add resetting password flow

Author: ItsEricSun

apps/backend/src/auth/auth.controller.spec.ts

@@ -13,6 +13,7 @@ describe('AuthController', () => {
 
   const mockUsersService = {
     create: jest.fn(),
+    find: jest.fn(),
   };
 
   beforeEach(async () => {
@@ -36,4 +37,12 @@ describe('AuthController', () => {
   it('should be defined', () => {
     expect(controller).toBeDefined();
   });
+
+  it('rejects forgot password for unregistered email', async () => {
+    mockUsersService.find.mockResolvedValue([]);
+
+    await expect(
+      controller.forgotPassword({ email: 'random@example.com' } as any),
+    ).rejects.toThrow('Account is not registered.');
+  });
 });

apps/backend/src/auth/auth.controller.ts

@@ -131,8 +131,19 @@ export class AuthController {
   }
 
   @Post('/forgotPassword')
-  forgotPassword(@Body() body: ForgotPasswordDto): Promise<void> {
-    return this.authService.forgotPassword(body.email);
+  async forgotPassword(@Body() body: ForgotPasswordDto): Promise<void> {
+    const registeredUsers = await this.usersService.find(body.email);
+
+    if (!registeredUsers.length) {
+      throw new BadRequestException('Account is not registered.');
+    }
+
+    try {
+      await this.authService.forgotPassword(body.email);
+    } catch (e) {
+      console.error('Forgot password error:', e);
+      throw new BadRequestException(e.message);
+    }
   }
 
   @Post('/confirmPassword')

apps/frontend/src/api/apiClient.ts

@@ -29,6 +29,11 @@ export type AuthResponse = {
   idToken: string;
 };
 export type RefreshRequest = { refreshToken: string; userSub: string };
+export type ConfirmPasswordRequest = {
+  email: string;
+  confirmationCode: string;
+  newPassword: string;
+};
 
 type ApiError = { error?: string; message?: string };
 
@@ -81,6 +86,22 @@ export class ApiClient {
     }
   }
 
+  public async forgotPassword(email: string): Promise<void> {
+    try {
+      await this.axiosInstance.post('/api/auth/forgotPassword', { email });
+    } catch (err: unknown) {
+      this.handleAxiosError(err, 'Failed to send password reset email');
+    }
+  }
+
+  public async confirmPassword(body: ConfirmPasswordRequest): Promise<void> {
+    try {
+      await this.axiosInstance.post('/api/auth/confirmPassword', body);
+    } catch (err: unknown) {
+      this.handleAxiosError(err, 'Failed to reset password');
+    }
+  }
+
   private handleAxiosError(err: unknown, defaultMsg: string): never {
     if (axios.isAxiosError<ApiError>(err)) {
       const data = err.response?.data;

apps/frontend/src/app.tsx

@@ -11,7 +11,7 @@ import { AuthProvider } from '@components/AuthProvider';
 import { ProtectedRoute } from '@components/ProtectedRoute';
 import { AdminRoute } from '@components/AdminRoute';
 import { LoginPage } from '@containers/auth/LoginPage';
-import { ConfirmSentEmailPage } from '@containers/auth/ConfirmSentEmailPage';
+import { ResetPasswordPage } from '@containers/auth/ResetPasswordPage';
 import { ConfirmRegisteredPage } from '@containers/auth/ConfirmRegisteredPage';
 import { DashboardPage } from '@containers/dashboard/DashboardPage';
 import { DonorStatsChart } from '@components/DonorStatsChart';
@@ -27,8 +27,8 @@ const router = createBrowserRouter([
     element: <LoginPage />,
   },
   {
-    path: '/confirm-sent-email',
-    element: <ConfirmSentEmailPage />,
+    path: '/reset-password',
+    element: <ResetPasswordPage />,
   },
   {
     path: '/confirm-registered',

apps/frontend/src/containers/auth/LoginPage.tsx

@@ -14,6 +14,7 @@ import {
 } from '@components/ui/input-group';
 import { EyeIcon, EyeOffIcon } from 'lucide-react';
 import { PasswordCriterion } from './PasswordCriterion';
+import apiClient from '@api/apiClient';
 
 enum AuthPage {
   Login,
@@ -30,6 +31,7 @@ export const LoginPage: React.FC = () => {
   const [showConfirmPassword, setShowConfirmPassword] = useState(false);
 
   const [error, setError] = useState('');
+  const [success, setSuccess] = useState('');
   const [isLoading, setIsLoading] = useState(false);
   const [authPage, setAuthPage] = useState<AuthPage>(AuthPage.Login);
 
@@ -39,9 +41,16 @@ export const LoginPage: React.FC = () => {
 
   const locationState = location.state as {
     from?: { pathname: string };
+    message?: string;
   } | null;
   const from = locationState?.from?.pathname || '/dashboard';
 
+  React.useEffect(() => {
+    if (locationState?.message) {
+      setSuccess(locationState.message);
+    }
+  }, [locationState?.message]);
+
   const hasMinLength = password.length >= 8;
   const hasUppercase = /[A-Z]/.test(password);
   const hasLowercase = /[a-z]/.test(password);
@@ -62,7 +71,8 @@ export const LoginPage: React.FC = () => {
   const showAuthFieldError =
     authPage === AuthPage.Login &&
     !!error &&
-    error !== 'Account created successfully! Please sign in.';
+    error !== 'Account created successfully! Please sign in.' &&
+    !success;
 
   const headerText = (() => {
     switch (authPage) {
@@ -103,7 +113,8 @@ export const LoginPage: React.FC = () => {
         navigate('/confirm-registered', { replace: true });
         setError('Account created successfully! Please sign in.');
       } else if (authPage === AuthPage.ForgotPassword) {
-        navigate('/confirm-sent-email', { replace: true });
+        await apiClient.forgotPassword(email);
+        navigate('/reset-password', { replace: true, state: { email } });
       }
     } catch (err: unknown) {
       if (err instanceof Error) {
@@ -152,6 +163,12 @@ export const LoginPage: React.FC = () => {
             className="flex flex-col gap-4 mt-10"
             noValidate
           >
+            {success && (
+              <p className="text-sm text-[#12BA82] font-medium" role="status">
+                {success}
+              </p>
+            )}
+
             {authPage === AuthPage.Signup && (
               <div>
                 <Label
@@ -198,6 +215,12 @@ export const LoginPage: React.FC = () => {
               </span>
             </div>
 
+            {authPage === AuthPage.ForgotPassword && error && (
+              <p className="-mt-2 text-sm text-[#B4444D]" role="alert">
+                {error}
+              </p>
+            )}
+
             {authPage !== AuthPage.ForgotPassword && (
               <div>
                 <Label

apps/frontend/src/containers/auth/ResetPasswordForm.tsx

@@ -0,0 +1,177 @@
+import React, { useState } from 'react';
+import { Input } from '@components/ui/input';
+import { Label } from '@components/ui/label';
+import { Button } from '@components/ui/button';
+import {
+  InputGroup,
+  InputGroupAddon,
+  InputGroupInput,
+} from '@components/ui/input-group';
+import { EyeIcon, EyeOffIcon } from 'lucide-react';
+import { PasswordCriterion } from './PasswordCriterion';
+import apiClient from '@api/apiClient';
+
+interface ResetPasswordFormProps {
+  email: string;
+  onSuccess?: () => void;
+}
+
+export const ResetPasswordForm: React.FC<ResetPasswordFormProps> = ({
+  email,
+  onSuccess,
+}) => {
+  const [confirmationCode, setConfirmationCode] = useState('');
+  const [newPassword, setNewPassword] = useState('');
+  const [confirmPassword, setConfirmPassword] = useState('');
+  const [showPassword, setShowPassword] = useState(false);
+  const [showConfirmPassword, setShowConfirmPassword] = useState(false);
+  const [error, setError] = useState('');
+  const [isLoading, setIsLoading] = useState(false);
+
+  const hasMinLength = newPassword.length >= 8;
+  const hasUppercase = /[A-Z]/.test(newPassword);
+  const hasLowercase = /[a-z]/.test(newPassword);
+  const hasNumber = /\d/.test(newPassword);
+  const hasSpecialChar = /[^A-Za-z0-9]/.test(newPassword);
+  const passwordsMatch =
+    newPassword.length > 0 &&
+    confirmPassword.length > 0 &&
+    newPassword === confirmPassword;
+  const allCriteriaMet =
+    hasMinLength &&
+    hasUppercase &&
+    hasLowercase &&
+    hasNumber &&
+    hasSpecialChar &&
+    passwordsMatch;
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setError('');
+    setIsLoading(true);
+
+    try {
+      await apiClient.confirmPassword({
+        email,
+        confirmationCode,
+        newPassword,
+      });
+      onSuccess?.();
+    } catch (err: unknown) {
+      if (err instanceof Error) {
+        setError(err.message);
+      } else {
+        setError('Failed to reset password');
+      }
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  return (
+    <form onSubmit={handleSubmit} className="flex flex-col gap-4" noValidate>
+      <div>
+        <Label
+          htmlFor="confirmation-code"
+          className="font-semibold mb-1 text-[#404040]"
+        >
+          Confirmation Code
+        </Label>
+        <Input
+          id="confirmation-code"
+          type="text"
+          placeholder="Enter code from email"
+          required
+          value={confirmationCode}
+          onChange={(e) => setConfirmationCode(e.target.value)}
+          className={`w-full py-5 focus:ring-[2.5px] focus:ring-[#007B64] ${
+            error ? 'ring-[2.5px] ring-[#B4444D] bg-[#FFFAFA]' : ''
+          }`}
+        />
+      </div>
+
+      <div>
+        <Label
+          htmlFor="new-password"
+          className="font-semibold mb-1 text-[#404040]"
+        >
+          New Password
+        </Label>
+        <InputGroup
+          className={`w-full focus-within:border-[#007B64] focus-within:ring-[2.5px] focus-within:ring-[#007B64] py-5 ${
+            error ? 'border-[#B4444D] ring-[2px] ring-[#B4444D]' : ''
+          }`}
+        >
+          <InputGroupInput
+            id="new-password"
+            type={showPassword ? 'text' : 'password'}
+            value={newPassword}
+            onChange={(e) => setNewPassword(e.target.value)}
+            placeholder="Password"
+            className={`focus:ring-[#007B64] ${error ? 'bg-[#FFFAFA]' : ''}`}
+          />
+          <InputGroupAddon
+            align="inline-end"
+            className="hover:cursor-pointer"
+            onClick={() => setShowPassword(!showPassword)}
+          >
+            {showPassword ? <EyeIcon /> : <EyeOffIcon />}
+          </InputGroupAddon>
+        </InputGroup>
+      </div>
+
+      <div>
+        <Label
+          htmlFor="confirm-password"
+          className="font-semibold mb-1 text-[#404040]"
+        >
+          Confirm Password
+        </Label>
+        <InputGroup className="w-full focus-within:border-[#007B64] focus-within:ring-[2.5px] focus-within:ring-[#007B64] py-5">
+          <InputGroupInput
+            id="confirm-password"
+            type={showConfirmPassword ? 'text' : 'password'}
+            value={confirmPassword}
+            onChange={(e) => setConfirmPassword(e.target.value)}
+            placeholder="Re-enter Password"
+            className="focus:ring-[#007B64]"
+          />
+          <InputGroupAddon
+            align="inline-end"
+            className="hover:cursor-pointer"
+            onClick={() => setShowConfirmPassword(!showConfirmPassword)}
+          >
+            {showConfirmPassword ? <EyeIcon /> : <EyeOffIcon />}
+          </InputGroupAddon>
+        </InputGroup>
+      </div>
+
+      <div className="flex gap-1 flex-wrap w-full">
+        <PasswordCriterion name="8+ characters" criterionMet={hasMinLength} />
+        <PasswordCriterion name="Uppercase" criterionMet={hasUppercase} />
+        <PasswordCriterion name="Lowercase" criterionMet={hasLowercase} />
+        <PasswordCriterion
+          name="Special character"
+          criterionMet={hasSpecialChar}
+        />
+        <PasswordCriterion name="Number" criterionMet={hasNumber} />
+        <PasswordCriterion name="Matching" criterionMet={passwordsMatch} />
+      </div>
+
+      {error && <p className="text-sm text-[#B4444D]">{error}</p>}
+
+      <Button
+        id="reset-password-submit-btn"
+        type="submit"
+        disabled={!confirmationCode || !allCriteriaMet || isLoading}
+        className={`py-5 h-14 rounded-full font-semibold text-xl text-white ${
+          !confirmationCode || !allCriteriaMet || isLoading
+            ? 'bg-[#737373] cursor-not-allowed'
+            : 'bg-[#007B64]'
+        }`}
+      >
+        {isLoading ? '...' : 'Reset Password'}
+      </Button>
+    </form>
+  );
+};