[auth] Update login page, add token refresh, and fix password reset flow #495

Open
amahuli03 wants to merge 13 commits into CodeForPhilly:develop from amahuli03:auth-login-ux-token-refresh

amahuli03 (Collaborator) commented Apr 12, 2026

Related Issue

Closes #486
Part of #483
Blocked by #484 and #485

Description

Updates the login page, header, and session management for non-admin users now that registration and activation are working.

  • The login page previously had an admin-only warning banner and no way for users to navigate to registration or password reset. That banner is removed and links to register and reset password are added.
  • The password reset request and confirmation states previously redirected silently to home with no confirmation. Both now show a confirmation page with an appropriate message for password reset request confirmation and for password reset confirmation.
  • Header: unauthenticated users now see a "Log In" button in the header. Previously there was no way to reach the login page from the navigation. The change is on both web and mobile navs.
  • Token refresh: Sessions previously expired silently after 60 minutes with no recovery. A response interceptor is added to adminApi that catches 401 responses, attempts a silent token refresh using the refresh token, and retries the original request. If the refresh token is expired or missing, tokens are cleared and the user is redirected to login. A queue handles concurrent requests that fail simultaneously during a refresh, preventing multiple refresh attempts.

Manual Tests

Manually tested that everything is working:

  • Login page no longer shows admin-only messaging, now shows working links to create account and reset password
  • Password reset request shows confirmation state instead of redirecting
  • Password reset confirm shows success state instead of redirecting
  • Verified password reset works as intended. The work here was also done in the /resetPassword route
  • Unauthenticated users see "Log In" in header on desktop and mobile
  • Token refresh verified by shortening access token lifetime to 30 seconds. Expired token triggers silent refresh and original request retries successfully

Reviewers

@sahilds1 @taichan03

Notes

EMAIL_HOST_USER and EMAIL_HOST_PASSWORD must be set to valid Gmail SMTP credentials. Without these, activation and password reset emails will not send in production.

@amahuli03 amahuli03 self-assigned this Apr 12, 2026
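
The token refresh behaviour described in the PR above (catch a 401, refresh once, retry the original request, and make concurrent failures wait on a single refresh), as an added example that is not the PR's code. `createAuthClient`, `send`, `refresh`, `onLogout` and the fake backend inside `demo` are hypothetical names and constructed inputs; there is no axios dependency, so it runs offline.

```javascript
// Added example: single-flight refresh on 401. All names here are hypothetical.
function createAuthClient({ send, refresh, tokens, onLogout }) {
  let inFlight = null; // promise shared by every request waiting on a refresh

  function refreshOnce() {
    if (!inFlight) {
      inFlight = (async () => {
        try {
          if (!tokens.refresh) throw new Error("no refresh token");
          tokens.access = await refresh(tokens.refresh);
        } catch (err) {
          tokens.access = tokens.refresh = null; // drop unusable credentials
          onLogout();                            // e.g. redirect to the login page
          throw err;
        }
      })().finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  return async function request(path) {
    const res = await send(path, tokens.access);
    if (res.status !== 401) return res;
    await refreshOnce();              // concurrent 401s all wait on the same promise
    return send(path, tokens.access); // retry exactly once, so no refresh loop
  };
}

// Constructed fake backend: only the access token "fresh" is accepted.
async function demo(refreshTokenValid) {
  const tokens = { access: "stale", refresh: "r1" };
  let refreshCalls = 0, logouts = 0;
  const send = async (path, tok) => ({ path, status: tok === "fresh" ? 200 : 401 });
  const refresh = () => new Promise((resolve, reject) => setTimeout(() => {
    refreshCalls++;
    refreshTokenValid ? resolve("fresh") : reject(new Error("refresh token expired"));
  }, 5));
  const request = createAuthClient({ send, refresh, tokens, onLogout: () => logouts++ });
  const results = await Promise.allSettled(["/a", "/b", "/c"].map((p) => request(p)));
  const statuses = results.map((r) => (r.status === "fulfilled" ? r.value.status : "rejected"));
  return { refreshCalls, logouts, statuses, tokens };
}

demo(true).then((r) => console.log(r));
```

The retry is deliberately not routed back through the 401 handler: a second 401 after a successful refresh is returned to the caller instead of triggering another refresh.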