// Email verification + password reset pages. // // Backend contract — see apps/frontend/public/api-client.js: // forgotPassword({ email }) → POST /v1/auth/password-reset → 204 // resetPassword({ token, newPassword }) → POST /v1/auth/password-reset/confirm → 204 // verifyEmail({ token }) → POST /v1/auth/email/verify → 204 // // Token comes from the email link's `?token=` query string. main.jsx // reads `?route=` on initial load so the email link can route directly // to auth:reset or auth:verify. const _AuthShell = ({ eyebrow, title, subtitle, children }) => (
{eyebrow &&
{eyebrow}
}

{title}

{subtitle && (

{subtitle}

)} {children}
); const _StatusBox = ({ tone, children }) => { const palette = { info: { bg: 'var(--coral-bg)', fg: 'var(--t-ink)', border: 'var(--t-line)' }, error: { bg: '#FBE9E9', fg: '#7A2A2A', border: '#D64545' }, success: { bg: 'var(--mint-light)', fg: 'var(--mint-dark)', border: 'var(--mint)' }, }[tone] || { bg: '#F6EDDF', fg: 'var(--t-ink-muted)', border: '#D9CABA' }; return (
{children}
); }; // Tokens arrive via the email link as `?token=...`. Reset / verify pages // read it once on mount. Returns null if absent or empty. const _readUrlToken = () => { try { return new URLSearchParams(window.location.search).get('token') || null; } catch (e) { return null; } }; // ============================ ForgotPasswordPage ============================ const ForgotPasswordPage = ({ go }) => { const { t } = window.useI18n(); const [email, setEmail] = useState(''); const [phase, setPhase] = useState('form'); // form | submitting | sent const [error, setError] = useState(''); const submit = async (e) => { if (e?.preventDefault) e.preventDefault(); if (!email || phase === 'submitting') return; setError(''); setPhase('submitting'); try { // API always returns 204 to avoid enumeration — we show the confirmation // regardless of whether the email is registered. await window.HelperMatchApi.forgotPassword({ email }); setPhase('sent'); } catch (err) { // Only surface a real error (network down, 5xx) — never indicate // whether the email was found. setError(err?.message || 'Unable to send reset link. Please try again.'); setPhase('form'); } }; if (phase === 'sent') { return ( <_AuthShell eyebrow={t('auth.forgot.eyebrow')} title={t('auth.forgot.sentTitle')} subtitle={t('auth.forgot.sentSub').replace('{email}', email)} > ); } return ( <_AuthShell eyebrow={t('auth.forgot.eyebrow')} title={t('auth.forgot.title')} subtitle={t('auth.forgot.sub')} > {error && <_StatusBox tone="error">{error}}
setEmail(e.target.value)} placeholder="you@example.com" required />
go && go('auth:login')}> {t('auth.backToLogin')}
); }; // ============================ ResetPasswordPage ============================= const ResetPasswordPage = ({ go }) => { const { t } = window.useI18n(); const [token] = useState(_readUrlToken); const [pw, setPw] = useState(''); const [pw2, setPw2] = useState(''); const [phase, setPhase] = useState('form'); // form | submitting | done const [error, setError] = useState(''); const tooShort = pw.length > 0 && pw.length < 8; const mismatch = pw2.length > 0 && pw !== pw2; const canSubmit = !!token && pw.length >= 8 && pw === pw2 && phase === 'form'; const submit = async (e) => { if (e?.preventDefault) e.preventDefault(); if (!canSubmit) return; setError(''); setPhase('submitting'); try { await window.HelperMatchApi.resetPassword({ token, newPassword: pw }); setPhase('done'); } catch (err) { setError(err?.message || t('auth.reset.invalidToken')); setPhase('form'); } }; if (phase === 'done') { return ( <_AuthShell eyebrow={t('auth.reset.eyebrow')} title={t('auth.reset.doneTitle')} subtitle={t('auth.reset.doneSub')} > ); } return ( <_AuthShell eyebrow={t('auth.reset.eyebrow')} title={t('auth.reset.title')} subtitle={t('auth.reset.sub')} > {!token && <_StatusBox tone="error">{t('auth.reset.invalidToken')}} {error && <_StatusBox tone="error">{error}}
setPw(e.target.value)} placeholder="••••••••" minLength={8} required /> {tooShort && (
{t('auth.passwordTooShort')}
)}
setPw2(e.target.value)} placeholder="••••••••" required /> {mismatch && (
{t('auth.passwordMismatch')}
)}
); }; // ============================ VerifyEmailPage =============================== // API returns 204 on success without a session, so post-verify we send the // user to the login page rather than the dashboard. const VerifyEmailPage = ({ go }) => { const { t } = window.useI18n(); const [phase, setPhase] = useState('verifying'); // verifying | verified | failed useEffect(() => { const token = _readUrlToken(); if (!token) { setPhase('failed'); return; } let cancelled = false; window.HelperMatchApi.verifyEmail({ token }) .then(() => { if (!cancelled) setPhase('verified'); }) .catch(() => { if (!cancelled) setPhase('failed'); }); return () => { cancelled = true; }; }, []); if (phase === 'verifying') { return ( <_AuthShell eyebrow={t('auth.verify.eyebrow')} title={t('auth.verify.verifying')} subtitle={t('auth.verify.verifyingSub')} /> ); } if (phase === 'failed') { return ( <_AuthShell eyebrow={t('auth.verify.eyebrow')} title={t('auth.verify.failedTitle')} subtitle={t('auth.verify.failedSub')} > ); } return ( <_AuthShell eyebrow={t('auth.verify.eyebrow')} title={t('auth.verify.successTitle')} subtitle={t('auth.verify.successSub')} > ); }; Object.assign(window, { ForgotPasswordPage, ResetPasswordPage, VerifyEmailPage });