!fix: password reset flow#1566
Merged
tyler-dane merged 16 commits intomainfrom Mar 26, 2026
Merged
Conversation
…ogle Calendar access check - Updated the deleteCompassDataForMatchingUsers function to accept a second parameter, gcalAccess, indicating whether the user has Google Calendar access. - This change allows for more granular control over the deletion process based on the user's Google Calendar connection status.
…et flow - Introduced a new `RouteLocationMirror` component to synchronize URL state with the AuthModal. - Added `renderWithDayRedirectRoute` function to facilitate testing of the AuthModal with day-based routing. - Updated tests to verify that the reset password flow correctly preserves authentication parameters in the URL during redirects. - Implemented `updateCurrentUrlSearchParams` function to streamline URL parameter updates in the authentication flow. - Enhanced existing tests to ensure robust coverage of the new functionality and maintainability of the AuthModal component.
…aging - Introduced a new status message in the LogInForm to inform users of successful password resets. - Updated AuthModal logic to handle the new "loginAfterReset" view, improving user experience during the authentication process. - Enhanced tests for LogInForm to verify the display of status messages, ensuring accurate feedback for users. - Refactored related hooks and components to support the updated authentication flow and maintain clarity in the codebase.
…eset - Added a test to verify that clicking "Sign up" after a successful password reset correctly transitions the user to the sign-up view. - Updated error handling in the useZodForm hook to log errors in development mode, improving debugging capabilities during form submissions.
…and documentation
…ng and production URLs
tyler-dane
force-pushed
the
feat/email-pw-reset
branch
from
3ecdcb7 to
a735f6c
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
…tecture, auth-sync, and recurring events guides
…tecture, auth-sync, and recurring events guides
…of hostname for non-local environments
- Added section on Google Series Splits to recurring events handling documentation to clarify handling of incremental sync payloads. - Deleted outdated recurring events overview and sync documentation to streamline content and avoid redundancy. - Updated frontend data flow documentation to consolidate information and clarify event flow. - Revised principles documentation to align with repo guidance.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
!Breaking change: Renames an environment value
Fix password reset email URL and simplify environment configuration
Problem
Password reset emails sent from staging and production contained
http://localhost:9080as the base URL, making the reset link unusable. The variableLOCAL_WEB_URLwas hardcoded tolocalhost:9080in all env files — including staging and production — because its name implied it was only for local use. The correct domain values existed inSTAGING_WEB_URLandPROD_WEB_URL, but those were never wired into the backend schema or the reset link builder.A secondary issue: the CLI had three separate URL env vars (
LOCAL_WEB_URL,STAGING_WEB_URL,PROD_WEB_URL) that were mostly redundant with each other, adding cognitive overhead to env file setup.Changes
Rename
LOCAL_WEB_URL→FRONTEND_URLand fix values per environmentFRONTEND_URLnow holds the public-facing frontend URL for the current deployment —localhost:9080for local, the real domain for staging/prodenv.constants.ts) soENV.FRONTEND_URLis always the correct domainbuildResetPasswordLink()now uses this correct value, so reset emails link to the right domain in every environmentConsolidate CLI URL configuration
STAGING_WEB_URLandPROD_WEB_URLfrom all env files andCLI_ENV— they duplicatedFRONTEND_URL's valuegetCleanupUrl()now simply returns${FRONTEND_URL}/cleanup— no NODE_ENV branching neededgetDomainAnswer()extracts the hostname fromFRONTEND_URLwhen it's a real domain; falls back to an interactive prompt (with a tip to setFRONTEND_URL) when it's localhostPassword reset UI flow
AuthModalto handle the post-reset sign-up flow and show appropriate status messaginguseAuthFormHandlersduring the reset flowloaders.tsto detect and route reset password sessionsDelete user GCal access check
deleteCompassDataForMatchingUsersnow checks for a Google refresh token before attempting GCal cleanup, avoiding spurious errors for password-only usersTest plan
https://backend.compasscalendar.app/day?auth=reset&token=...pnpm testinpackages/backend— Zod schema + supertokens middleware testspnpm testinpackages/web— AuthModal testsdeletecommand cleanup URL resolves correctlyNote
Medium Risk
Medium risk because it renames a required backend/CLI env var (
LOCAL_WEB_URL→FRONTEND_URL) and refactors SuperTokens override handlers plus web router/auth modal logic, which could break auth flows or deployments if misconfigured.Overview
Fixes password reset links and simplifies URL env configuration by replacing
LOCAL_WEB_URL(and CLISTAGING_WEB_URL/PROD_WEB_URL) with a singleFRONTEND_URLused by the backend env schema, SuperTokens reset-email rewriting, and CLI domain/cleanup URL resolution.Refactors backend SuperTokens overrides into
supertokens.middleware.handlers.ts, centralizes “tag new user” email-list behavior inEmailService.tagNewUserIfEnabled, and adjusts tests accordingly (including avoiding a race inSyncDriver.createSync).Hardens the web password reset UX: loader redirects now preserve
?auth=...query params, reset tokens are managed via URL-safe helpers, the modal adds aloginAfterResetstate with a success message, and new tests cover redirects and view switching.Minor cleanups: remove a noisy
console.warnin core event mapping, stabilize RRULE tests, update CLI delete to skip Google watch cleanup when no refresh token exists, and reorganize/add internal docs plus ignore.claude/.Written by Cursor Bugbot for commit 3b8e877. This will update automatically on new commits. Configure here.