Feat: Add authentication methods #83
…gotPassword,ResetPassword)
…_at for password reset functionality
Pull request overview
Implements a full “forgot password” + “reset password” flow across the Go API (token persistence, endpoints, email queuing) and the React UI (request/reset pages + login entry point), plus a small navigation UI tweak.
Changes:
- Add password reset token model/store + DB migration, and expose /auth/forgot-password/ + /auth/reset-password/ endpoints.
- Add UI pages and client service methods for requesting and completing password resets; update login page UX and routing.
- Add Vite dev proxy for /api and /auth, and replace a nav chevron with a slash divider.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| ui/vite.config.ts | Add dev server proxy to forward /api and /auth to the Go server. |
| ui/src/services/authService.ts | Add client methods for forgot/reset password endpoints. |
| ui/src/routes/index.tsx | Register routes for forgot/reset password pages. |
| ui/src/pages/ForgotPasswordPage.tsx | New “request reset link” form with resend cooldown. |
| ui/src/pages/ResetPasswordPage.tsx | New “set new password” form with strength checks. |
| ui/src/pages/LoginPage.tsx | Add forgot-password link + combined sign-in/sign-up UI. |
| ui/src/components/layout/PageHeader.tsx | Replace chevron component with a slash divider. |
| ui/src/components/layout/ModuleDetailHeader.tsx | Replace chevron component with slash dividers. |
| ui/src/api/types.ts | Add request types for forgot/reset password calls. |
| api/migrations/000002_password_reset_tokens.up.sql | Create password_reset_tokens table + indexes. |
| api/migrations/000002_password_reset_tokens.down.sql | Drop password_reset_tokens table. |
| api/internal/store/password_reset_token.go | Token generation, lookup, and single-use marking. |
| api/internal/router/router.go | Wire token store + queue/base URL into AuthHandler; add new routes. |
| api/internal/model/password_reset_token.go | New Gorm model for password reset tokens. |
| api/internal/handler/auth.go | Implement /auth/forgot-password/ and /auth/reset-password/ handlers + email enqueue. |
| api/internal/auth/service.go | Add ForgotPassword/ResetPassword service methods and reset token store injection. |
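
The token handling this overview lists (generation, lookup, single use), as an added example that is not the project's code from api/internal/store/password_reset_token.go. The names TokenStore, Issue and Consume, the in-memory sync.Map and the row fields are assumptions, and deleting the entry stands in for marking a row as used.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sync"
	"time"
)

// resetRow holds the assumed columns of a password_reset_tokens row.
type resetRow struct {
	userID    string
	expiresAt time.Time
}

// TokenStore is a hypothetical in-memory stand-in for the table, keyed by
// SHA-256(token) so that a leaked table contains no usable reset links.
type TokenStore struct{ rows sync.Map }

// Issue returns the raw token for the e-mailed link; only its hash is kept.
func (s *TokenStore) Issue(userID string, ttl time.Duration, now time.Time) (string, error) {
	buf := make([]byte, 32) // 256 bits from the OS CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	raw := base64.RawURLEncoding.EncodeToString(buf)
	s.rows.Store(sha256.Sum256([]byte(raw)), resetRow{userID: userID, expiresAt: now.Add(ttl)})
	return raw, nil
}

// Consume removes the entry atomically before checking it, so two concurrent
// requests cannot both redeem one token. Unknown, already used and expired
// tokens all fail the same way, which gives the caller nothing to probe.
func (s *TokenStore) Consume(raw string, now time.Time) (userID string, ok bool) {
	v, found := s.rows.LoadAndDelete(sha256.Sum256([]byte(raw)))
	if !found || !now.Before(v.(resetRow).expiresAt) {
		return "", false
	}
	return v.(resetRow).userID, true
}

func main() {
	s := &TokenStore{}
	tok, _ := s.Issue("user-1", 30*time.Minute, time.Now())
	fmt.Println(s.Consume(tok, time.Now()))
}
```

A database-backed store gets the same single-use guarantee by making the check and the mark one conditional statement and inspecting the affected-row count.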
martian56 left a comment:
When email settings are not set, the worker gets stuck in an infinite loop.
…aner/devlane into forgot-password-in-login
Pull request overview
Copilot reviewed 65 out of 66 changed files in this pull request and generated 4 comments.
…t-password-in-login
@BugBot run
…orks behind proxies if API_PUBLIC_URL is set in prod)
…ed_at/refresh_token_expired_at
Pull request overview
Copilot reviewed 64 out of 65 changed files in this pull request and generated 1 comment.
- the browser would not attach oauth_state on the top-level GET from the IdP back to your callback
- Lax still sends the cookie on that kind of redirect, while avoiding sending it on cross-site subrequests
Pull request overview
Copilot reviewed 64 out of 65 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (2)
ui/src/components/RootRedirect.tsx:51
- If either workspaceService.list() or authService.getAuthConfig() rejects, the catch only sets setupRequired=false, leaving firstSlug=null and noWorkspaces=false. That causes an indefinite loading state (PageFallback) instead of a deterministic redirect/message. Consider using Promise.allSettled (or separate try/catch) and ensure you set either firstSlug or noWorkspaces in failure cases (e.g., treat auth config failure as wsCreationDisabled=true/false default, or fall back to listing workspaces only).
ui/src/contexts/AuthContext.tsx:84
- AuthProvider sets a global Axios Authorization header from the OAuth URL fragment, but logout() does not clear that header. If /auth/sign-out/ fails (network/error), the UI will mark the user logged out while subsequent requests may still authenticate via the Bearer session key. Clear apiClient.defaults.headers.common.Authorization in logout (and possibly also when signOut succeeds) to avoid stale auth state.
…s error when isnt configured
Pull request overview
Copilot reviewed 64 out of 65 changed files in this pull request and generated 2 comments.
…ndant index removed
Pull request overview
Copilot reviewed 64 out of 65 changed files in this pull request and generated 1 comment.



closes #82
This pull request introduces major improvements to the authentication service, focusing on enhanced passwordless (magic code) and password reset flows, as well as increased test coverage and developer experience improvements. Key changes include the addition of robust "magic code" authentication utilities, a comprehensive password reset implementation, and extensive unit tests for all major authentication flows. There are also updates to environment configuration and developer tooling.
Authentication and Magic Code Enhancements
- magic_code.go with utilities for normalizing codes and generating HMACs for secure, deterministic magic code authentication, plus corresponding unit tests in magic_code_test.go.
- service.go for magic code-based sign-up and login (SignUpMagic, SessionForEmailUser), and improved error handling for timing-safe responses.
Password Reset and Email Verification
- ForgotPassword and ResetPassword methods, including secure token generation, validation, and invalidation, as well as an EmailCheck method to verify registration status.
Test Coverage
- service_test.go with comprehensive unit tests for sign-up/sign-in, email checking, password reset, and magic code flows, using an in-memory SQLite database for isolation.
Configuration and Developer Experience
- .env.example with new variables and clearer documentation for magic code secrets, API public URLs, and improved default values.
- .github/workflows/ui-ci.yml) to install root dependencies and verify Husky setup for better pre-commit hook management.
Dependency and Codebase Updates
- go.mod for test support.
- main.go. AppBaseURL, MagicCodeSecret) to the API server.
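
The normalize-then-HMAC approach named in the description above, as an added example that is not the contents of the project's magic_code.go. The function names, the accepted code alphabet, and the choice to bind the e-mail address into the MAC are assumptions; the secret is a constructed stand-in for MagicCodeSecret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// NormalizeCode maps what a user types ("ab3-k9q ", "AB3 K9Q") to one
// canonical form, so formatting differences do not change the MAC.
func NormalizeCode(code string) string {
	return strings.Map(func(r rune) rune {
		switch {
		case r >= 'a' && r <= 'z':
			return r - 'a' + 'A'
		case (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9'):
			return r
		}
		return -1 // drop spaces, dashes and anything else
	}, code)
}

// CodeMAC is the value kept server-side instead of the code itself:
// HMAC-SHA256 under the server secret over the e-mail and normalized code.
// Being deterministic, it can be recomputed and compared at login time.
func CodeMAC(secret []byte, email, code string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	m.Write([]byte{0}) // separator: ("ab","c") and ("a","bc") must differ
	m.Write([]byte(NormalizeCode(code)))
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyCode recomputes the MAC and compares it in constant time.
func VerifyCode(secret []byte, email, code, storedMAC string) bool {
	return hmac.Equal([]byte(CodeMAC(secret, email, code)), []byte(storedMAC))
}

func main() {
	secret := []byte("constructed-demo-secret") // stands in for MagicCodeSecret
	mac := CodeMAC(secret, "Alice@Example.com", "AB3K9Q")
	fmt.Println(VerifyCode(secret, "alice@example.com", "ab3-k9q", mac)) // true
	fmt.Println(VerifyCode(secret, "alice@example.com", "ab3-k9r", mac)) // false
}
```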