Once the user clicks the link in the email, you can decode the resetCode from the URL.

Then send that resetCode to the server, which looks up the user by that resetCode.

If a user is found, allow them to access their account. The server clears the resetCode in the same step, so the link works only once.

Once logged in (the account is accessible), the user can update their password.

// routes/auth
// POST /access-account hands the request to auth.accessAccount (presumably the
// controller shown below, which trades the emailed reset token for login tokens).
// NOTE(review): no auth or throttling middleware is attached on this line. The
// caller cannot be logged in yet, so the reset token is the only credential —
// confirm that request rate limiting is applied elsewhere.
router.post("/access-account", auth.accessAccount);

// controllers/auth
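/**
 * Logs a user in from a password-reset link.
 *
 * Verifies the JWT in `req.body.token`, reads its `resetCode` claim, finds the
 * user holding that code and clears the code in the same call, then responds
 * with a fresh access token (1 day), a refresh token (30 days) and the user
 * with `password` and `resetCode` blanked out.
 *
 * Every failure (bad or expired token, missing claim, unknown code) gets the
 * same JSON error body, so the response does not reveal which check failed.
 * No HTTP status is set on the error path; clients must inspect `error`.
 *
 * @param {object} req - request whose `body.token` carries the emailed JWT
 * @param {object} res - response; `res.json` is called exactly once
 * @returns {Promise<*>} whatever `res.json` returns on the early-return paths
 */
export const accessAccount = async (req, res) => {
  const invalidTokenBody = { error: "Expired or invalid token. Try again." };

  try {
    // jwt.verify throws on a bad signature or an expired token.
    const { resetCode } = jwt.verify(req.body.token, config.JWT_SECRET);

    // The login tokens issued below are signed with the same secret and carry
    // no resetCode claim, so a valid signature alone does not prove this is a
    // reset token. An undefined or empty code must never reach the lookup:
    // depending on the driver, such a filter can match accounts with no
    // pending reset, and "" is the value stored once a code has been used.
    // (Assumes reset codes are non-empty strings — confirm against the code
    // that issues them.)
    if (typeof resetCode !== "string" || resetCode === "") {
      return res.json(invalidTokenBody);
    }

    // Find and clear in one call so the emailed link is single-use.
    const user = await User.findOneAndUpdate({ resetCode }, { resetCode: "" });
    if (!user) {
      // Unknown or already-used code.
      return res.json(invalidTokenBody);
    }

    // Deliberately not logging `user` or `resetCode`: the document includes
    // the password field and the code is a live credential.

    // NOTE(review): access, refresh and reset tokens all share
    // config.JWT_SECRET, and the access and refresh tokens differ only in
    // lifetime. Consider a per-purpose secret or a purpose claim so one kind
    // of token cannot be presented as another.
    const token = jwt.sign({ _id: user._id }, config.JWT_SECRET, {
      expiresIn: "1d",
    });
    const refreshToken = jwt.sign({ _id: user._id }, config.JWT_SECRET, {
      expiresIn: "30d",
    });

    // Strip secrets from the object before it is serialized to the client.
    user.password = undefined;
    user.resetCode = undefined;
    return res.json({
      token,
      refreshToken,
      user,
    });
  } catch (err) {
    console.log(err);
    res.json(invalidTokenBody);
  }
};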