feat: user management — admin create, password reset, archive/delete, quick invite

Phase 1: must_change_password enforcement + change password endpoint/page Phase 2: Admin user creation (M365-style) with temp password Phase 3: Password reset (self-service forgot + admin-triggered) Phase 4: User archive (soft delete) + hard delete with precheck Phase 5: Quick invite from admin Users page Also fixes: - Auto-create subscription for accounts missing one - Hard delete precheck ignores sole-member personal accounts - Seed script patches tree nodes for validation compliance Migrations: 031 (must_change_password), 032 (password_reset_tokens), 033 (user soft delete) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 01:42:51 -05:00
parent b8f25f19eb
commit ad59446332
32 changed files with 3064 additions and 38 deletions
--- a/frontend/src/pages/ResetPasswordPage.tsx
+++ b/frontend/src/pages/ResetPasswordPage.tsx
@@ -0,0 +1,187 @@
+import { useState, useEffect } from 'react'
+import { Link, useSearchParams, useNavigate } from 'react-router-dom'
+import { authApi } from '@/api/auth'
+import { toast } from '@/lib/toast'
+import { BrandLogo } from '@/components/common/BrandLogo'
+import { cn } from '@/lib/utils'
+
+export function ResetPasswordPage() {
+  const [searchParams] = useSearchParams()
+  const navigate = useNavigate()
+  const token = searchParams.get('token') || ''
+
+  const [verifying, setVerifying] = useState(true)
+  const [valid, setValid] = useState(false)
+  const [email, setEmail] = useState<string | null>(null)
+
+  const [newPassword, setNewPassword] = useState('')
+  const [confirmPassword, setConfirmPassword] = useState('')
+  const [isLoading, setIsLoading] = useState(false)
+  const [error, setError] = useState('')
+
+  useEffect(() => {
+    if (!token) {
+      setVerifying(false)
+      return
+    }
+    authApi.verifyResetToken(token).then((res) => {
+      setValid(res.valid)
+      setEmail(res.email || null)
+    }).catch(() => {
+      setValid(false)
+    }).finally(() => {
+      setVerifying(false)
+    })
+  }, [token])
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    setError('')
+
+    if (!newPassword || !confirmPassword) {
+      setError('Please fill in all fields')
+      return
+    }
+
+    if (newPassword !== confirmPassword) {
+      setError('Passwords do not match')
+      return
+    }
+
+    if (newPassword.length < 10) {
+      setError('Password must be at least 10 characters')
+      return
+    }
+
+    setIsLoading(true)
+    try {
+      await authApi.resetPassword(token, newPassword)
+      toast.success('Password reset successfully. Please sign in.')
+      navigate('/login', { replace: true })
+    } catch (err: unknown) {
+      if (err && typeof err === 'object' && 'response' in err) {
+        const axiosErr = err as { response?: { data?: { detail?: string } } }
+        setError(axiosErr.response?.data?.detail || 'Failed to reset password')
+      } else {
+        setError('Failed to reset password')
+      }
+    } finally {
+      setIsLoading(false)
+    }
+  }
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-black px-4">
+      <div className="pointer-events-none fixed inset-0 bg-[radial-gradient(circle_at_50%_0%,rgba(100,100,120,0.03),transparent_50%)]" />
+
+      <div className="relative w-full max-w-md space-y-8">
+        <div className="text-center">
+          <div className="mb-4 flex justify-center sm:mb-6">
+            <div className="w-16 h-16 rounded-2xl bg-white flex items-center justify-center sm:w-20 sm:h-20">
+              <BrandLogo size="lg" className="h-10 w-10 invert sm:h-12 sm:w-12" />
+            </div>
+          </div>
+          <h1 className="text-3xl font-bold text-white tracking-tight">
+            Reset Password
+          </h1>
+        </div>
+
+        {verifying ? (
+          <div className="glass-card rounded-2xl p-6 text-center">
+            <p className="text-white/60">Verifying reset link...</p>
+          </div>
+        ) : !token || !valid ? (
+          <div className="glass-card rounded-2xl p-6 space-y-4">
+            <div className="rounded-xl border border-red-400/20 bg-red-400/10 p-4 text-sm text-red-400">
+              This reset link is invalid or has expired. Please request a new one.
+            </div>
+            <div className="text-center">
+              <Link
+                to="/forgot-password"
+                className="text-sm text-white/60 hover:text-white transition-colors"
+              >
+                Request new reset link
+              </Link>
+            </div>
+          </div>
+        ) : (
+          <form onSubmit={handleSubmit} className="mt-8 space-y-6">
+            <div className="glass-card rounded-2xl p-6 space-y-4">
+              {email && (
+                <p className="text-sm text-white/60">
+                  Resetting password for <span className="font-medium text-white">{email}</span>
+                </p>
+              )}
+
+              {error && (
+                <div className="rounded-xl border border-red-400/20 bg-red-400/10 p-3 text-sm text-red-400">
+                  {error}
+                </div>
+              )}
+
+              <div>
+                <label htmlFor="new-password" className="mb-1 block text-sm font-medium text-white">
+                  New Password
+                </label>
+                <input
+                  id="new-password"
+                  type="password"
+                  autoComplete="new-password"
+                  required
+                  value={newPassword}
+                  onChange={(e) => setNewPassword(e.target.value)}
+                  className={cn(
+                    'block w-full rounded-xl border border-white/10 bg-black/50 px-3 py-2',
+                    'text-white placeholder:text-white/30',
+                    'focus:border-white/30 focus:outline-none focus:ring-1 focus:ring-white/20',
+                    'transition-colors'
+                  )}
+                  placeholder="At least 10 characters"
+                />
+                <p className="mt-1 text-xs text-white/40">
+                  Must include uppercase, lowercase, and a digit.
+                </p>
+              </div>
+
+              <div>
+                <label htmlFor="confirm-password" className="mb-1 block text-sm font-medium text-white">
+                  Confirm New Password
+                </label>
+                <input
+                  id="confirm-password"
+                  type="password"
+                  autoComplete="new-password"
+                  required
+                  value={confirmPassword}
+                  onChange={(e) => setConfirmPassword(e.target.value)}
+                  className={cn(
+                    'block w-full rounded-xl border border-white/10 bg-black/50 px-3 py-2',
+                    'text-white placeholder:text-white/30',
+                    'focus:border-white/30 focus:outline-none focus:ring-1 focus:ring-white/20',
+                    'transition-colors'
+                  )}
+                />
+              </div>
+
+              <button
+                type="submit"
+                disabled={isLoading}
+                className={cn(
+                  'w-full rounded-xl px-4 py-2.5 text-sm font-semibold btn-press',
+                  'bg-white text-black hover:bg-white/90',
+                  'focus:outline-none focus:ring-2 focus:ring-white/30 focus:ring-offset-2 focus:ring-offset-black',
+                  'disabled:cursor-not-allowed disabled:opacity-50',
+                  'transition-all'
+                )}
+              >
+                {isLoading ? 'Resetting...' : 'Reset Password'}
+              </button>
+            </div>
+          </form>
+        )}
+      </div>
+    </div>
+  )
+}
+
+export default ResetPasswordPage