feat: password-reset rate limiting, ARIA labels, form label associations, keyboard navigation#830
Open
jasmine874 wants to merge 1 commit into
… keyboard nav

- Issue 735: Add POST /auth/password-reset with per-IP (10/hr) and per-email (3/hr) rate limiting, 200ms minimum delay to prevent timing enumeration, token invalidation and 15-min TTL, identical response for registered/unregistered emails. Adds /auth/password-reset/confirm endpoint.
- Issue 736: Add aria-label to icon-only ✕ remove-contact button in AddressBook.
- Issue 737: Fix FormField to auto-associate <label htmlFor> with child input using useId + cloneElement; add explicit id/aria-label to all unlabeled inputs in AdvancedSearch, AddressBook, and AccountDashboardPage.
- Issue 738: Implement ARIA combobox keyboard navigation in SearchableSelect — ArrowDown/Up/Home/End/Enter/Escape/Tab, aria-expanded, aria-controls, aria-activedescendant, role=listbox/option, visual highlight tracking.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jasmine874 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Summary

- `POST /auth/password-reset` with per-IP (10 req/hr) and per-email (3 req/hr) rate limits, a 200ms minimum response delay to prevent timing-based enumeration, previous-token invalidation, 15-min token TTL, and an identical response body regardless of whether the email is registered. Also adds `/auth/password-reset/confirm` to complete the flow.
- `aria-label` to the icon-only ✕ remove-contact button in `AddressBook.jsx`. Confirmed all other icon-only buttons (QR close, copy, notification bell, settings gear) already carried labels.
- `FormField.jsx` to use React `useId` + `cloneElement` to automatically inject `id` into child inputs and wire `htmlFor` on the wrapping `<label>`, fixing label associations for every `FormField` usage (KYCForm, NotificationPreferences, etc.). Also added explicit `id`/`aria-label` to all unlabeled inputs in `AdvancedSearch`, `AddressBook`, and the account-label edit field in `AccountDashboardPage`.
- `SearchableSelect.jsx` with the ARIA combobox pattern: `role="combobox"`, `aria-expanded`, `aria-controls`, `aria-activedescendant`, `role="listbox"`, `role="option"`. Keyboard support: `ArrowDown`/`ArrowUp` to move highlight, `Home`/`End` for first/last, `Enter` to select, `Escape` to dismiss, `Tab` to close. Visual highlight tracks active index.

Test plan

- `POST /auth/password-reset` with the same email 4+ times within an hour returns 429 after the 3rd call, but the response body matches the success body
- `FormField`-wrapped inputs are announced with their label in a screen reader or axe audit
- `SearchableSelect` can be fully operated with keyboard alone (open → navigate → select → close)
- `AddressBook` remove buttons announce "Remove [name]" to a screen reader

🤖 Generated with Claude Code
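The password-reset design from the summary (two sliding-window limits, a 200 ms response floor, one live token per account with a 15-minute TTL, and a single response body for every branch) as an added, self-contained model; this is illustration code, not the PR's implementation. The storage is in-memory, the clock and sleep are injectable, and the mail and password-update hooks are assumed and left as comments.

```python
import hmac, secrets, time
from collections import defaultdict, deque

IP_LIMIT, EMAIL_LIMIT, WINDOW = 10, 3, 3600   # 10 req/hr per IP, 3 req/hr per email
TOKEN_TTL = 15 * 60                           # 15-minute reset-token lifetime
MIN_DELAY = 0.200                             # 200 ms floor on every response
# Constructed wording; what matters is that every branch returns this same body.
GENERIC_BODY = {"message": "If that address is registered, a reset link has been sent."}


class PasswordResetService:
    def __init__(self, registered_emails, now=time.monotonic, sleep=time.sleep):
        self.registered = set(registered_emails)
        self.now, self.sleep = now, sleep   # injectable so tests run offline and instantly
        self.hits = defaultdict(deque)      # limiter key -> request timestamps in the window
        self.tokens = {}                    # email -> (token, expires_at): one live token per account

    def _over_limit(self, key, limit):
        q, t = self.hits[key], self.now()
        while q and q[0] <= t - WINDOW:     # evict timestamps older than one hour
            q.popleft()
        q.append(t)                         # rejected requests still count toward the window
        return len(q) > limit

    def request_reset(self, ip, email):
        """POST /auth/password-reset -> (status, body); the body never varies."""
        start = self.now()
        email = email.strip().lower()
        limited = self._over_limit(("ip", ip), IP_LIMIT)
        limited = self._over_limit(("email", email), EMAIL_LIMIT) or limited  # always count both
        if not limited and email in self.registered:
            token = secrets.token_urlsafe(32)
            self.tokens[email] = (token, self.now() + TOKEN_TTL)  # replaces any older token
            # send_reset_email(email, token) would go here (assumed mail hook, not shown)
        # Pad the response so the extra work done for a registered address is not measurable.
        remaining = MIN_DELAY - (self.now() - start)
        if remaining > 0:
            self.sleep(remaining)
        return (429 if limited else 200), dict(GENERIC_BODY)

    def confirm_reset(self, email, token, new_password):
        """POST /auth/password-reset/confirm (assumed shape: email, token, new password)."""
        key = email.strip().lower()
        stored, expires_at = self.tokens.get(key, (None, 0))
        if stored is None or self.now() > expires_at or not hmac.compare_digest(stored.encode(), token.encode()):
            return False
        del self.tokens[key]                # single use: a used token cannot be replayed
        # set_password(key, new_password) would go here (assumed hook, not shown)
        return True
```

Because a rejected request is still appended to the window, a caller cannot reset its own limit by hammering the endpoint; the 429 carries the same body as the 200, so neither status nor body reveals whether the address exists.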