Open
Conversation
…ogle Calendar access check - Updated the deleteCompassDataForMatchingUsers function to accept a second parameter, gcalAccess, indicating whether the user has Google Calendar access. - This change allows for more granular control over the deletion process based on the user's Google Calendar connection status.
…et flow - Introduced a new `RouteLocationMirror` component to synchronize URL state with the AuthModal. - Added `renderWithDayRedirectRoute` function to facilitate testing of the AuthModal with day-based routing. - Updated tests to verify that the reset password flow correctly preserves authentication parameters in the URL during redirects. - Implemented `updateCurrentUrlSearchParams` function to streamline URL parameter updates in the authentication flow. - Enhanced existing tests to ensure robust coverage of the new functionality and maintainability of the AuthModal component.
…aging - Introduced a new status message in the LogInForm to inform users of successful password resets. - Updated AuthModal logic to handle the new "loginAfterReset" view, improving user experience during the authentication process. - Enhanced tests for LogInForm to verify the display of status messages, ensuring accurate feedback for users. - Refactored related hooks and components to support the updated authentication flow and maintain clarity in the codebase.
…eset - Added a test to verify that clicking "Sign up" after a successful password reset correctly transitions the user to the sign-up view. - Updated error handling in the useZodForm hook to log errors in development mode, improving debugging capabilities during form submissions.
…and documentation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix password reset email URL and simplify environment configuration
Problem
Password reset emails sent from staging and production contained
http://localhost:9080as the base URL, making the reset link unusable. The variableLOCAL_WEB_URLwas hardcoded tolocalhost:9080in all env files — including staging and production — because its name implied it was only for local use. The correct domain values existed inSTAGING_WEB_URLandPROD_WEB_URL, but those were never wired into the backend schema or the reset link builder.A secondary issue: the CLI had three separate URL env vars (
LOCAL_WEB_URL,STAGING_WEB_URL,PROD_WEB_URL) that were mostly redundant with each other, adding cognitive overhead to env file setup.Changes
Rename
LOCAL_WEB_URL→FRONTEND_URLand fix values per environmentFRONTEND_URLnow holds the public-facing frontend URL for the current deployment —localhost:9080for local, the real domain for staging/prodenv.constants.ts) soENV.FRONTEND_URLis always the correct domainbuildResetPasswordLink()now uses this correct value, so reset emails link to the right domain in every environmentConsolidate CLI URL configuration
STAGING_WEB_URLandPROD_WEB_URLfrom all env files andCLI_ENV— they duplicatedFRONTEND_URL's valuegetCleanupUrl()now simply returns${FRONTEND_URL}/cleanup— no NODE_ENV branching neededgetDomainAnswer()extracts the hostname fromFRONTEND_URLwhen it's a real domain; falls back to an interactive prompt (with a tip to setFRONTEND_URL) when it's localhostPassword reset UI flow
AuthModalto handle the post-reset sign-up flow and show appropriate status messaginguseAuthFormHandlersduring the reset flowloaders.tsto detect and route reset password sessionsDelete user GCal access check
deleteCompassDataForMatchingUsersnow checks for a Google refresh token before attempting GCal cleanup, avoiding spurious errors for password-only usersTest plan
https://backend.compasscalendar.app/day?auth=reset&token=...pnpm testinpackages/backend— Zod schema + supertokens middleware testspnpm testinpackages/web— AuthModal testsdeletecommand cleanup URL resolves correctlyNote
Medium Risk
Touches password reset and auth URL handling across web routing, modal state, and backend email link generation; misconfiguration of the renamed
FRONTEND_URLenv var or redirect/query handling could break reset links or login UX.Overview
Fixes the password-reset flow end-to-end by preserving
?auth=reset&token=...through/→/day→/day/:dateredirects and by making the reset submit resilient to URL changes (token is re-injected before submit, then removed afterward).Updates the auth modal to introduce a
loginAfterResetview and show a success status message on the login form after a successful reset, with new/updated tests covering redirect preservation and view switching.Renames backend/CLI configuration from
LOCAL_WEB_URLtoFRONTEND_URLfor building reset-password links and local CLI cleanup URLs, updating env schema, examples, and docs accordingly.Written by Cursor Bugbot for commit 3ecdcb7. This will update automatically on new commits. Configure here.