Add auth email verification and reset JSON APIs

jwfing · jwfing · commit ffc85d9a1475 · 2026-03-28T12:58:04.000-07:00
diff --git a/insforge/auth/client.py b/insforge/auth/client.py
@@ -6,6 +6,9 @@
 from .._base_client import BaseClient
 from .._utils import quote_path_segment
 from ..exceptions import InsforgeAuthError
+from .models import AuthEmailActionResponse
+from .models import AuthEmailVerificationRequest
+from .models import AuthEmailVerifyRequest
 from .models import AdminSessionExchangeRequest
 from .models import AnonymousTokenResponse
 from .models import AuthConfigResponse
@@ -15,6 +18,9 @@
 from .models import AuthDeleteUsersResponse
 from .models import AuthSessionResponse
 from .models import AuthUserCreateRequest
+from .models import AuthResetPasswordExchangeRequest
+from .models import AuthResetPasswordExchangeResponse
+from .models import AuthResetPasswordRequest
 from .models import AuthUsersResponse
 from .models import CurrentProfileResponse
 from .models import LogoutResponse
@@ -47,6 +53,40 @@ async def sign_in_with_password(
         )
         return SignInResponse.model_validate(payload)
 
+    async def send_email_verification(
+        self,
+        *,
+        email: str,
+        redirect_to: str | None = None,
+    ) -> AuthEmailActionResponse:
+        payload = AuthEmailVerificationRequest(
+            email=email,
+            redirect_to=redirect_to,
+        ).model_dump(by_alias=True, exclude_none=True)
+        response = await self._client._request_json(
+            "POST",
+            "/api/auth/email/send-verification",
+            json=payload,
+            exception_cls=InsforgeAuthError,
+        )
+        return AuthEmailActionResponse.model_validate(response)
+
+    async def verify_email(
+        self,
+        *,
+        email: str,
+        otp: str,
+    ) -> AuthSessionResponse:
+        payload = AuthEmailVerifyRequest(email=email, otp=otp).model_dump(by_alias=True)
+        response = await self._client._request_json(
+            "POST",
+            "/api/auth/email/verify",
+            params=SERVER_CLIENT_TYPE_PARAMS,
+            json=payload,
+            exception_cls=InsforgeAuthError,
+        )
+        return AuthSessionResponse.model_validate(response)
+
     async def get_public_config(self) -> PublicAuthConfigResponse:
         payload = await self._client._request_json("GET", "/api/auth/public-config")
         return PublicAuthConfigResponse.model_validate(payload)
@@ -178,6 +218,57 @@ async def refresh(
         )
         return AuthSessionResponse.model_validate(payload)
 
+    async def send_reset_password_email(
+        self,
+        *,
+        email: str,
+        redirect_to: str | None = None,
+    ) -> AuthEmailActionResponse:
+        payload = AuthEmailVerificationRequest(
+            email=email,
+            redirect_to=redirect_to,
+        ).model_dump(by_alias=True, exclude_none=True)
+        response = await self._client._request_json(
+            "POST",
+            "/api/auth/email/send-reset-password",
+            json=payload,
+            exception_cls=InsforgeAuthError,
+        )
+        return AuthEmailActionResponse.model_validate(response)
+
+    async def exchange_reset_password_token(
+        self,
+        *,
+        email: str,
+        code: str,
+    ) -> AuthResetPasswordExchangeResponse:
+        payload = AuthResetPasswordExchangeRequest(email=email, code=code).model_dump(by_alias=True)
+        response = await self._client._request_json(
+            "POST",
+            "/api/auth/email/exchange-reset-password-token",
+            json=payload,
+            exception_cls=InsforgeAuthError,
+        )
+        return AuthResetPasswordExchangeResponse.model_validate(response)
+
+    async def reset_password(
+        self,
+        *,
+        new_password: str,
+        otp: str,
+    ) -> AuthEmailActionResponse:
+        payload = AuthResetPasswordRequest(new_password=new_password, otp=otp).model_dump(
+            by_alias=True,
+            exclude_none=True,
+        )
+        response = await self._client._request_json(
+            "POST",
+            "/api/auth/email/reset-password",
+            json=payload,
+            exception_cls=InsforgeAuthError,
+        )
+        return AuthEmailActionResponse.model_validate(response)
+
     async def logout(self) -> LogoutResponse:
         payload = await self._client._request_json("POST", "/api/auth/logout")
         return LogoutResponse.model_validate(payload)
diff --git a/insforge/auth/models.py b/insforge/auth/models.py
@@ -13,6 +13,48 @@ class SignInResponse(BaseModel):
     refresh_token: str = Field(alias="refreshToken")
 
 
+class AuthEmailActionResponse(BaseModel):
+    model_config = ConfigDict(extra="ignore", populate_by_name=True)
+
+    success: bool | None = None
+    message: str | None = None
+
+
+class AuthEmailVerificationRequest(BaseModel):
+    model_config = ConfigDict(extra="ignore", populate_by_name=True)
+
+    email: str
+    redirect_to: str | None = Field(default=None, alias="redirectTo")
+
+
+class AuthEmailVerifyRequest(BaseModel):
+    model_config = ConfigDict(extra="ignore", populate_by_name=True)
+
+    email: str
+    otp: str
+
+
+class AuthResetPasswordExchangeRequest(BaseModel):
+    model_config = ConfigDict(extra="ignore", populate_by_name=True)
+
+    email: str
+    code: str
+
+
+class AuthResetPasswordExchangeResponse(BaseModel):
+    model_config = ConfigDict(extra="ignore", populate_by_name=True)
+
+    token: str | None = None
+    expires_at: datetime | None = Field(default=None, alias="expiresAt")
+
+
+class AuthResetPasswordRequest(BaseModel):
+    model_config = ConfigDict(extra="ignore", populate_by_name=True)
+
+    new_password: str = Field(alias="newPassword")
+    otp: str
+
+
 class CurrentProfileResponse(BaseModel):
     model_config = ConfigDict(extra="ignore", populate_by_name=True)
 
diff --git a/tests/auth/test_auth_client.py b/tests/auth/test_auth_client.py
@@ -424,3 +424,119 @@ async def fake_request(method: str, url: httpx.URL, **kwargs: object) -> httpx.R
 
     assert exc_info.value.error == "UNAUTHORIZED"
     assert exc_info.value.message == "Invalid credentials"
+
+
+def test_email_verification_and_reset_password_json_endpoints_request_expected_payloads() -> None:
+    async def scenario() -> tuple[list[dict[str, object]], object, object, object, object, object]:
+        calls: list[dict[str, object]] = []
+
+        async def fake_request(method: str, url: httpx.URL, **kwargs: object) -> httpx.Response:
+            calls.append({"method": method, "url": str(url), "kwargs": kwargs})
+
+            if str(url).endswith("/api/auth/email/send-verification"):
+                return httpx.Response(202, json={"success": True, "message": "Verification email sent"})
+
+            if str(url).endswith("/api/auth/email/verify"):
+                return httpx.Response(
+                    200,
+                    json={
+                        "user": {
+                            "id": "u1",
+                            "email": "a@example.com",
+                            "profile": {"name": "Ada"},
+                            "emailVerified": True,
+                        },
+                        "accessToken": "access",
+                        "refreshToken": "refresh",
+                    },
+                )
+
+            if str(url).endswith("/api/auth/email/send-reset-password"):
+                return httpx.Response(202, json={"success": True, "message": "Reset email sent"})
+
+            if str(url).endswith("/api/auth/email/exchange-reset-password-token"):
+                return httpx.Response(200, json={"token": "reset-token", "expiresAt": "2026-03-28T12:34:56Z"})
+
+            return httpx.Response(200, json={"message": "Password reset successfully"})
+
+        async with InsforgeClient(
+            base_url="https://example.com",
+            api_key="ins_test",
+        ) as client:
+            client.http_client.request = fake_request  # type: ignore[method-assign]
+            send_verification = await client.auth.send_email_verification(
+                email="a@example.com",
+                redirect_to="https://app.example.com/sign-in",
+            )
+            verify = await client.auth.verify_email(
+                email="a@example.com",
+                otp="123456",
+            )
+            send_reset = await client.auth.send_reset_password_email(
+                email="a@example.com",
+                redirect_to="https://app.example.com/reset-password",
+            )
+            exchange = await client.auth.exchange_reset_password_token(
+                email="a@example.com",
+                code="123456",
+            )
+            reset = await client.auth.reset_password(
+                new_password="new-password",
+                otp="reset-token",
+            )
+
+            return calls, send_verification, verify, send_reset, exchange, reset
+
+    calls, send_verification, verify, send_reset, exchange, reset = asyncio.run(scenario())
+
+    assert calls[0]["method"] == "POST"
+    assert calls[0]["url"] == "https://example.com/api/auth/email/send-verification"
+    assert calls[0]["kwargs"]["json"] == {
+        "email": "a@example.com",
+        "redirectTo": "https://app.example.com/sign-in",
+    }
+    assert calls[0]["kwargs"]["headers"]["X-API-Key"] == "ins_test"
+    assert "Authorization" not in calls[0]["kwargs"]["headers"]
+
+    assert calls[1]["method"] == "POST"
+    assert calls[1]["url"] == "https://example.com/api/auth/email/verify"
+    assert calls[1]["kwargs"]["params"] == {"client_type": "server"}
+    assert calls[1]["kwargs"]["json"] == {"email": "a@example.com", "otp": "123456"}
+    assert calls[1]["kwargs"]["headers"]["X-API-Key"] == "ins_test"
+    assert "Authorization" not in calls[1]["kwargs"]["headers"]
+
+    assert calls[2]["method"] == "POST"
+    assert calls[2]["url"] == "https://example.com/api/auth/email/send-reset-password"
+    assert calls[2]["kwargs"]["json"] == {
+        "email": "a@example.com",
+        "redirectTo": "https://app.example.com/reset-password",
+    }
+    assert calls[2]["kwargs"]["headers"]["X-API-Key"] == "ins_test"
+    assert "Authorization" not in calls[2]["kwargs"]["headers"]
+
+    assert calls[3]["method"] == "POST"
+    assert calls[3]["url"] == "https://example.com/api/auth/email/exchange-reset-password-token"
+    assert calls[3]["kwargs"]["json"] == {"email": "a@example.com", "code": "123456"}
+    assert calls[3]["kwargs"]["headers"]["X-API-Key"] == "ins_test"
+    assert "Authorization" not in calls[3]["kwargs"]["headers"]
+
+    assert calls[4]["method"] == "POST"
+    assert calls[4]["url"] == "https://example.com/api/auth/email/reset-password"
+    assert calls[4]["kwargs"]["json"] == {"newPassword": "new-password", "otp": "reset-token"}
+    assert calls[4]["kwargs"]["headers"]["X-API-Key"] == "ins_test"
+    assert "Authorization" not in calls[4]["kwargs"]["headers"]
+
+    assert send_verification.success is True
+    assert send_verification.message == "Verification email sent"
+
+    assert verify.user.email == "a@example.com"
+    assert verify.access_token == "access"
+    assert verify.refresh_token == "refresh"
+
+    assert send_reset.success is True
+    assert send_reset.message == "Reset email sent"
+
+    assert exchange.token == "reset-token"
+    assert exchange.expires_at.isoformat() == "2026-03-28T12:34:56+00:00"
+
+    assert reset.message == "Password reset successfully"
