode_storage_tally_id StoragenodeStorageTally_Id_Field) (
 		storagenode_storage_tally *StoragenodeStorageTally, err error)
diff --git a/satellite/satellitedb/dbx/satellitedb.dbx.postgres.sql b/satellite/satellitedb/dbx/satellitedb.dbx.postgres.sql
index 1a78f0b38..e3861d384 100644
--- a/satellite/satellitedb/dbx/satellitedb.dbx.postgres.sql
+++ b/satellite/satellitedb/dbx/satellitedb.dbx.postgres.sql
@@ -128,6 +128,13 @@ CREATE TABLE registration_tokens (
 	PRIMARY KEY ( secret ),
 	UNIQUE ( owner_id )
 );
+CREATE TABLE reset_password_tokens (
+	secret bytea NOT NULL,
+	owner_id bytea NOT NULL,
+	created_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( secret ),
+	UNIQUE ( owner_id )
+);
 CREATE TABLE serial_numbers (
 	id serial NOT NULL,
 	serial_number bytea NOT NULL,
diff --git a/satellite/satellitedb/dbx/satellitedb.dbx.sqlite3.sql b/satellite/satellitedb/dbx/satellitedb.dbx.sqlite3.sql
index d036f49bb..de7e9c204 100644
--- a/satellite/satellitedb/dbx/satellitedb.dbx.sqlite3.sql
+++ b/satellite/satellitedb/dbx/satellitedb.dbx.sqlite3.sql
@@ -128,6 +128,13 @@ CREATE TABLE registration_tokens (
 	PRIMARY KEY ( secret ),
 	UNIQUE ( owner_id )
 );
+CREATE TABLE reset_password_tokens (
+	secret BLOB NOT NULL,
+	owner_id BLOB NOT NULL,
+	created_at TIMESTAMP NOT NULL,
+	PRIMARY KEY ( secret ),
+	UNIQUE ( owner_id )
+);
 CREATE TABLE serial_numbers (
 	id INTEGER NOT NULL,
 	serial_number BLOB NOT NULL,
diff --git a/satellite/satellitedb/locked.go b/satellite/satellitedb/locked.go
index be5052ba1..f19f179a8 100644
--- a/satellite/satellitedb/locked.go
+++ b/satellite/satellitedb/locked.go
@@ -361,6 +361,47 @@ func (m *lockedRegistrationTokens) UpdateOwner(ctx context.Context, secret conso
 	return m.db.UpdateOwner(ctx, secret, ownerID)
 }
 
+// ResetPasswordTokens is a getter for ResetPasswordTokens repository
+func (m *lockedConsole) ResetPasswordTokens() console.ResetPasswordTokens {
+	m.Lock()
+	defer m.Unlock()
+	return &lockedResetPasswordTokens{m.Locker, m.db.ResetPasswordTokens()}
+}
+
+// lockedResetPasswordTokens implements locking wrapper for console.ResetPasswordTokens
+type lockedResetPasswordTokens struct {
+	sync.Locker
+	db console.ResetPasswordTokens
+}
+
+// Create creates new reset password token
+func (m *lockedResetPasswordTokens) Create(ctx context.Context, ownerID uuid.UUID) (*console.ResetPasswordToken, error) {
+	m.Lock()
+	defer m.Unlock()
+	return m.db.Create(ctx, ownerID)
+}
+
+// Delete deletes ResetPasswordToken by ResetPasswordSecret
+func (m *lockedResetPasswordTokens) Delete(ctx context.Context, secret console.ResetPasswordSecret) error {
+	m.Lock()
+	defer m.Unlock()
+	return m.db.Delete(ctx, secret)
+}
+
+// GetByOwnerID retrieves ResetPasswordToken by ownerID
+func (m *lockedResetPasswordTokens) GetByOwnerID(ctx context.Context, ownerID uuid.UUID) (*console.ResetPasswordToken, error) {
+	m.Lock()
+	defer m.Unlock()
+	return m.db.GetByOwnerID(ctx, ownerID)
+}
+
+// GetBySecret retrieves ResetPasswordToken with given secret
+func (m *lockedResetPasswordTokens) GetBySecret(ctx context.Context, secret console.ResetPasswordSecret) (*console.ResetPasswordToken, error) {
+	m.Lock()
+	defer m.Unlock()
+	return m.db.GetBySecret(ctx, secret)
+}
+
 // UsageRollups is a getter for UsageRollups repository
 func (m *lockedConsole) UsageRollups() console.UsageRollups {
 	m.Lock()
diff --git a/satellite/satellitedb/migrate.go b/satellite/satellitedb/migrate.go
index 688a33ae4..2b917a6de 100644
--- a/satellite/satellitedb/migrate.go
+++ b/satellite/satellitedb/migrate.go
@@ -620,6 +620,19 @@ func (db *DB) PostgresMigration() *migrate.Migration {
 					`ALTER TABLE storagenode_storage_tallies DROP COLUMN created_at`,
 				},
 			},
+			{
+				Description: "Added new table to store reset password tokens",
+				Version:     19,
+				Action: migrate.SQL{`
+					CREATE TABLE reset_password_tokens (
+						secret bytea NOT NULL,
+						owner_id bytea NOT NULL,
+						created_at timestamp with time zone NOT NULL,
+						PRIMARY KEY ( secret ),
+						UNIQUE ( owner_id )
+					);`,
+				},
+			},
 		},
 	}
 }
diff --git a/satellite/satellitedb/resetpasstokens.go b/satellite/satellitedb/resetpasstokens.go
new file mode 100644
index 000000000..442e84729
--- /dev/null
+++ b/satellite/satellitedb/resetpasstokens.go
@@ -0,0 +1,101 @@
+// Copyright (C) 2018 Storj Labs, Inc.
+// See LICENSE for copying information.
+
+package satellitedb
+
+import (
+	"context"
+	"errors"
+
+	"github.com/skyrings/skyring-common/tools/uuid"
+
+	"storj.io/storj/satellite/console"
+	dbx "storj.io/storj/satellite/satellitedb/dbx"
+)
+
+type resetPasswordTokens struct {
+	db dbx.Methods
+}
+
+// Create creates new reset password token
+func (rpt *resetPasswordTokens) Create(ctx context.Context, ownerID uuid.UUID) (*console.ResetPasswordToken, error) {
+	secret, err := console.NewResetPasswordSecret()
+	if err != nil {
+		return nil, err
+	}
+
+	resToken, err := rpt.db.Create_ResetPasswordToken(
+		ctx,
+		dbx.ResetPasswordToken_Secret(secret[:]),
+		dbx.ResetPasswordToken_OwnerId(ownerID[:]),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return resetPasswordTokenFromDBX(resToken)
+}
+
+// GetBySecret retrieves ResetPasswordToken with given Secret
+func (rpt *resetPasswordTokens) GetBySecret(ctx context.Context, secret console.ResetPasswordSecret) (*console.ResetPasswordToken, error) {
+	resToken, err := rpt.db.Get_ResetPasswordToken_By_Secret(
+		ctx,
+		dbx.ResetPasswordToken_Secret(secret[:]),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return resetPasswordTokenFromDBX(resToken)
+}
+
+// GetByOwnerID retrieves ResetPasswordToken by ownerID
+func (rpt *resetPasswordTokens) GetByOwnerID(ctx context.Context, ownerID uuid.UUID) (*console.ResetPasswordToken, error) {
+	resToken, err := rpt.db.Get_ResetPasswordToken_By_OwnerId(
+		ctx,
+		dbx.ResetPasswordToken_OwnerId(ownerID[:]),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return resetPasswordTokenFromDBX(resToken)
+}
+
+// Delete deletes ResetPasswordToken by ResetPasswordSecret
+func (rpt *resetPasswordTokens) Delete(ctx context.Context, secret console.ResetPasswordSecret) error {
+	_, err := rpt.db.Delete_ResetPasswordToken_By_Secret(
+		ctx,
+		dbx.ResetPasswordToken_Secret(secret[:]),
+	)
+
+	return err
+}
+
+// resetPasswordTokenFromDBX is used for creating ResetPasswordToken entity from autogenerated dbx.ResetPasswordToken struct
+func resetPasswordTokenFromDBX(resetToken *dbx.ResetPasswordToken) (*console.ResetPasswordToken, error) {
+	if resetToken == nil {
+		return nil, errors.New("token parameter is nil")
+	}
+
+	var secret [32]byte
+
+	copy(secret[:], resetToken.Secret)
+
+	result := &console.ResetPasswordToken{
+		Secret:    secret,
+		OwnerID:   nil,
+		CreatedAt: resetToken.CreatedAt,
+	}
+
+	if resetToken.OwnerId != nil {
+		ownerID, err := bytesToUUID(resetToken.OwnerId)
+		if err != nil {
+			return nil, err
+		}
+
+		result.OwnerID = &ownerID
+	}
+
+	return result, nil
+}
diff --git a/satellite/satellitedb/testdata/postgres.v19.sql b/satellite/satellitedb/testdata/postgres.v19.sql
new file mode 100644
index 000000000..563e9a732
--- /dev/null
+++ b/satellite/satellitedb/testdata/postgres.v19.sql
@@ -0,0 +1,242 @@
+-- Copied from the corresponding version of dbx generated schema
+CREATE TABLE accounting_rollups (
+	id bigserial NOT NULL,
+	node_id bytea NOT NULL,
+	start_time timestamp with time zone NOT NULL,
+	put_total bigint NOT NULL,
+	get_total bigint NOT NULL,
+	get_audit_total bigint NOT NULL,
+	get_repair_total bigint NOT NULL,
+	put_repair_total bigint NOT NULL,
+	at_rest_total double precision NOT NULL,
+	PRIMARY KEY ( id )
+);
+CREATE TABLE accounting_timestamps (
+	name text NOT NULL,
+	value timestamp with time zone NOT NULL,
+	PRIMARY KEY ( name )
+);
+CREATE TABLE bucket_bandwidth_rollups (
+	bucket_name bytea NOT NULL,
+	project_id bytea NOT NULL,
+	interval_start timestamp NOT NULL,
+	interval_seconds integer NOT NULL,
+	action integer NOT NULL,
+	inline bigint NOT NULL,
+	allocated bigint NOT NULL,
+	settled bigint NOT NULL,
+	PRIMARY KEY ( bucket_name, project_id, interval_start, action )
+);
+CREATE TABLE bucket_storage_tallies (
+	bucket_name bytea NOT NULL,
+	project_id bytea NOT NULL,
+	interval_start timestamp NOT NULL,
+	inline bigint NOT NULL,
+	remote bigint NOT NULL,
+	remote_segments_count integer NOT NULL,
+	inline_segments_count integer NOT NULL,
+	object_count integer NOT NULL,
+	metadata_size bigint NOT NULL,
+	PRIMARY KEY ( bucket_name, project_id, interval_start )
+);
+CREATE TABLE bucket_usages (
+	id bytea NOT NULL,
+	bucket_id bytea NOT NULL,
+	rollup_end_time timestamp with time zone NOT NULL,
+	remote_stored_data bigint NOT NULL,
+	inline_stored_data bigint NOT NULL,
+	remote_segments integer NOT NULL,
+	inline_segments integer NOT NULL,
+	objects integer NOT NULL,
+	metadata_size bigint NOT NULL,
+	repair_egress bigint NOT NULL,
+	get_egress bigint NOT NULL,
+	audit_egress bigint NOT NULL,
+	PRIMARY KEY ( id )
+);
+CREATE TABLE bwagreements (
+	serialnum text NOT NULL,
+	storage_node_id bytea NOT NULL,
+	uplink_id bytea NOT NULL,
+	action bigint NOT NULL,
+	total bigint NOT NULL,
+	created_at timestamp with time zone NOT NULL,
+	expires_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( serialnum )
+);
+CREATE TABLE certRecords (
+	publickey bytea NOT NULL,
+	id bytea NOT NULL,
+	update_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( id )
+);
+CREATE TABLE injuredsegments (
+	path text NOT NULL,
+	data bytea NOT NULL,
+	attempted timestamp,
+	PRIMARY KEY ( path )
+);
+CREATE TABLE irreparabledbs (
+	segmentpath bytea NOT NULL,
+	segmentdetail bytea NOT NULL,
+	pieces_lost_count bigint NOT NULL,
+	seg_damaged_unix_sec bigint NOT NULL,
+	repair_attempt_count bigint NOT NULL,
+	PRIMARY KEY ( segmentpath )
+);
+CREATE TABLE nodes (
+	id bytea NOT NULL,
+	address text NOT NULL,
+	protocol integer NOT NULL,
+	type integer NOT NULL,
+	email text NOT NULL,
+	wallet text NOT NULL,
+	free_bandwidth bigint NOT NULL,
+	free_disk bigint NOT NULL,
+	major bigint NOT NULL,
+	minor bigint NOT NULL,
+	patch bigint NOT NULL,
+	hash text NOT NULL,
+	timestamp timestamp with time zone NOT NULL,
+	release boolean NOT NULL,
+	latency_90 bigint NOT NULL,
+	audit_success_count bigint NOT NULL,
+	total_audit_count bigint NOT NULL,
+	audit_success_ratio double precision NOT NULL,
+	uptime_success_count bigint NOT NULL,
+	total_uptime_count bigint NOT NULL,
+	uptime_ratio double precision NOT NULL,
+	created_at timestamp with time zone NOT NULL,
+	updated_at timestamp with time zone NOT NULL,
+	last_contact_success timestamp with time zone NOT NULL,
+	last_contact_failure timestamp with time zone NOT NULL,
+	PRIMARY KEY ( id )
+);
+CREATE TABLE projects (
+	id bytea NOT NULL,
+	name text NOT NULL,
+	description text NOT NULL,
+	created_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( id )
+);
+CREATE TABLE registration_tokens (
+	secret bytea NOT NULL,
+	owner_id bytea,
+	project_limit integer NOT NULL,
+	created_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( secret ),
+	UNIQUE ( owner_id )
+);
+CREATE TABLE serial_numbers (
+	id serial NOT NULL,
+	serial_number bytea NOT NULL,
+	bucket_id bytea NOT NULL,
+	expires_at timestamp NOT NULL,
+	PRIMARY KEY ( id )
+);
+CREATE TABLE storagenode_bandwidth_rollups (
+	storagenode_id bytea NOT NULL,
+	interval_start timestamp NOT NULL,
+	interval_seconds integer NOT NULL,
+	action integer NOT NULL,
+	allocated bigint NOT NULL,
+	settled bigint NOT NULL,
+	PRIMARY KEY ( storagenode_id, interval_start, action )
+);
+CREATE TABLE storagenode_storage_tallies (
+	id bigserial NOT NULL,
+	node_id bytea NOT NULL,
+	interval_end_time timestamp with time zone NOT NULL,
+	data_total double precision NOT NULL,
+	PRIMARY KEY ( id )
+);
+CREATE TABLE users (
+	id bytea NOT NULL,
+	full_name text NOT NULL,
+	short_name text,
+	email text NOT NULL,
+	password_hash bytea NOT NULL,
+	status integer NOT NULL,
+	created_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( id )
+);
+CREATE TABLE api_keys (
+	id bytea NOT NULL,
+	project_id bytea NOT NULL REFERENCES projects( id ) ON DELETE CASCADE,
+	key bytea NOT NULL,
+	name text NOT NULL,
+	created_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( id ),
+	UNIQUE ( key ),
+	UNIQUE ( name, project_id )
+);
+CREATE TABLE project_members (
+	member_id bytea NOT NULL REFERENCES users( id ) ON DELETE CASCADE,
+	project_id bytea NOT NULL REFERENCES projects( id ) ON DELETE CASCADE,
+	created_at timestamp with time zone NOT NULL,
+	PRIMARY KEY ( member_id, project_id )
+);
+CREATE TABLE used_serials (
+	serial_number_id integer NOT NULL REFERENCES serial_numbers( id ) ON DELETE CASCADE,
+	storage_node_id bytea NOT NULL,
+	PRIMARY KEY ( serial_number_id, storage_node_id )
+);
+CREATE TABLE reset_password_tokens (
+  secret bytea NOT NULL,
+  owner_id bytea NOT NULL,
+  created_at timestamp with time zone NOT NULL,
+  PRIMARY KEY ( secret ),
+  UNIQUE ( owner_id )
+);
+CREATE INDEX bucket_name_project_id_interval_start_interval_seconds ON bucket_bandwidth_rollups ( bucket_name, project_id, interval_start, interval_seconds );
+CREATE UNIQUE INDEX bucket_id_rollup ON bucket_usages ( bucket_id, rollup_end_time );
+CREATE UNIQUE INDEX serial_number ON serial_numbers ( serial_number );
+CREATE INDEX serial_numbers_expires_at_index ON serial_numbers ( expires_at );
+CREATE INDEX storagenode_id_interval_start_interval_seconds ON storagenode_bandwidth_rollups ( storagenode_id, interval_start, interval_seconds );
+
+---
+
+INSERT INTO "accounting_rollups"("id", "node_id", "start_time", "put_total", "get_total", "get_audit_total", "get_repair_total", "put_repair_total", "at_rest_total") VALUES (1, E'\\367M\\177\\251]t/\\022\\256\\214\\265\\025\\224\\204:\\217\\212\\0102<\\321\\374\\020&\\271Qc\\325\\261\\354\\246\\233'::bytea, '2019-02-09 00:00:00+00', 1000, 2000, 3000, 4000, 0, 5000);
+
+INSERT INTO "accounting_timestamps" VALUES ('LastAtRestTally', '0001-01-01 00:00:00+00');
+INSERT INTO "accounting_timestamps" VALUES ('LastRollup', '0001-01-01 00:00:00+00');
+INSERT INTO "accounting_timestamps" VALUES ('LastBandwidthTally', '0001-01-01 00:00:00+00');
+
+INSERT INTO "nodes"("id", "address", "protocol", "type", "email", "wallet", "free_bandwidth", "free_disk", "major", "minor", "patch", "hash", "timestamp", "release","latency_90", "audit_success_count", "total_audit_count", "audit_success_ratio", "uptime_success_count", "total_uptime_count", "uptime_ratio", "created_at", "updated_at", "last_contact_success", "last_contact_failure") VALUES (E'\\153\\313\\233\\074\\327\\177\\136\\070\\346\\001', '127.0.0.1:55516', 0, 4, '', '', -1, -1, 0, 1, 0, '', 'epoch', false, 0, 0, 5, 0, 0, 5, 0, '2019-02-14 08:07:31.028103+00', '2019-02-14 08:07:31.108963+00', 'epoch', 'epoch');
+INSERT INTO "nodes"("id", "address", "protocol", "type", "email", "wallet", "free_bandwidth", "free_disk", "major", "minor", "patch", "hash", "timestamp", "release","latency_90", "audit_success_count", "total_audit_count", "audit_success_ratio", "uptime_success_count", "total_uptime_count", "uptime_ratio", "created_at", "updated_at", "last_contact_success", "last_contact_failure") VALUES (E'\\006\\223\\250R\\221\\005\\365\\377v>0\\266\\365\\216\\255?\\347\\244\\371?2\\264\\262\\230\\007<\\001\\262\\263\\237\\247n', '127.0.0.1:55518', 0, 4, '', '', -1, -1, 0, 1, 0, '', 'epoch', false, 0, 0, 0, 1, 3, 3, 1, '2019-02-14 08:07:31.028103+00', '2019-02-14 08:07:31.108963+00', 'epoch', 'epoch');
+INSERT INTO "nodes"("id", "address", "protocol", "type", "email", "wallet", "free_bandwidth", "free_disk", "major", "minor", "patch", "hash", "timestamp", "release","latency_90", "audit_success_count", "total_audit_count", "audit_success_ratio", "uptime_success_count", "total_uptime_count", "uptime_ratio", "created_at", "updated_at", "last_contact_success", "last_contact_failure") VALUES (E'\\363\\342\\363\\371>+F\\256\\263\\300\\273|\\342N\\347\\014', '127.0.0.1:55517', 0, 4, '', '', -1, -1, 0, 1, 0, '', 'epoch', false, 0, 0, 0, 1, 0, 0, 1, '2019-02-14 08:07:31.028103+00', '2019-02-14 08:07:31.108963+00', 'epoch', 'epoch');
+
+
+INSERT INTO "projects"("id", "name", "description", "created_at") VALUES (E'\\022\\217/\\014\\376!K\\023\\276\\031\\311}m\\236\\205\\300'::bytea, 'ProjectName', 'projects description', '2019-02-14 08:28:24.254934+00');
+INSERT INTO "api_keys"("id", "project_id", "key", "name", "created_at") VALUES (E'\\334/\\302;\\225\\355O\\323\\276f\\247\\354/6\\241\\033'::bytea, E'\\022\\217/\\014\\376!K\\023\\276\\031\\311}m\\236\\205\\300'::bytea, E'\\000]\\326N \\343\\270L\\327\\027\\337\\242\\240\\322mOl\\0318\\251.P I'::bytea, 'key 2', '2019-02-14 08:28:24.267934+00');
+
+INSERT INTO "users"("id", "full_name", "short_name", "email", "password_hash", "status", "created_at") VALUES (E'\\363\\311\\033w\\222\\303Ci\\265\\343U\\303\\312\\204",'::bytea, 'Noahson', 'William', '1email1@ukr.net', E'some_readable_hash'::bytea, 1, '2019-02-14 08:28:24.614594+00');
+INSERT INTO "projects"("id", "name", "description", "created_at") VALUES (E'\\363\\342\\363\\371>+F\\256\\263\\300\\273|\\342N\\347\\014'::bytea, 'projName1', 'Test project 1', '2019-02-14 08:28:24.636949+00');
+INSERT INTO "project_members"("member_id", "project_id", "created_at") VALUES (E'\\363\\311\\033w\\222\\303Ci\\265\\343U\\303\\312\\204",'::bytea, E'\\363\\342\\363\\371>+F\\256\\263\\300\\273|\\342N\\347\\014'::bytea, '2019-02-14 08:28:24.677953+00');
+
+INSERT INTO "bwagreements"("serialnum", "storage_node_id", "action", "total", "created_at", "expires_at", "uplink_id") VALUES ('8fc0ceaa-984c-4d52-bcf4-b5429e1e35e812FpiifDbcJkePa12jxjDEutKrfLmwzT7sz2jfVwpYqgtM8B74c', E'\\245Z[/\\333\\022\\011\\001\\036\\003\\204\\005\\032.\\206\\333E\\261\\342\\227=y,}aRaH6\\240\\370\\000'::bytea, 1, 666, '2019-02-14 15:09:54.420181+00', '2019-02-14 16:09:54+00', E'\\253Z+\\374eFm\\245$\\036\\206\\335\\247\\263\\350x\\\\\\304+\\364\\343\\364+\\276fIJQ\\361\\014\\232\\000'::bytea);
+INSERT INTO "irreparabledbs" ("segmentpath", "segmentdetail", "pieces_lost_count", "seg_damaged_unix_sec", "repair_attempt_count") VALUES ('\x49616d5365676d656e746b6579696e666f30', '\x49616d5365676d656e7464657461696c696e666f30', 10, 1550159554, 10);
+
+INSERT INTO "injuredsegments" ("path", "data") VALUES ('0', '\x0a0130120100');
+INSERT INTO "injuredsegments" ("path", "data") VALUES ('here''s/a/great/path', '\x0a136865726527732f612f67726561742f70617468120a0102030405060708090a');
+INSERT INTO "injuredsegments" ("path", "data") VALUES ('yet/another/cool/path', '\x0a157965742f616e6f746865722f636f6f6c2f70617468120a0102030405060708090a');
+INSERT INTO "injuredsegments" ("path", "data") VALUES ('so/many/iconic/paths/to/choose/from', '\x0a23736f2f6d616e792f69636f6e69632f70617468732f746f2f63686f6f73652f66726f6d120a0102030405060708090a');
+
+INSERT INTO "certrecords" VALUES (E'0Y0\\023\\006\\007*\\206H\\316=\\002\\001\\006\\010*\\206H\\316=\\003\\001\\007\\003B\\000\\004\\360\\267\\227\\377\\253u\\222\\337Y\\324C:GQ\\010\\277v\\010\\315D\\271\\333\\337.\\203\\023=C\\343\\014T%6\\027\\362?\\214\\326\\017U\\334\\000\\260\\224\\260J\\221\\304\\331F\\304\\221\\236zF,\\325\\326l\\215\\306\\365\\200\\022', E'L\\301|\\200\\247}F|1\\320\\232\\037n\\335\\241\\206\\244\\242\\207\\204.\\253\\357\\326\\352\\033Dt\\202`\\022\\325', '2019-02-14 08:07:31.335028+00');
+
+INSERT INTO "bucket_usages" ("id", "bucket_id", "rollup_end_time", "remote_stored_data", "inline_stored_data", "remote_segments", "inline_segments", "objects", "metadata_size", "repair_egress", "get_egress", "audit_egress") VALUES (E'\\153\\313\\233\\074\\327\\177\\136\\070\\346\\001",'::bytea, E'\\366\\146\\032\\321\\316\\161\\070\\133\\302\\271",'::bytea, '2019-03-06 08:28:24.677953+00', 10, 11, 12, 13, 14, 15, 16, 17, 18);
+
+INSERT INTO "registration_tokens" ("secret", "owner_id", "project_limit", "created_at") VALUES (E'\\070\\127\\144\\013\\332\\344\\102\\376\\306\\056\\303\\130\\106\\132\\321\\276\\321\\274\\170\\264\\054\\333\\221\\116\\154\\221\\335\\070\\220\\146\\344\\216'::bytea, null, 1, '2019-02-14 08:28:24.677953+00');
+
+INSERT INTO "serial_numbers" ("id", "serial_number", "bucket_id", "expires_at") VALUES (1, E'0123456701234567'::bytea, E'\\363\\342\\363\\371>+F\\256\\263\\300\\273|\\342N\\347\\014/testbucket'::bytea, '2019-03-06 08:28:24.677953+00');
+INSERT INTO "used_serials" ("serial_number_id", "storage_node_id") VALUES (1, E'\\006\\223\\250R\\221\\005\\365\\377v>0\\266\\365\\216\\255?\\347\\244\\371?2\\264\\262\\230\\007<\\001\\262\\263\\237\\247n');
+
+INSERT INTO "storagenode_bandwidth_rollups" ("storagenode_id", "interval_start", "interval_seconds", "action", "allocated", "settled") VALUES (E'\\006\\223\\250R\\221\\005\\365\\377v>0\\266\\365\\216\\255?\\347\\244\\371?2\\264\\262\\230\\007<\\001\\262\\263\\237\\247n', '2019-03-06 08:00:00.000000+00', 3600, 1, 1024, 2024);
+INSERT INTO "storagenode_storage_tallies" VALUES (1, E'\\3510\\323\\225"~\\036<\\342\\330m\\0253Jhr\\246\\233K\\246#\\2303\\351\\256\\275j\\212UM\\362\\207', '2019-02-14 08:16:57.812849+00', 1000);
+
+INSERT INTO "bucket_bandwidth_rollups" ("bucket_name", "project_id", "interval_start", "interval_seconds", "action", "inline", "allocated", "settled") VALUES (E'testbucket'::bytea, E'\\363\\342\\363\\371>+F\\256\\263\\300\\273|\\342N\\347\\014'::bytea,'2019-03-06 08:00:00.000000+00', 3600, 1, 1024, 2024, 3024);
+INSERT INTO "bucket_storage_tallies" ("bucket_name", "project_id", "interval_start", "inline", "remote", "remote_segments_count", "inline_segments_count", "object_count", "metadata_size") VALUES (E'testbucket'::bytea, E'\\363\\342\\363\\371>+F\\256\\263\\300\\273|\\342N\\347\\014'::bytea,'2019-03-06 08:00:00.000000+00', 4024, 5024, 0, 0, 0, 0);
+
+-- NEW DATA --
+
+INSERT INTO "reset_password_tokens" ("secret", "owner_id", "created_at") VALUES (E'\\070\\127\\144\\013\\332\\344\\102\\376\\306\\056\\303\\130\\106\\132\\321\\276\\321\\274\\170\\264\\054\\333\\221\\116\\154\\221\\335\\070\\220\\146\\344\\216'::bytea, E'\\363\\311\\033w\\222\\303Ci\\265\\343U\\303\\312\\204",'::bytea, '2019-05-08 08:28:24.677953+00');
diff --git a/web/satellite/static/emails/Forgot.html b/web/satellite/static/emails/Forgot.html
index c755c0b55..5c016649b 100644
--- a/web/satellite/static/emails/Forgot.html
+++ b/web/satellite/static/emails/Forgot.html
@@ -532,7 +532,8 @@ To reset your password, click the following link and follow the instructions. &#
                         <div style="mso-line-height-rule: exactly;mso-text-raise: 4px;">
                             <p class="size-16" style="Margin-top: 0;Margin-bottom: 0;font-family: montserrat,dejavu sans,verdana,sans-serif;font-size: 16px;line-height: 24px;" lang="x-size-16"><span class="font-montserrat">Didn’t request this change?
<br /></span></p>
                             <p class="size-16" style="Margin-top: 0;Margin-bottom: 0;font-family: montserrat,dejavu sans,verdana,sans-serif;font-size: 16px;line-height: 24px;" lang="x-size-16"><span class="font-montserrat">If you didn’t request a new password
-                                <a href="mailto:support@storj.io" style="color: #2683ff; text-decoration: none; font-weight: bold">let us know</a><br /></span></p>
+                                <a href="{{ .CancelPasswordRecoveryLink }}" style="color: #2683ff; text-decoration: none; font-weight: bold">let us know</a><br /></span></p>
+                            <p style="Margin-top: 0;Margin-bottom: 0;font-family: montserrat,dejavu sans,verdana,sans-serif;font-size: 12px;line-height: 24px;" lang="x-size-16"><span class="font-montserrat">Please Note: After clicking on «Let us Know» we will automatically deactivate this reset password link and redirect you to our Support Desk.
<br /></span></p>
                         </div>
                     </div>
 
diff --git a/web/satellite/static/resetPassword/success.css b/web/satellite/static/resetPassword/success.css
new file mode 100644
index 000000000..7a31c7c81
--- /dev/null
+++ b/web/satellite/static/resetPassword/success.css
@@ -0,0 +1,66 @@
+/*Copyright (C) 2019 Storj Labs, Inc.*/
+/*See LICENSE for copying information.*/
+
+.container {
+    position: fixed;
+    top: 0;
+    left: 0;
+    z-index: 1000;
+    width: 100%;
+    height: 100vh;
+    background-color: #fff;
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    justify-content: center;
+    -webkit-touch-callout: none;
+    -webkit-user-select: none;
+    -khtml-user-select: none;
+    -moz-user-select: none;
+    -ms-user-select: none;
+    user-select: none;
+
+}
+
+a {
+    text-decoration: none;
+}
+
+    .container__title {
+        font-family: 'font', sans-serif;
+        font-weight: bold;
+        font-size: 32px;
+        line-height: 39px;
+    }
+
+    .container__info {
+        width: 566px;
+        text-align: center;
+        font-family: 'font', sans-serif;
+        font-size: 18px;
+        line-height: 26px;
+    }
+
+    .container__button {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        background-color: #2683FF;
+        border-radius: 6px;
+        cursor: pointer;
+        width: 216px;
+        height: 48px;
+        margin-top: 30px;
+    }
+
+        .container__button p {
+            font-family: 'font', sans-serif;
+            font-weight: bold;
+            font-size: 16px;
+            line-height: 23px;
+            color: #fff;
+        }
+
+        .container__button:hover {
+            box-shadow: 0px 4px 20px rgba(35, 121, 236, 0.4);
+        }
diff --git a/web/satellite/static/resetPassword/success.html b/web/satellite/static/resetPassword/success.html
new file mode 100644
index 000000000..f5dcfc3d8
--- /dev/null
+++ b/web/satellite/static/resetPassword/success.html
@@ -0,0 +1,34 @@
+<!--Copyright (C) 2019 Storj Labs, Inc.-->
+<!--See LICENSE for copying information.-->
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta charset="UTF-8">
+	<title>Tardigrade Satellite - Mars</title>
+
+    <link href="/static/static/fonts/font_regular.ttf" rel="stylesheet">
+	<link rel="stylesheet" type="text/css" href="/static/static/activation/success.css">
+</head>
+<body>
+	<div class="container">
+		<svg class="container__img" width="54" height="60" viewBox="0 0 54 60" fill="none" xmlns="http://www.w3.org/2000/svg">
+			<path d="M54 17.4399C53.9172 19.3141 53.0892 20.6993 51.5161 21.6771C51.1849 21.8401 51.1021 22.003 51.1021 22.329C51.1021 27.4625 51.1021 32.596 51.1021 37.7295C51.1021 38.0555 51.1849 38.2184 51.4333 38.3814C53.2548 39.4407 54.2484 41.3963 53.9172 43.4334C53.586 45.389 52.0129 47.0187 49.9429 47.3447C48.7837 47.5891 47.6246 47.4262 46.5482 46.7743C46.217 46.6113 45.9686 46.6113 45.7202 46.7743C41.2491 49.3003 36.7781 51.9078 32.307 54.4338C31.9758 54.5968 31.893 54.7597 31.893 55.1672C31.893 57.6117 29.9887 59.8118 27.5875 59.9747C25.0208 60.2192 22.7025 58.671 22.2057 56.145C22.1229 55.7376 22.1229 55.4116 22.1229 55.0042C22.1229 54.7597 22.0401 54.5968 21.7917 54.4338C17.2378 51.8263 12.6839 49.3003 8.13005 46.6928C7.88166 46.5298 7.71606 46.5298 7.46767 46.6928C4.48695 48.4854 0.678253 46.7743 0.0986687 43.5149C-0.31532 41.4778 0.595455 39.5222 2.41701 38.3814C2.7482 38.2184 2.83099 38.0555 2.83099 37.648C2.83099 32.5145 2.83099 27.381 2.83099 22.2475C2.83099 21.9216 2.7482 21.7586 2.4998 21.5956C0.595455 20.5363 -0.31532 18.6622 0.0986687 16.5436C0.42986 14.425 2.08581 12.8768 4.23856 12.6323C5.39772 12.4694 6.4741 12.7138 7.46767 13.2842C7.71606 13.4472 7.88166 13.4472 8.13005 13.2842C12.6839 10.6767 17.155 8.15071 21.7089 5.54321C21.9573 5.38024 22.1229 5.21727 22.1229 4.89133C22.1229 2.03938 24.3584 -0.0792115 27.2563 0.00227286C29.4919 0.0837572 31.5618 1.87641 31.893 4.07649C31.893 4.23946 31.9758 4.40243 31.9758 4.64688C31.9758 5.21727 32.2242 5.54321 32.6382 5.78766C37.0265 8.23219 41.4147 10.7582 45.803 13.2842C46.1342 13.4472 46.2998 13.4472 46.631 13.2842C49.6117 11.573 53.2548 13.2027 53.9172 16.5436C54 16.8695 54 17.1955 54 17.4399ZM15.1679 35.0405C15.0851 35.0405 15.0851 35.122 15.0851 35.122C12.6011 36.5073 10.1172 37.8925 7.63326 39.3592C7.46767 39.4407 7.21927 39.4407 7.05368 39.3592C6.3913 38.9518 5.72892 38.7073 4.90094 38.7073C2.33421 38.6258 0.843848 40.663 0.761051 42.4556C0.761051 44.4927 2.33421 46.6113 4.90094 46.6113C7.13648 46.6113 8.87523 44.8187 8.87523 42.6186C8.87523 42.2112 8.95803 41.9667 9.37202 41.8037C12.0215 40.337 14.5883 38.8703 17.2378 37.3221C17.4862 37.1591 17.7346 37.1591 17.983 37.2406C19.6389 37.974 21.2949 38.1369 23.0336 37.648C23.1992 37.5665 23.4476 37.648 23.6132 37.7295C24.11 37.974 24.6068 38.2184 25.1036 38.3814C25.4348 38.4629 25.5176 38.6258 25.5176 38.9518C25.5176 43.026 25.5176 47.0187 25.5176 51.0929C25.5176 51.3374 25.4348 51.5004 25.1864 51.6633C23.7788 52.3152 22.7852 54.0264 23.0336 55.819C23.3648 57.9376 25.5176 59.4858 27.6703 59.0784C29.5747 58.7525 30.7338 57.4487 31.065 55.5746C31.2306 54.2708 30.5682 52.5597 28.9123 51.6633C28.6639 51.5819 28.5811 51.4189 28.5811 51.1744C28.5811 47.2632 28.5811 43.3519 28.5811 39.4407C28.5811 39.1147 28.7467 39.0333 29.0779 38.9518C29.9059 38.7888 30.7338 38.6258 31.479 38.4629C31.8102 38.3814 32.1414 38.3814 32.4726 38.4629C34.2113 39.1962 35.9501 39.1147 37.606 38.1369C37.8544 37.974 38.02 37.974 38.2684 38.1369C40.4212 39.3592 42.5739 40.5815 44.7267 41.8037C45.0578 41.9667 45.2234 42.2112 45.2234 42.6186C44.975 44.9001 47.1278 46.7743 49.5289 46.5298C51.9301 46.2854 53.586 44.0038 53.0064 41.7222C52.344 38.9518 49.3633 37.7295 46.8794 39.1962C46.631 39.3592 46.4654 39.3592 46.1342 39.1962C44.0643 37.974 41.9943 36.8332 39.9244 35.6924C39.5932 35.5294 39.5932 35.3665 39.676 35.0405C40.3384 33.0034 39.8416 31.1293 38.3512 29.5811C38.02 29.2551 36.6953 27.1366 36.4469 26.7291C36.2813 26.4032 36.3641 26.2402 36.6953 26.0773C39.8416 24.2846 42.9879 22.5734 46.0514 20.7808C46.2998 20.6178 46.4654 20.6178 46.7138 20.7808C47.6246 21.3512 48.6181 21.5141 49.6117 21.3512C51.5989 21.0252 53.0892 19.2326 52.9236 17.114C52.758 14.8324 50.4397 13.1212 48.1214 13.6102C46.1342 14.0176 44.8094 15.5658 44.8922 17.6029C44.8922 17.9288 44.8094 18.1733 44.4783 18.3362C41.3319 20.1289 38.1028 21.9216 34.9565 23.7142C34.7081 23.8772 34.5425 23.8772 34.2941 23.6327C32.8038 22.2475 30.9822 21.4326 28.9951 21.1882C28.3327 21.1067 28.3327 21.1067 28.3327 20.3734C28.3327 16.7066 28.3327 13.0398 28.3327 9.37297C28.3327 8.88406 28.4155 8.55813 28.9123 8.31367C30.651 7.33586 31.3134 5.21727 30.5682 3.34313C29.7403 1.55048 27.6703 0.491179 25.766 1.14305C24.0272 1.63196 23.0336 2.93571 22.868 4.64688C22.7025 6.03211 23.3648 7.58031 25.0208 8.39516C25.2692 8.55813 25.4348 8.63961 25.4348 8.96555C25.4348 13.0398 25.4348 17.0325 25.4348 21.1067C25.4348 21.4326 25.2692 21.5141 25.0208 21.6771C24.1928 22.0845 23.3648 22.4105 22.7025 22.9809C21.9573 23.6327 21.2121 23.9587 20.1357 23.9587C20.0529 23.9587 19.9701 23.9587 19.8873 23.9587C19.6389 23.9587 19.3077 23.9587 19.0594 23.7957C15.8302 22.003 12.6839 20.2104 9.45481 18.4177C8.95803 18.1733 8.79243 17.8473 8.87523 17.3584C8.87523 17.114 8.87523 16.951 8.79243 16.7066C8.46124 14.7509 6.55689 13.1212 4.23856 13.5287C1.92022 13.9361 0.512657 15.9732 0.843848 18.0918C1.34063 20.8623 4.56975 22.2475 6.97088 20.7808C7.21927 20.6178 7.46767 20.6178 7.71606 20.7808C10.1172 22.166 12.5183 23.5512 15.0023 24.9365C15.4163 25.1809 15.8302 25.4254 16.2442 25.6698C13.5119 28.5218 13.1807 31.6182 15.1679 35.0405Z" fill="#2683FF"/>
+			<path d="M22.4933 25.5491C23.1511 25.6323 23.3978 25.3828 23.8912 24.9671C25.8648 23.0547 28.2495 22.5558 30.7987 23.3873C33.3479 24.2188 34.9103 26.048 35.4037 28.7088C35.4859 29.2077 35.7326 29.5403 36.1438 29.7898C37.4595 30.5381 38.1996 32.2011 37.9529 33.5315C37.624 35.2776 36.4727 36.5249 34.8281 36.7743C33.9235 36.9406 33.1012 36.7743 32.3611 36.3586C32.0322 36.1091 31.7855 36.1923 31.3743 36.3586C29.0718 37.3564 26.9338 37.1901 24.7958 35.8597C24.4668 35.6934 24.2201 35.6102 23.8912 35.7765C20.9308 36.7743 17.8882 35.0282 17.1482 32.1179C16.3258 28.7088 19.0395 25.3828 22.4933 25.5491Z" fill="#2683FF"/>
+			<path d="M48 43C48 42.4286 48.4286 42 49 42C49.5714 42 50 42.4286 50 43C50 43.5 49.5 44 49 44C48.4286 44 48 43.5714 48 43Z" fill="#2683FF"/>
+			<path d="M26 5C26 4.42857 26.4444 4 27.037 4C27.5556 4 28 4.42857 28 5C28 5.5 27.5556 6 26.963 6C26.4444 5.92857 26 5.5 26 5Z" fill="#2683FF"/>
+			<path d="M6 43C6 43.5714 5.57143 44 5 44C4.5 44 4 43.5 4 43C4 42.5 4.5 42 5 42C5.57143 42 6 42.4286 6 43Z" fill="#2683FF"/>
+			<path d="M27 54C27.5714 54 28 54.6667 28 55.5556C28 56.4444 27.5714 57 27 57C26.4286 57 26 56.3333 26 55.4444C26 54.6667 26.4286 54 27 54Z" fill="#2683FF"/>
+			<path d="M5 19C4.42857 19 4 18.3333 4 17.5556C4 16.7778 4.42857 16 5 16C5.57143 16 6 16.5556 6 17.4444C5.92857 18.3333 5.57143 19 5 19Z" fill="#2683FF"/>
+			<path d="M48.9327 19C48.3635 19 47.9366 18.3333 48.0078 17.4444C48.0078 16.5556 48.4347 16 49.0039 16C49.5731 16 50 16.6667 50 17.5556C49.9288 18.3333 49.4308 19 48.9327 19Z" fill="#2683FF"/>
+		</svg>
+		<p class="container__title">You have successfully changed your password.</p>
+		<p class="container__info">Now you can use new credentials to work with your Satellite Account.</p>
+		<a href="/login">
+			<div class="container__button">
+				<p>Go To Log In</p>
+			</div>
+		</a>
+	</div>
+</body>
+</html>