feat: password reset flow with welcome emails

- POST /auth/forgot-password with welcome/reset email templates - POST /auth/reset-password with Zod validation, 4-hour tokens - Per-email rate limiting (3/hr) via Valkey, no user enumeration - Login page "Forgot password?" toggle with inline form - /reset-password page for setting new password from email link - Initial user seed sends welcome email instead of requiring password - CLI script for force-resetting passwords via kubectl exec - APP_URL env var in chart, removed INITIAL_USER_PASSWORD Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 17:09:23 +00:00
parent a1dc4b0e47
commit bc8613bbbc
10 changed files with 491 additions and 59 deletions
--- a/packages/admin/src/api/auth.ts
+++ b/packages/admin/src/api/auth.ts
@@ -14,3 +14,11 @@ interface LoginResponse {
 export async function login(email: string, password: string): Promise<LoginResponse> {
  return api.post<LoginResponse>('/v1/auth/login', { email, password })
 }
+
+export async function forgotPassword(email: string): Promise<{ message: string }> {
+  return api.post<{ message: string }>('/v1/auth/forgot-password', { email })
+}
+
+export async function resetPassword(token: string, newPassword: string): Promise<{ message: string }> {
+  return api.post<{ message: string }>('/v1/auth/reset-password', { token, newPassword })
+}
--- a/packages/admin/src/routeTree.gen.ts
+++ b/packages/admin/src/routeTree.gen.ts
@@ -9,6 +9,7 @@
 // Additionally, you should also exclude this file from your linter and/or formatter to prevent it from being checked or modified.

 import { Route as rootRouteImport } from './routes/__root'
+import { Route as ResetPasswordRouteImport } from './routes/reset-password'
 import { Route as PosRouteImport } from './routes/pos'
 import { Route as LoginRouteImport } from './routes/login'
 import { Route as AuthenticatedRouteImport } from './routes/_authenticated'
@@ -58,6 +59,11 @@ import { Route as AuthenticatedAccountsAccountIdMembersRouteImport } from './rou
 import { Route as AuthenticatedAccountsAccountIdEnrollmentsRouteImport } from './routes/_authenticated/accounts/$accountId/enrollments'
 import { Route as AuthenticatedLessonsScheduleInstructorsInstructorIdRouteImport } from './routes/_authenticated/lessons/schedule/instructors/$instructorId'

+const ResetPasswordRoute = ResetPasswordRouteImport.update({
+  id: '/reset-password',
+  path: '/reset-password',
+  getParentRoute: () => rootRouteImport,
+} as any)
 const PosRoute = PosRouteImport.update({
  id: '/pos',
  path: '/pos',
@@ -337,6 +343,7 @@ export interface FileRoutesByFullPath {
  '/': typeof AuthenticatedIndexRoute
  '/login': typeof LoginRoute
  '/pos': typeof PosRoute
+  '/reset-password': typeof ResetPasswordRoute
  '/help': typeof AuthenticatedHelpRoute
  '/profile': typeof AuthenticatedProfileRoute
  '/settings': typeof AuthenticatedSettingsRoute
@@ -385,6 +392,7 @@ export interface FileRoutesByFullPath {
 export interface FileRoutesByTo {
  '/login': typeof LoginRoute
  '/pos': typeof PosRoute
+  '/reset-password': typeof ResetPasswordRoute
  '/help': typeof AuthenticatedHelpRoute
  '/profile': typeof AuthenticatedProfileRoute
  '/settings': typeof AuthenticatedSettingsRoute
@@ -435,6 +443,7 @@ export interface FileRoutesById {
  '/_authenticated': typeof AuthenticatedRouteWithChildren
  '/login': typeof LoginRoute
  '/pos': typeof PosRoute
+  '/reset-password': typeof ResetPasswordRoute
  '/_authenticated/help': typeof AuthenticatedHelpRoute
  '/_authenticated/profile': typeof AuthenticatedProfileRoute
  '/_authenticated/settings': typeof AuthenticatedSettingsRoute
@@ -487,6 +496,7 @@ export interface FileRouteTypes {
    | '/'
    | '/login'
    | '/pos'
+    | '/reset-password'
    | '/help'
    | '/profile'
    | '/settings'
@@ -535,6 +545,7 @@ export interface FileRouteTypes {
  to:
    | '/login'
    | '/pos'
+    | '/reset-password'
    | '/help'
    | '/profile'
    | '/settings'
@@ -584,6 +595,7 @@ export interface FileRouteTypes {
    | '/_authenticated'
    | '/login'
    | '/pos'
+    | '/reset-password'
    | '/_authenticated/help'
    | '/_authenticated/profile'
    | '/_authenticated/settings'
@@ -635,10 +647,18 @@ export interface RootRouteChildren {
  AuthenticatedRoute: typeof AuthenticatedRouteWithChildren
  LoginRoute: typeof LoginRoute
  PosRoute: typeof PosRoute
+  ResetPasswordRoute: typeof ResetPasswordRoute
 }

 declare module '@tanstack/react-router' {
  interface FileRoutesByPath {
+    '/reset-password': {
+      id: '/reset-password'
+      path: '/reset-password'
+      fullPath: '/reset-password'
+      preLoaderRoute: typeof ResetPasswordRouteImport
+      parentRoute: typeof rootRouteImport
+    }
    '/pos': {
      id: '/pos'
      path: '/pos'
@@ -1112,6 +1132,7 @@ const rootRouteChildren: RootRouteChildren = {
  AuthenticatedRoute: AuthenticatedRouteWithChildren,
  LoginRoute: LoginRoute,
  PosRoute: PosRoute,
+  ResetPasswordRoute: ResetPasswordRoute,
 }
 export const routeTree = rootRouteImport
  ._addFileChildren(rootRouteChildren)
--- a/packages/admin/src/routes/login.tsx
+++ b/packages/admin/src/routes/login.tsx
@@ -1,7 +1,7 @@
 import { useState, useEffect } from 'react'
 import { createFileRoute, useRouter, redirect } from '@tanstack/react-router'
 import { useAuthStore } from '@/stores/auth.store'
-import { login } from '@/api/auth'
+import { login, forgotPassword } from '@/api/auth'

 interface Branding {
  name: string | null
@@ -26,6 +26,8 @@ function LoginPage() {
  const [error, setError] = useState('')
  const [loading, setLoading] = useState(false)
  const [branding, setBranding] = useState<Branding | null>(null)
+  const [forgotMode, setForgotMode] = useState(false)
+  const [forgotSent, setForgotSent] = useState(false)

  useEffect(() => {
    fetch('/v1/store/branding')
@@ -72,42 +74,117 @@ function LoginPage() {
            <p className="text-sm mt-1" style={{ color: '#6b7a8d' }}>Small Business Management</p>
          )}
        </div>
-        <form onSubmit={handleSubmit} className="space-y-4">
-          <div className="space-y-2">
-            <label className="text-sm font-medium" style={{ color: '#b0bec5' }}>Email</label>
-            <input
-              type="email"
-              placeholder="you@example.com"
-              value={email}
-              onChange={(e) => setEmail(e.target.value)}
-              required
-              className="h-9 w-full rounded-md border px-3 py-1 text-sm outline-none login-input"
-            />
-          </div>
-          <div className="space-y-2">
-            <label className="text-sm font-medium" style={{ color: '#b0bec5' }}>Password</label>
-            <input
-              type="password"
-              value={password}
-              onChange={(e) => setPassword(e.target.value)}
-              required
-              className="h-9 w-full rounded-md border px-3 py-1 text-sm outline-none login-input"
-            />
-          </div>
-          {error && (
-            <p className="text-sm" style={{ color: '#e57373' }}>{error}</p>
-          )}
-          <button
-            type="submit"
-            disabled={loading}
-            className="h-9 w-full rounded-md border text-sm font-medium transition-colors disabled:opacity-50"
-            style={{ backgroundColor: 'transparent', color: '#d0d8e0', borderColor: '#3a4a62' }}
-            onMouseEnter={(e) => { (e.target as HTMLElement).style.backgroundColor = '#1e2d45' }}
-            onMouseLeave={(e) => { (e.target as HTMLElement).style.backgroundColor = 'transparent' }}
-          >
-            {loading ? 'Signing in...' : 'Sign in'}
-          </button>
-        </form>
+        {forgotMode ? (
+          forgotSent ? (
+            <div className="text-center space-y-4">
+              <p className="text-sm" style={{ color: '#b0bec5' }}>If an account exists with that email, you will receive a password reset link.</p>
+              <button
+                onClick={() => { setForgotMode(false); setForgotSent(false); setError('') }}
+                className="text-xs"
+                style={{ color: '#6b7a8d' }}
+              >
+                Back to sign in
+              </button>
+            </div>
+          ) : (
+            <form onSubmit={async (e) => {
+              e.preventDefault()
+              setError('')
+              setLoading(true)
+              try {
+                await forgotPassword(email)
+                setForgotSent(true)
+              } catch (err) {
+                setError(err instanceof Error ? err.message : 'Something went wrong')
+              } finally {
+                setLoading(false)
+              }
+            }} className="space-y-4">
+              <p className="text-sm" style={{ color: '#b0bec5' }}>Enter your email and we'll send you a reset link.</p>
+              <div className="space-y-2">
+                <label className="text-sm font-medium" style={{ color: '#b0bec5' }}>Email</label>
+                <input
+                  type="email"
+                  placeholder="you@example.com"
+                  value={email}
+                  onChange={(e) => setEmail(e.target.value)}
+                  required
+                  className="h-9 w-full rounded-md border px-3 py-1 text-sm outline-none login-input"
+                />
+              </div>
+              {error && (
+                <p className="text-sm" style={{ color: '#e57373' }}>{error}</p>
+              )}
+              <button
+                type="submit"
+                disabled={loading}
+                className="h-9 w-full rounded-md border text-sm font-medium transition-colors disabled:opacity-50"
+                style={{ backgroundColor: 'transparent', color: '#d0d8e0', borderColor: '#3a4a62' }}
+                onMouseEnter={(e) => { (e.target as HTMLElement).style.backgroundColor = '#1e2d45' }}
+                onMouseLeave={(e) => { (e.target as HTMLElement).style.backgroundColor = 'transparent' }}
+              >
+                {loading ? 'Sending...' : 'Send reset link'}
+              </button>
+              <div className="text-center">
+                <button
+                  type="button"
+                  onClick={() => { setForgotMode(false); setError('') }}
+                  className="text-xs"
+                  style={{ color: '#6b7a8d' }}
+                >
+                  Back to sign in
+                </button>
+              </div>
+            </form>
+          )
+        ) : (
+          <form onSubmit={handleSubmit} className="space-y-4">
+            <div className="space-y-2">
+              <label className="text-sm font-medium" style={{ color: '#b0bec5' }}>Email</label>
+              <input
+                type="email"
+                placeholder="you@example.com"
+                value={email}
+                onChange={(e) => setEmail(e.target.value)}
+                required
+                className="h-9 w-full rounded-md border px-3 py-1 text-sm outline-none login-input"
+              />
+            </div>
+            <div className="space-y-2">
+              <label className="text-sm font-medium" style={{ color: '#b0bec5' }}>Password</label>
+              <input
+                type="password"
+                value={password}
+                onChange={(e) => setPassword(e.target.value)}
+                required
+                className="h-9 w-full rounded-md border px-3 py-1 text-sm outline-none login-input"
+              />
+            </div>
+            {error && (
+              <p className="text-sm" style={{ color: '#e57373' }}>{error}</p>
+            )}
+            <button
+              type="submit"
+              disabled={loading}
+              className="h-9 w-full rounded-md border text-sm font-medium transition-colors disabled:opacity-50"
+              style={{ backgroundColor: 'transparent', color: '#d0d8e0', borderColor: '#3a4a62' }}
+              onMouseEnter={(e) => { (e.target as HTMLElement).style.backgroundColor = '#1e2d45' }}
+              onMouseLeave={(e) => { (e.target as HTMLElement).style.backgroundColor = 'transparent' }}
+            >
+              {loading ? 'Signing in...' : 'Sign in'}
+            </button>
+            <div className="text-center">
+              <button
+                type="button"
+                onClick={() => { setForgotMode(true); setError('') }}
+                className="text-xs"
+                style={{ color: '#6b7a8d' }}
+              >
+                Forgot password?
+              </button>
+            </div>
+          </form>
+        )}
      </div>
    </div>
  )
--- a/packages/admin/src/routes/reset-password.tsx
+++ b/packages/admin/src/routes/reset-password.tsx
@@ -0,0 +1,154 @@
+import { useState, useEffect } from 'react'
+import { createFileRoute, Link } from '@tanstack/react-router'
+import { resetPassword } from '@/api/auth'
+
+interface Branding {
+  name: string | null
+  hasLogo: boolean
+}
+
+export const Route = createFileRoute('/reset-password')({
+  component: ResetPasswordPage,
+})
+
+function ResetPasswordPage() {
+  const { token } = Route.useSearch() as { token?: string }
+  const [password, setPassword] = useState('')
+  const [confirmPassword, setConfirmPassword] = useState('')
+  const [error, setError] = useState('')
+  const [loading, setLoading] = useState(false)
+  const [success, setSuccess] = useState(false)
+  const [branding, setBranding] = useState<Branding | null>(null)
+
+  useEffect(() => {
+    fetch('/v1/store/branding')
+      .then((r) => r.ok ? r.json() : null)
+      .then((data) => { if (data) setBranding(data) })
+      .catch(() => {})
+  }, [])
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault()
+    setError('')
+
+    if (!token) {
+      setError('Missing reset token. Please use the link from your email.')
+      return
+    }
+
+    if (password !== confirmPassword) {
+      setError('Passwords do not match')
+      return
+    }
+
+    if (password.length < 12) {
+      setError('Password must be at least 12 characters')
+      return
+    }
+
+    setLoading(true)
+    try {
+      await resetPassword(token, password)
+      setSuccess(true)
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Reset failed. The link may have expired.')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <div
+      className="flex min-h-screen items-center justify-center"
+      style={{ background: 'linear-gradient(135deg, #0f1724 0%, #142038 100%)' }}
+    >
+      <div
+        className="w-full max-w-sm rounded-xl border p-8 shadow-2xl"
+        style={{ backgroundColor: '#131c2e', borderColor: '#1e2d45' }}
+      >
+        <div className="text-center mb-8">
+          {branding?.hasLogo ? (
+            <img src="/v1/store/logo" alt={branding.name ?? 'Store'} className="max-h-14 max-w-[220px] object-contain mx-auto" />
+          ) : (
+            <h1 className="text-3xl font-bold" style={{ color: '#d8dfe9' }}>{branding?.name ?? 'LunarFront'}</h1>
+          )}
+          {branding?.name ? (
+            <p className="text-[10px] mt-2" style={{ color: '#4a5568' }}>Powered by <span style={{ color: '#6b7a8d' }}>LunarFront</span></p>
+          ) : (
+            <p className="text-sm mt-1" style={{ color: '#6b7a8d' }}>Small Business Management</p>
+          )}
+        </div>
+
+        {success ? (
+          <div className="text-center space-y-4">
+            <p style={{ color: '#81c784' }}>Password reset successfully.</p>
+            <Link
+              to="/login"
+              className="inline-block h-9 rounded-md border px-4 py-2 text-sm font-medium transition-colors"
+              style={{ color: '#d0d8e0', borderColor: '#3a4a62' }}
+            >
+              Sign in
+            </Link>
+          </div>
+        ) : !token ? (
+          <div className="text-center space-y-4">
+            <p style={{ color: '#e57373' }}>Invalid reset link. Please request a new one.</p>
+            <Link
+              to="/login"
+              className="inline-block h-9 rounded-md border px-4 py-2 text-sm font-medium transition-colors"
+              style={{ color: '#d0d8e0', borderColor: '#3a4a62' }}
+            >
+              Back to sign in
+            </Link>
+          </div>
+        ) : (
+          <>
+            <h2 className="text-lg font-semibold text-center mb-4" style={{ color: '#d8dfe9' }}>Set new password</h2>
+            <form onSubmit={handleSubmit} className="space-y-4">
+              <div className="space-y-2">
+                <label className="text-sm font-medium" style={{ color: '#b0bec5' }}>New password</label>
+                <input
+                  type="password"
+                  value={password}
+                  onChange={(e) => setPassword(e.target.value)}
+                  required
+                  minLength={12}
+                  placeholder="At least 12 characters"
+                  className="h-9 w-full rounded-md border px-3 py-1 text-sm outline-none login-input"
+                />
+              </div>
+              <div className="space-y-2">
+                <label className="text-sm font-medium" style={{ color: '#b0bec5' }}>Confirm password</label>
+                <input
+                  type="password"
+                  value={confirmPassword}
+                  onChange={(e) => setConfirmPassword(e.target.value)}
+                  required
+                  className="h-9 w-full rounded-md border px-3 py-1 text-sm outline-none login-input"
+                />
+              </div>
+              {error && (
+                <p className="text-sm" style={{ color: '#e57373' }}>{error}</p>
+              )}
+              <button
+                type="submit"
+                disabled={loading}
+                className="h-9 w-full rounded-md border text-sm font-medium transition-colors disabled:opacity-50"
+                style={{ backgroundColor: 'transparent', color: '#d0d8e0', borderColor: '#3a4a62' }}
+                onMouseEnter={(e) => { (e.target as HTMLElement).style.backgroundColor = '#1e2d45' }}
+                onMouseLeave={(e) => { (e.target as HTMLElement).style.backgroundColor = 'transparent' }}
+              >
+                {loading ? 'Resetting...' : 'Reset password'}
+              </button>
+              <div className="text-center">
+                <Link to="/login" className="text-xs" style={{ color: '#6b7a8d' }}>
+                  Back to sign in
+                </Link>
+              </div>
+            </form>
+          </>
+        )}
+      </div>
+    </div>
+  )
+}