[masterbots.ai] feat: Create Password Recovery #282

Merged (13 commits) on Oct 10, 2024

Bran18 (Contributor) commented Oct 8, 2024

Summary

Introduce a password recovery feature with endpoints for requesting and resetting passwords, along with UI components for user interaction. Implement email functionality to facilitate password reset requests. Update Hasura metadata to support the new feature and refactor Taskfile.yml for improved consistency.

New Features:

  • Implement password recovery feature, including endpoints for requesting and resetting passwords.
  • Add user interface components for 'Forgot Password' and 'Reset Password' forms.
  • Introduce email functionality to send password reset emails using nodemailer.

Enhancements:

  • Update Hasura metadata to include new tables and relationships for managing password reset tokens.
  • Refactor Taskfile.yml to use 'docker compose' instead of 'docker-compose' for consistency.

Note: MAILTRAP_USER and MAILTRAP_PASS are added as env variables and are crucial for testing

Summary by CodeRabbit

Release Notes

  • New Features

    • Introduced password reset functionality with new API endpoints for requesting and processing password resets.
    • Added user interface components for "Forgot Password" and "Reset Password" processes.
    • Implemented a password strength meter to assist users in creating strong passwords.
    • Enhanced email sending capability for password reset notifications.
  • Bug Fixes

    • Improved error handling and response messages for password reset operations.
  • Chores

    • Added environment variable for Hasura GraphQL admin secret.
  • Dependencies

    • Added nodemailer for email handling functionality.

Preview video:

Screen.Recording.2024-10-07.at.11.42.04.PM.mov

Password Strength - UX

Screen.Recording.2024-10-08.at.1.26.55.AM.mov

Password Reveal - UX

Screen.Recording.2024-10-08.at.2.36.53.PM.mov

@Bran18 Bran18 added the enhancement New feature or request label Oct 8, 2024
@Bran18 Bran18 requested a review from AndlerRL October 8, 2024 05:47
@Bran18 Bran18 self-assigned this Oct 8, 2024

vercel bot commented Oct 8, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
masterbots ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 10, 2024 3:56pm


coderabbitai bot commented Oct 8, 2024

Walkthrough

The changes in this pull request introduce new API endpoints for handling password reset functionality, including a password reset request and a password reset process. Additionally, new React components for the user interface are created, allowing users to submit their email for password recovery and to reset their password using a token. The implementation also includes utility functions for email validation and password strength assessment, alongside email handling for sending password reset emails.

Changes

File: Change Summary

  • apps/masterbots.ai/app/api/auth/forgot-password/route.ts: Added new API endpoint for handling password reset requests.
  • apps/masterbots.ai/app/api/auth/reset-password/route.ts: Added new API endpoint for resetting passwords.
  • apps/masterbots.ai/components/auth/forgot-password-form.tsx: Added ForgotPasswordForm component for email input and submission.
  • apps/masterbots.ai/components/auth/reset-password-form.tsx: Added ResetPasswordForm component for new password input.
  • apps/masterbots.ai/components/shared/password-strength-meter.tsx: Introduced PasswordStrengthMeter component to visualize password strength.
  • apps/masterbots.ai/lib/email.ts: Introduced email functionality for sending password reset emails using nodemailer.
  • apps/masterbots.ai/lib/password.ts: Added functions for calculating and assessing password strength.
  • apps/masterbots.ai/lib/utils.ts: Added validateEmail function for email format validation.
  • apps/.env_sample: Added environment variable HASURA_GRAPHQL_ADMIN_SECRET=lfg.
  • apps/masterbots.ai/components/auth/signin-form.tsx: Modified SignInForm to include a link to the "Forgot Password?" page.

Possibly related PRs

  • Add chat publicity trigger #258: The main PR introduces a password reset API endpoint, while this PR adds a feature for managing thread visibility, which may involve similar user authentication and state management processes. Both PRs deal with user-related functionalities in the application.
  • fix(masterbots): google signIn #260: This PR modifies the authentication logic, which is relevant to the main PR's password reset functionality as it involves user authentication and management. Changes in authentication can directly impact how password reset requests are processed.


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 03aa2d6 and d21c04d.

📒 Files selected for processing (3)
  • apps/.env_sample (1 hunks)
  • apps/masterbots.ai/components/auth/reset-password-form.tsx (1 hunks)
  • apps/masterbots.ai/components/shared/password-strength-meter.tsx (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • apps/.env_sample
🚧 Files skipped from review as they are similar to previous changes (2)
  • apps/masterbots.ai/components/auth/reset-password-form.tsx
  • apps/masterbots.ai/components/shared/password-strength-meter.tsx

sourcery-ai bot commented Oct 8, 2024

Reviewer's Guide by Sourcery

This pull request implements a password recovery feature for the Masterbots.ai application. It includes changes to the backend infrastructure, API routes for forgot password and reset password functionality, email sending capabilities, and frontend components for the password recovery process.

Sequence diagram for password reset process

sequenceDiagram
    actor User
    participant Frontend
    participant Backend
    participant EmailService
    User->>Frontend: Clicks 'Forgot Password'
    Frontend->>Backend: POST /api/auth/forgot-password
    Backend->>Database: Check if user exists
    alt User exists
        Backend->>EmailService: Send password reset email
        EmailService-->>User: Password reset email
    end
    User->>Frontend: Clicks link in email
    Frontend->>Backend: POST /api/auth/reset-password
    Backend->>Database: Validate token and update password
    Backend-->>Frontend: Password reset successful
    Frontend-->>User: Display success message

User journey diagram for password recovery

journey
    title Password Recovery User Journey
    section Forgot Password
      User: Clicks 'Forgot Password' - 5: User
      User: Enters email and submits form - 4: User
      System: Sends password reset email - 3: System
    section Reset Password
      User: Clicks link in email - 5: User
      User: Enters new password and submits form - 4: User
      System: Validates token and updates password - 3: System
      User: Receives confirmation of password reset - 5: User

ER diagram for new token and user_token tables

erDiagram
    USER {
        UUID user_id
        TEXT email
        TEXT password
        BOOLEAN is_verified
    }
    TOKEN {
        TEXT token
        TIMESTAMPTZ token_expiry
    }
    USER_TOKEN {
        UUID user_id
        TEXT token
    }
    USER ||--o{ USER_TOKEN : "has"
    TOKEN ||--o{ USER_TOKEN : "has"
    USER_TOKEN }|..|{ TOKEN : "references"
    USER_TOKEN }|..|{ USER : "references"

File-Level Changes

Change / Details / Files

Implemented password recovery feature
  Details:
  • Added API routes for forgot password and reset password
  • Created email sending functionality for password reset
  • Added frontend components for forgot password and reset password forms
  • Updated database schema to support password recovery tokens
  Files:
  • apps/masterbots.ai/app/api/auth/forgot-password/route.ts
  • apps/masterbots.ai/app/api/auth/reset-password/route.ts
  • apps/masterbots.ai/lib/email.ts
  • apps/masterbots.ai/components/auth/forgot-password-form.tsx
  • apps/masterbots.ai/components/auth/reset-password-form.tsx
  • apps/masterbots.ai/app/auth/forgot-password/page.tsx
  • apps/masterbots.ai/app/auth/reset-password/page.tsx
  • apps/hasura/metadata/databases/masterbots/tables/public_token.yaml
  • apps/hasura/metadata/databases/masterbots/tables/public_user_token.yaml

Updated Hasura database schema and metadata
  Details:
  • Added new tables for tokens and user tokens
  • Updated user table schema
  • Added migrations for schema changes
  Files:
  • apps/hasura/metadata/databases/masterbots/tables/public_user.yaml
  • apps/hasura/metadata/databases/masterbots/tables/tables.yaml
  • apps/hasura/migrations/masterbots/1728339304083_create_table_public_token/up.sql
  • apps/hasura/migrations/masterbots/1728339501024_create_table_public_user_token/up.sql
  • apps/hasura/migrations/masterbots/1728339597164_alter_table_public_user_add_column_is_verified/up.sql

Updated Taskfile.yml for improved development workflow
  Details:
  • Refactored task commands for better clarity and consistency
  • Added admin secret to Hasura commands for improved security
  Files:
  • Taskfile.yml

Updated signin form to include forgot password link
  Details:
  • Added 'Forgot Password?' link to the signin form
  Files:
  • apps/masterbots.ai/components/auth/signin-form.tsx

@sourcery-ai sourcery-ai bot left a comment

Hey @Bran18 - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

  • Hardcoded Hasura admin secret found. (link)
Here's what I looked at during the review
  • 🟢 General issues: all looks good
  • 🔴 Security: 1 blocking issue, 2 other issues
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 19

🧹 Outside diff range and nitpick comments (27)
apps/hasura/migrations/masterbots/1728339597164_alter_table_public_user_add_column_is_verified/up.sql (1)

1-2: LGTM! Consider the following suggestions for a smooth integration.

The SQL migration to add the "is_verified" column to the "public"."user" table looks good. The column definition is appropriate, using a boolean type with a not null constraint and a default value of 'false'.

Here are some considerations for the team:

  1. Ensure that corresponding application code is updated to utilize this new column where necessary.
  2. Consider creating a "down" migration file to revert this change if needed in the future.
  3. Review and update any API endpoints or application logic related to user verification to incorporate this new column.
  4. If there's a need to verify existing users, plan for a separate data migration task.
apps/hasura/migrations/masterbots/1728335312982_alter_table_public_user_add_column_resetTokenExpiry/down.sql (1)

1-4: Security considerations for password reset feature

While implementing the password reset feature, please consider the following security best practices:

  1. Ensure that reset tokens are sufficiently long and random to prevent guessing attacks.
  2. Implement rate limiting on the password reset request endpoint to prevent abuse.
  3. Use secure communication (HTTPS) for all password reset related operations.
  4. Invalidate the reset token immediately after it's used.
  5. Notify the user via email when a password reset is requested and when it's completed.
  6. Log all password reset attempts for auditing purposes.

Consider implementing a separate service or module to handle password reset logic, ensuring separation of concerns and easier maintenance of security-related code.

Would you like me to provide a code snippet or outline for implementing these security measures?

apps/hasura/metadata/databases/masterbots/tables/public_token.yaml (1)

1-3: LGTM! Consider using a separate schema for authentication-related tables.

The table definition looks good. The name token is appropriate for its purpose. However, for better organization and potentially improved security, consider creating a separate schema (e.g., auth) for authentication-related tables instead of using the public schema.

apps/hasura/migrations/masterbots/1728339569387_alter_table_public_user_drop_column_resetTokenExpiry/down.sql (1)

1-3: Review and revise the migration strategy

After reviewing this "down" migration file, several concerns have been identified:

  1. Incorrect comment placement for the table description.
  2. Potential issues with dropping the NOT NULL constraint.
  3. Unusual sequence of operations for a "down" migration.

These issues suggest that the overall migration strategy for this change might need revision.

Consider the following recommendations:

  1. Review the corresponding "up" migration to ensure that this "down" migration correctly reverts all changes.
  2. Evaluate if the operations in this file achieve the intended purpose of the "down" migration.
  3. Consider reordering or modifying the operations to ensure they correctly and safely revert the database schema.
  4. Update comments to accurately describe the purpose of specific columns rather than the entire table.
  5. Assess the impact of allowing NULL values in the "resetTokenExpiry" column on the application logic.

A careful review and possible revision of this migration will help maintain data integrity and prevent potential issues during schema updates or rollbacks.

apps/masterbots.ai/app/auth/forgot-password/page.tsx (1)

5-7: LGTM: Styling and layout are appropriate, with room for enhancement.

The use of Tailwind CSS utility classes is consistent with modern React development practices and creates a clean, centered layout. The styling is minimal but effective for a simple form page.

For potential improvement:

Consider adding more padding or margin to the container for better spacing on larger screens. For example:

-    <div className="container max-w-md mx-auto mt-10">
+    <div className="container max-w-md mx-auto mt-10 p-6">

This change would add padding around the content, improving readability and visual appeal.

apps/hasura/migrations/masterbots/1728339501024_create_table_public_user_token/up.sql (1)

1-1: LGTM! Consider enhancing the table comment.

The SQL statement for creating the user_token table is well-structured and aligns with the PR objective of implementing password recovery functionality. The composite primary key and foreign key constraints are appropriately defined, ensuring data integrity and preventing orphaned records.

Consider slightly modifying the table comment to be more explicit:

COMMENT ON TABLE "public"."user_token" IS E'Stores the relationship between users and tokens for one-time operations (password reset/account activation)';

This change provides a clearer explanation of the table's purpose and the nature of the tokens stored.

apps/masterbots.ai/app/auth/reset-password/page.tsx (2)

9-17: Good use of Suspense, consider adding error boundary.

The component structure is clean and the use of Suspense for handling loading states is excellent. However, consider wrapping the Suspense component with an error boundary to gracefully handle any errors that might occur during the password reset process.

Here's a suggested improvement:

+import { ErrorBoundary } from 'react-error-boundary'

 export default function ResetPasswordPage({
   searchParams
 }: {
   searchParams: { token: string }
 }) {
   return (
     <div className="container max-w-md mx-auto mt-10">
       <h1 className="mb-4 text-2xl font-bold">Reset Password</h1>
+      <ErrorBoundary fallback={<div>Error occurred. Please try again.</div>}>
         <Suspense fallback={<div>Loading...</div>}>
           <ResetPasswordForm token={searchParams.token} />
         </Suspense>
+      </ErrorBoundary>
     </div>
   )
 }
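
Review bot: `token={searchParams.token}` is still passed straight through inside the new `ErrorBoundary`, and the `{ token: string }` annotation is not enforced at runtime: a query parameter can be absent or repeated, so the value may be `undefined` or an array. Check that it is a single non-empty string of the expected shape before rendering `ResetPasswordForm`, and render the fallback message otherwise, so the boundary is not the only thing standing between a malformed link and the form.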

Don't forget to install and import the react-error-boundary package if it's not already in use in your project.


1-17: Overall, good implementation with room for security enhancements.

The ResetPasswordPage component is well-structured and makes good use of React features like Suspense. To further improve this implementation:

  1. Add input validation for the token parameter to enhance security.
  2. Implement an error boundary to gracefully handle potential errors.
  3. Consider adding logging or monitoring for password reset attempts to track any suspicious activities.

These enhancements will make the password reset functionality more robust and secure.

packages/mb-genql/package.json (1)

9-9: Acknowledge local development improvements while ensuring secure configurations

The change to use a local GraphQL endpoint is beneficial for developers working on the project locally. It allows for easier testing and debugging without relying on external services.

However, it's crucial to maintain secure and appropriate configurations for different environments (local, test, production). Please ensure that:

  1. The production build process uses the correct, secure HTTPS endpoint.
  2. Sensitive information like admin secrets are properly managed and not exposed in the codebase.
  3. The changes are consistent across all related scripts and configurations.

Consider documenting the local setup process, including any necessary environment variables, in the project's README or a dedicated developer guide. This will help maintain consistency across the development team and ease the onboarding process for new developers.

Taskfile.yml (5)

7-10: LGTM! Consider adding a description comment.

The change to use the cmds key and the introduction of Turbo repo for running the dev script are good improvements. They enhance the structure of the Taskfile and suggest a more efficient monorepo setup.

Consider adding a brief description comment above the task to explain what "masterbots.ai" refers to, for better clarity:

  # Run the main app (masterbots.ai) with Turbo repo
  app:
    cmds:
      - turbo run dev --scope="masterbots.ai"

13-15: LGTM! Consider using cmds key for consistency.

The addition of the --admin-secret parameter enhances security for the Hasura console access. Sourcing the secret from an environment variable is a good practice.

For consistency with other tasks, consider using the cmds key:

  console:
    cmds:
      - hasura console --project apps/hasura --admin-secret ${HASURA_GRAPHQL_ADMIN_SECRET}

18-25: LGTM! Consider using docker compose health checks.

The update to docker compose syntax and the addition of sleep commands are good improvements. They ensure proper sequencing of service startup.

While the sleep commands work, consider using Docker Compose's built-in health checks for a more robust solution. This would allow services to wait for dependencies to be truly ready, not just started. Here's an example of how you might modify your docker-compose.yml:

services:
  database:
    # ... other configuration ...
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "postgres"]
      interval: 5s
      timeout: 5s
      retries: 5

  hasura:
    # ... other configuration ...
    depends_on:
      database:
        condition: service_healthy

This approach would eliminate the need for arbitrary sleep durations in your Taskfile.


56-63: LGTM! Consider using docker compose up with specific services.

The updates to use docker compose syntax and the addition of separate postgres startup and Hasura logging are good improvements. They provide more control over the startup process and better visibility into Hasura's state.

Instead of using separate commands to start postgres and then all services, consider using docker compose up with specific service names. This approach is more idiomatic and easier to maintain. Here's a suggested modification:

  reload:
    cmds:
      - task down
      - docker compose up -d postgres
      - sleep 5
      - docker compose up -d hasura
      - docker compose logs -f hasura
      - task migrate
      - task seed

This change makes the startup sequence more explicit and easier to modify if new services are added in the future.

🧰 Tools
🪛 yamllint

[error] 63-63: no new line character at the end of file

(new-line-at-end-of-file)


63-63: Add a newline at the end of the file.

To adhere to common coding standards and prevent potential issues with certain tools, add a newline character at the end of the file.

apps/masterbots.ai/components/auth/signin-form.tsx (1)

62-67: LGTM: Addition of "Forgot Password?" link enhances user experience.

The new "Forgot Password?" link is a valuable addition to the sign-in form, providing users with a clear path to password recovery. The use of the Next.js Link component ensures efficient client-side navigation.

Consider adding an aria-label to the link for improved accessibility:

 <Link
   href="/auth/forgot-password"
   className="flex justify-end mt-6 text-sm text-purple-700 hover:underline"
+  aria-label="Forgot Password? Click here to reset"
 >
   Forgot Password?
 </Link>
apps/hasura/metadata/databases/masterbots/tables/public_user.yaml (1)

47-53: Consider potential performance implications of the new relationship.

While the addition of the userTokens relationship is beneficial for the password recovery feature, be mindful of its usage in GraphQL queries. Fetching user tokens along with user data in every query could impact performance unnecessarily.

Consider implementing the following best practices:

  1. Use selective querying: Only request the userTokens when specifically needed for password recovery operations.
  2. Implement pagination if the number of tokens per user could grow large over time.
  3. Monitor query performance after deployment and optimize if necessary.
apps/masterbots.ai/components/auth/reset-password-form.tsx (3)

11-24: Consider adding password strength validation.

While the current implementation checks if the passwords match, it doesn't validate the strength of the new password. Consider adding password strength validation to ensure users create secure passwords.

You could implement this by adding a function to check password strength and calling it before the password match check. For example:

const isPasswordStrong = (password: string): boolean => {
  // Implement your password strength logic here
  // e.g., check for minimum length, presence of uppercase, lowercase, numbers, and special characters
  return password.length >= 8 && /[A-Z]/.test(password) && /[a-z]/.test(password) && /[0-9]/.test(password) && /[^A-Za-z0-9]/.test(password);
}

// In handleSubmit function:
if (!isPasswordStrong(password)) {
  toast.error('Password is not strong enough. It should be at least 8 characters long and contain uppercase, lowercase, numbers, and special characters.');
  setIsLoading(false);
  return;
}

26-47: Enhance error handling for network errors.

The current implementation uses a generic error message for all types of errors. Consider providing more specific error messages for different types of errors, especially for network-related issues.

You could modify the catch block to differentiate between network errors and other types of errors:

} catch (error) {
  console.error('Error:', error);
  if (error instanceof TypeError && error.message === 'Failed to fetch') {
    toast.error('Network error. Please check your internet connection.');
  } else {
    toast.error('An unexpected error occurred. Please try again later.');
  }
} finally {
  setIsLoading(false);
}

This will provide more informative error messages to the user, improving the overall user experience.


1-78: LGTM: Well-implemented password reset component. Consider adding tests.

The ResetPasswordForm component is well-structured and implements the necessary functionality for a password reset flow. It follows React best practices and provides a good user experience with loading states and error handling.

To further improve the reliability of this component, consider adding unit tests to cover different scenarios such as:

  • Successful password reset
  • Password mismatch
  • API error handling
  • Network error handling

Would you like assistance in setting up a test file for this component?

apps/masterbots.ai/app/api/auth/forgot-password/route.ts (3)

10-10: Use consistent error responses

The error message "Email is required" is clear, but consider standardizing the error response format across your APIs. This could include consistent error codes, messages, and response structures to improve client-side error handling.


42-42: Use constants for configuration values

Hardcoding the token expiry duration as 3600000 milliseconds can reduce code readability and maintainability. Consider defining a constant or using an environment variable to make the code clearer and easier to configure.

Apply this diff to introduce a constant for the token expiry duration:

+ const TOKEN_EXPIRY_MS = 3600000; // 1 hour
- const resetTokenExpiry = new Date(Date.now() + 3600000) // 1 hour from now
+ const resetTokenExpiry = new Date(Date.now() + TOKEN_EXPIRY_MS)
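
Review bot: the added `const TOKEN_EXPIRY_MS` sits directly above its only use, so as written it is declared inside the handler rather than alongside the route's other configuration. Hoist it to module scope or read it from the environment, and keep the `// 1 hour` unit comment on the declaration so the lifetime of a reset token is stated in one place.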

77-81: Improve error handling for insertion failures

Throwing a generic error with the message "Failed to insert token" may not provide enough context for debugging. Consider capturing and logging specific error details or rethrowing the caught error to aid in troubleshooting.

Apply this diff to enhance error handling:

 if (
   !result.insertToken?.returning.length ||
   !result.insertUserToken?.returning.length
 ) {
-  throw new Error('Failed to insert token')
+  throw new Error('Failed to insert token or associate it with the user')
 }
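
Review bot: the replacement message on the `throw` line still cannot tell the two failures apart, because both `returning.length` checks share one `if`. Test `result.insertToken` and `result.insertUserToken` separately and throw a distinct error for each, so the server log shows whether the token row or the user association is the part that is missing.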
apps/masterbots.ai/app/api/auth/reset-password/route.ts (2)

106-112: Ensure consistent error responses

When an unexpected error occurs, the error message returned to the client is generic. Providing more specific error messages can help the client understand what went wrong.

Consider returning the error message or a specific code that indicates the nature of the error, while still avoiding the exposure of sensitive information.

Example modification:

107|     console.error('Error resetting password:', error)
-108|     return NextResponse.json(
-109|       { error: 'An error occurred while resetting the password' },
-110|       { status: 500 }
-111|     )
+108|     return NextResponse.json(
+109|       { error: error.message || 'An internal server error occurred' },
+110|       { status: 500 }
+111|     )
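
Review bot: Returning `error.message` in the 500 body at line 109 sends whatever the failing call threw to an unauthenticated caller, which works against the stated goal of not exposing sensitive information. Keep the generic client message that this hunk removes, rely on the `console.error` at line 107 for the detail, and return a fixed error code if the client needs to tell cases apart.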

5-113: Add unit tests for the password reset endpoint

To ensure the reliability and correctness of the new password reset functionality, it's important to have unit tests that cover various scenarios, including success cases and error handling.

Would you like assistance in creating unit tests for this endpoint or opening a GitHub issue to track this task?

apps/masterbots.ai/lib/email.ts (3)

19-19: Address the TODO: Update SendGrid configuration

The TODO comment indicates that the SendGrid configuration needs to be updated for the chosen email provider. It's important to update this configuration to ensure emails are sent correctly in the production environment.

Would you like assistance in updating the SendGrid configuration? I can help generate the updated code based on the chosen email provider.


90-90: Avoid logging sensitive user information

Logging the recipient's email address may expose sensitive user information in logs. Consider modifying the log statement to enhance user privacy.

Apply this diff to remove the email address from the log:

     await transporter.sendMail(mailOptions)
-    console.log(`Password reset email sent to ${email}`)
+    console.log('Password reset email sent successfully')
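
Review bot: Dropping `${email}` from the log is right, but the replacement line carries nothing that ties the event to a request. Log a non-identifying value such as a user id or request id so a delivery can still be traced without recording the address.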

92-93: Include the original error message when throwing

When re-throwing an error, including the original error message can aid in debugging and provide more context about the failure.

Apply this diff to include the original error message:

     console.error('Error sending password reset email:', error)
-    throw new Error('Failed to send password reset email')
+    throw new Error(`Failed to send password reset email: ${error.message}`)
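
Review bot: Interpolating `error.message` into the rethrown Error on the `+` line copies mail-provider detail into a message that callers may pass on to the client, and it assumes `error` is an Error, which a TypeScript catch variable is not guaranteed to be. Narrow with `error instanceof Error` and attach the original as the cause, for example `new Error('Failed to send password reset email', { cause: error })`; the detail is already logged on the line above.
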
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 9463de8 and 8184f87.

⛔ Files ignored due to path filters (5)
  • bun.lockb is excluded by !**/bun.lockb
  • packages/mb-genql/generated/index.ts is excluded by !**/generated/**
  • packages/mb-genql/generated/schema.graphql is excluded by !**/generated/**
  • packages/mb-genql/generated/schema.ts is excluded by !**/generated/**
  • packages/mb-genql/generated/types.ts is excluded by !**/generated/**
📒 Files selected for processing (35)
  • .env_sample (0 hunks)
  • Taskfile.yml (2 hunks)
  • apps/hasura/metadata/databases/masterbots/tables/public_token.yaml (1 hunks)
  • apps/hasura/metadata/databases/masterbots/tables/public_user.yaml (1 hunks)
  • apps/hasura/metadata/databases/masterbots/tables/public_user_token.yaml (1 hunks)
  • apps/hasura/metadata/databases/masterbots/tables/tables.yaml (1 hunks)
  • apps/hasura/migrations/masterbots/1728335280788_alter_table_public_user_add_column_resetToken/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728335280788_alter_table_public_user_add_column_resetToken/up.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728335312982_alter_table_public_user_add_column_resetTokenExpiry/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728335312982_alter_table_public_user_add_column_resetTokenExpiry/up.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339304083_create_table_public_token/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339304083_create_table_public_token/up.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339501024_create_table_public_user_token/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339501024_create_table_public_user_token/up.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339524677_alter_table_public_token_update_comment/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339524677_alter_table_public_token_update_comment/up.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339560012_alter_table_public_user_drop_column_resetToken/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339560012_alter_table_public_user_drop_column_resetToken/up.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339569387_alter_table_public_user_drop_column_resetTokenExpiry/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339569387_alter_table_public_user_drop_column_resetTokenExpiry/up.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339597164_alter_table_public_user_add_column_is_verified/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339597164_alter_table_public_user_add_column_is_verified/up.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339605396_alter_table_public_user_alter_column_is_verified/down.sql (1 hunks)
  • apps/hasura/migrations/masterbots/1728339605396_alter_table_public_user_alter_column_is_verified/up.sql (1 hunks)
  • apps/masterbots.ai/app/api/auth/forgot-password/route.ts (1 hunks)
  • apps/masterbots.ai/app/api/auth/reset-password/route.ts (1 hunks)
  • apps/masterbots.ai/app/auth/forgot-password/page.tsx (1 hunks)
  • apps/masterbots.ai/app/auth/reset-password/page.tsx (1 hunks)
  • apps/masterbots.ai/components/auth/forgot-password-form.tsx (1 hunks)
  • apps/masterbots.ai/components/auth/reset-password-form.tsx (1 hunks)
  • apps/masterbots.ai/components/auth/signin-form.tsx (3 hunks)
  • apps/masterbots.ai/lib/email.ts (1 hunks)
  • apps/masterbots.ai/package.json (2 hunks)
  • packages/mb-genql/.env-sample (0 hunks)
  • packages/mb-genql/package.json (1 hunks)
💤 Files with no reviewable changes (2)
  • .env_sample
  • packages/mb-genql/.env-sample
✅ Files skipped from review due to trivial changes (11)
  • apps/hasura/migrations/masterbots/1728335280788_alter_table_public_user_add_column_resetToken/down.sql
  • apps/hasura/migrations/masterbots/1728335280788_alter_table_public_user_add_column_resetToken/up.sql
  • apps/hasura/migrations/masterbots/1728335312982_alter_table_public_user_add_column_resetTokenExpiry/up.sql
  • apps/hasura/migrations/masterbots/1728339304083_create_table_public_token/down.sql
  • apps/hasura/migrations/masterbots/1728339304083_create_table_public_token/up.sql
  • apps/hasura/migrations/masterbots/1728339501024_create_table_public_user_token/down.sql
  • apps/hasura/migrations/masterbots/1728339524677_alter_table_public_token_update_comment/down.sql
  • apps/hasura/migrations/masterbots/1728339524677_alter_table_public_token_update_comment/up.sql
  • apps/hasura/migrations/masterbots/1728339560012_alter_table_public_user_drop_column_resetToken/up.sql
  • apps/hasura/migrations/masterbots/1728339569387_alter_table_public_user_drop_column_resetTokenExpiry/up.sql
  • apps/hasura/migrations/masterbots/1728339597164_alter_table_public_user_add_column_is_verified/down.sql
🧰 Additional context used
🪛 yamllint
Taskfile.yml

[error] 63-63: no new line character at the end of file

(new-line-at-end-of-file)

🪛 Biome
apps/masterbots.ai/lib/email.ts

[error] 10-10: Useless case clause.

because the default clause is present:

Unsafe fix: Remove the useless case.

(lint/complexity/noUselessSwitchCase)

🔇 Additional comments (31)
apps/hasura/migrations/masterbots/1728339605396_alter_table_public_user_alter_column_is_verified/down.sql (1)

1-1: Verify data integrity and application logic for is_verified column

The SQL statement alters the is_verified column in the public.user table to be NOT NULL. This change enforces data integrity by ensuring every user record has a value for is_verified. However, please consider the following points:

  1. Existing Data: Ensure there are no null values in the is_verified column before applying this migration. If null values exist, they need to be updated first.

  2. Application Logic: Verify that all code paths in the application that create or update user records set a value for is_verified.

  3. Rollback Strategy: As this is a 'down' migration, it's reverting the column to be non-nullable. Ensure this aligns with your rollback strategy and doesn't conflict with application expectations.

To check for existing null values and verify the current state of the column, you can run the following script:

This script will show the count of null values (if any) and display the current table structure.

apps/hasura/migrations/masterbots/1728339605396_alter_table_public_user_alter_column_is_verified/up.sql (1)

1-1: Clarify the implications of making is_verified nullable

The change to drop the NOT NULL constraint on the is_verified column in the public.user table could have significant implications:

  1. It may impact data integrity if the application logic relies on this column always having a value.
  2. Existing queries or application code might need updates to handle potential NULL values.
  3. This could affect the user verification process and potentially have security implications depending on how is_verified is used in the application.

Given that this PR is about password recovery, could you please clarify:

  1. What is the reasoning behind allowing NULL values for is_verified?
  2. How will this change be reflected in the application logic, especially in terms of user verification and authentication processes?
  3. Are there any security considerations that need to be addressed with this change?
  4. Will existing queries and application code be updated to handle potential NULL values?

To help assess the impact, let's check for usage of is_verified in the codebase:

This will help us understand where updates might be needed to accommodate the new nullable status of is_verified.

✅ Verification successful

Confirmed: Making is_verified nullable does not impact application code.

  • The is_verified column is only altered in migration SQL files.
  • No usage found in TypeScript/JavaScript files.
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for usage of 'is_verified' in SQL files and TypeScript/JavaScript files
echo "SQL usage:"
rg --type sql "is_verified"
echo "TypeScript/JavaScript usage:"
rg --type ts --type js "is_verified"

Length of output: 842

apps/hasura/metadata/databases/masterbots/tables/public_user_token.yaml (4)

1-3: LGTM: Table definition is clear and follows conventions.

The table name user_token in the public schema is appropriate for storing user tokens, which aligns with the password recovery feature being implemented.


8-10: LGTM: user relationship is well-defined.

The relationship is correctly set up using a foreign key constraint on the user_id field, ensuring referential integrity.

Please verify that the referenced user table exists and has a matching primary key. Run the following script to check:

#!/bin/bash
# Description: Verify the existence of the 'user' table and its primary key

# Test: Check for the 'user' table definition
rg --type yaml 'name: user' apps/hasura/metadata/databases/masterbots/tables/

# Test: Check for a primary key in the 'user' table (assuming it's defined in a SQL migration)
rg --type sql 'CREATE TABLE.*user' apps/hasura/migrations/
rg --type sql 'PRIMARY KEY.*user' apps/hasura/migrations/

1-10: Consider additional columns for the user_token table.

The current structure looks good for basic token management. However, for a robust password recovery system, consider adding the following columns if they're not already present:

  1. created_at: Timestamp for when the token was created.
  2. expires_at: Timestamp for token expiration.
  3. is_used: Boolean flag to mark if the token has been used.

These additions would enhance security and provide better control over token lifecycle.

To verify the complete table structure, please run the following script:

#!/bin/bash
# Description: Retrieve the complete structure of the user_token table

# Test: Find and display the SQL migration that creates the user_token table
rg --type sql 'CREATE TABLE.*user_token' apps/hasura/migrations/

Could you please confirm if these columns are present in the actual table definition?


5-7: LGTM: tokenByToken relationship is well-defined.

The relationship is correctly set up using a foreign key constraint on the token field, ensuring referential integrity.

Please verify that the referenced token table exists and has a matching primary key. Run the following script to check:

✅ Verification successful

Verified: tokenByToken relationship is correctly defined.

The token table exists with the necessary primary key constraints, and the foreign key relationship in user_token is properly set up, ensuring referential integrity.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the existence of the 'token' table and its primary key

# Test: Check for the 'token' table definition
rg --type yaml 'name: token' apps/hasura/metadata/databases/masterbots/tables/

# Test: Check for a primary key in the 'token' table (assuming it's defined in a SQL migration)
rg --type sql 'CREATE TABLE.*token' apps/hasura/migrations/
rg --type sql 'PRIMARY KEY.*token' apps/hasura/migrations/

Length of output: 801


Script:

#!/bin/bash
# Description: Verify the existence of the 'token' table by searching for its references

# Search for any CREATE TABLE statements for 'token'
rg --type sql 'CREATE TABLE.*\btoken\b' apps/hasura/migrations/

# Search for FOREIGN KEY references to 'token' table in SQL migrations
rg --type sql 'FOREIGN KEY.*REFERENCES\s+"public"\."token"' apps/hasura/migrations/

# Search for YAML definitions that might reference the 'token' table indirectly
rg --type yaml 'foreign_key_constraint_on: token' apps/hasura/metadata/databases/masterbots/tables/

Length of output: 1609

apps/hasura/metadata/databases/masterbots/tables/public_token.yaml (1)

4-11: LGTM! Please clarify the purpose of the user_token table.

The array relationship userTokens is well-defined and correctly uses a foreign key constraint. This setup allows for a many-to-many relationship between users and tokens, which is a common pattern in authentication systems.

However, to ensure this design aligns with the intended functionality:

  1. Could you please clarify the purpose of the user_token table?
  2. How does it differ from the token table we're defining here?

This information will help validate that the relationship structure supports the password recovery feature effectively.

To better understand the table structure, let's examine the user_token table definition:

✅ Verification successful

To gain a more comprehensive understanding of the user_token table structure and purpose, we need to retrieve its complete definition. Let's run a script to fetch this information.


It seems our previous script encountered an error due to the newline character in the regex pattern. Let's adjust our approach and try again with a modified script.


It seems our modified script didn't find the user_token table definition. Let's broaden our search to find any mentions of "user_token" in the YAML files. This will help us understand if the table is defined differently or if there are any references to it.


The userTokens relationship is correct and serves an important purpose in the authentication system.

The user_token table acts as a junction table, establishing a many-to-many relationship between users and tokens. This design allows for flexible token management, where:

  1. A user can have multiple tokens (e.g., for different devices or sessions).
  2. A token can potentially be associated with multiple users (although this is less common in typical authentication systems).

The relationship defined in public_token.yaml is consistent with this structure, allowing the system to retrieve all user tokens associated with a particular token.

Key points about the user_token table:

  • It's defined in the public schema.
  • It has a relationship with both the user and token tables.
  • It likely contains columns for id (primary key), user_id (foreign key to user table), and token (foreign key to token table).

This structure supports various authentication scenarios, such as:

  • Managing multiple active sessions for a user
  • Implementing token-based authentication for API access
  • Handling password reset or email verification tokens

The relationship you've defined is well-structured and appropriate for the password recovery feature, as it allows the system to efficiently link tokens to users during the recovery process.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Retrieve the user_token table definition
# Expected result: YAML definition of the user_token table

fd -e yaml -x cat {} \; | rg -A 20 'name: user_token'

Length of output: 1549


Script:

#!/bin/bash
# Description: Retrieve the complete user_token table definition
# Expected result: Detailed YAML definition of the user_token table, including columns and constraints

fd -e yaml -x cat {} \; | rg -A 50 'name: user_token\n  schema: public$'

Length of output: 269


Script:

#!/bin/bash
# Description: Retrieve the complete user_token table definition (modified approach)
# Expected result: Detailed YAML definition of the user_token table, including columns and constraints

fd -e yaml -x cat {} \; | rg -A 50 'name: user_token\s+schema: public$'

Length of output: 76


Script:

#!/bin/bash
# Description: Search for any mentions of "user_token" in YAML files
# Expected result: Any content related to user_token table or references to it

fd -e yaml -x cat {} \; | rg -i 'user_token' -C 5

Length of output: 850

apps/hasura/migrations/masterbots/1728339569387_alter_table_public_user_drop_column_resetTokenExpiry/down.sql (2)

3-3: Verify the migration sequence

The sequence of operations in this migration is unusual for a "down" migration:

  1. Altering an existing column to drop NOT NULL
  2. Adding a new column with the same name

This suggests that the migration might be attempting to revert changes made in an "up" migration. However, the order and nature of these operations might not correctly revert the changes.

Please review and confirm:

  1. Is this the intended sequence of operations for the "down" migration?
  2. Does this correctly revert the changes made in the corresponding "up" migration?
  3. Should the operations be in reverse order, or is a different approach needed to correctly revert the changes?

To help verify the migration, you can run the following script to check the corresponding "up" migration:

✅ Verification successful

Migration sequence is correct

The down.sql migration appropriately adds the resetTokenExpiry column, reverting the up.sql migration which removes it.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Find and display the content of the corresponding "up" migration
up_migration=$(find ./apps/hasura/migrations/masterbots -name "1728339569387_alter_table_public_user_drop_column_resetTokenExpiry" -type d)
if [ -n "$up_migration" ]; then
    echo "Content of the corresponding up.sql:"
    cat "$up_migration/up.sql"
else
    echo "Corresponding up migration not found."
fi

Length of output: 625


2-2: Verify the intention of dropping NOT NULL constraint

Dropping the NOT NULL constraint on the "resetTokenExpiry" column allows it to accept NULL values. This change might have implications for the application logic that depends on this column.

Please confirm:

  1. Is this change intentional?
  2. Has the application logic been updated to handle potential NULL values in this column?
  3. Are there any existing queries or constraints that might be affected by this change?

To help verify the impact, you can run the following script to check for usage of this column:

✅ Verification successful

NOT NULL Constraint Dropped Successfully

The NOT NULL constraint on the "resetTokenExpiry" column has been removed. Current application code consistently assigns non-null values to this field, minimizing potential issues.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for usage of resetTokenExpiry in SQL files and application code
echo "Searching for resetTokenExpiry usage in SQL files:"
rg --type sql "resetTokenExpiry" ./apps/hasura

echo "\nSearching for resetTokenExpiry usage in application code:"
rg --type-not sql "resetTokenExpiry" ./apps

Length of output: 1702


Script:

#!/bin/bash
# Search for assignments of NULL to resetTokenExpiry in application code
echo "Searching for assignments of NULL to resetTokenExpiry in application code:"
rg 'resetTokenExpiry\s*=\s*null' ./apps

Length of output: 200


Script:

#!/bin/bash
# Search for all assignments to resetTokenExpiry in application code
echo "Searching for all assignments to resetTokenExpiry in application code:"
rg 'resetTokenExpiry\s*=' ./apps

Length of output: 321

apps/masterbots.ai/app/auth/forgot-password/page.tsx (2)

1-1: LGTM: Import statement is correct and follows best practices.

The import statement correctly uses the @ alias for the project root, which is a common practice in Next.js projects. The imported component name matches its usage in the render method.


3-10: LGTM: Component structure and implementation are well-designed.

The ForgotPasswordPage component is well-structured and follows React best practices:

  • It's a functional component using the default export.
  • The naming convention (PascalCase) is correct for React components.
  • The component is focused on layout, delegating form handling to the ForgotPasswordForm component.

This separation of concerns enhances maintainability and reusability.

apps/masterbots.ai/app/auth/reset-password/page.tsx (1)

1-2: LGTM: Imports are correct and appropriate.

The import statements are well-structured, importing only the necessary components. The use of Suspense from React is a good practice for handling asynchronous loading states.

apps/hasura/metadata/databases/masterbots/tables/tables.yaml (1)

17-21: Significant changes to database schema detected. Verify impact on application functionality.

The changes in this file indicate a major restructuring of the database schema:

  1. Multiple table definitions have been removed, including those for categories, chats, chatbots, messages, prompts, and other core entities.
  2. New tables for token and user_token have been added, which aligns with the implementation of password recovery functionality.

While these changes support the new password recovery feature, the removal of so many table definitions raises concerns:

Please verify that:

  1. The removed tables are no longer needed or have been moved elsewhere.
  2. All affected parts of the application have been updated to reflect these schema changes.
  3. There are no unintended consequences on existing features due to the removal of these tables.

Run the following script to check for any remaining references to the removed tables:

This script will help identify any lingering references to the removed tables, which may need to be addressed.

Consider documenting these significant schema changes, including the rationale behind removing so many tables and how it affects the overall architecture of the application. This documentation will be valuable for future maintenance and onboarding of new developers.

apps/masterbots.ai/components/auth/forgot-password-form.tsx (2)

1-9: LGTM: Imports and component declaration are correct.

The 'use client' directive, imports, and component declaration are all properly implemented. The necessary UI components and hooks are imported, and the component is correctly exported as default.


10-11: LGTM: State management is implemented correctly.

The component uses appropriate state management with useState for both the email input and loading state. The initial values are set correctly.

Taskfile.yml (4)

39-41: LGTM! Consistent use of docker compose.

The update to docker compose syntax is correct and consistent with other tasks.


44-46: LGTM! Consistent use of docker compose.

The update to docker compose syntax is correct and consistent with other tasks.


49-52: LGTM! Enhanced security for migration operations.

The addition of --admin-secret parameters for both migrate and metadata commands improves security. Consistently using the environment variable for the admin secret is a good practice.


34-36: LGTM! Consistent security improvement.

The addition of the --admin-secret parameter to the seed command enhances security and maintains consistency with other tasks.

apps/masterbots.ai/components/auth/signin-form.tsx (3)

9-9: LGTM: New import for Next.js Link component.

The addition of the Link import from 'next/link' is appropriate for implementing client-side navigation in a Next.js application.


42-44: LGTM: Improved formatting for email label.

The reformatting of the Label component improves code readability without affecting functionality.


54-57: LGTM: Improved formatting for password label and input.

The reformatting of the Label and Input components for the password field improves code readability and consistency without affecting functionality.

apps/hasura/metadata/databases/masterbots/tables/public_user.yaml (1)

47-53: LGTM! Verify the existence of the user_token table.

The addition of the userTokens relationship looks good and aligns with the PR objective of creating a password recovery feature. This relationship will allow querying user tokens associated with a user, which is essential for password reset functionality.

To ensure the user_token table exists and has the correct structure, run the following script:

This script will confirm that the user_token table exists and display its structure, allowing us to verify that it has the necessary user_id column for the foreign key relationship.

apps/masterbots.ai/components/auth/reset-password-form.tsx (1)

1-14: LGTM: Imports and component declaration are well-structured.

The 'use client' directive is correctly used, and all necessary imports are present. The component declaration with the token prop is appropriate for the password reset functionality.

apps/masterbots.ai/package.json (3)

64-64: LGTM: Addition of nodemailer dependency

The addition of the nodemailer package is appropriate for implementing email functionality, which is likely needed for the password recovery feature mentioned in the PR objectives. The version ^6.9.15 is recent and allows for compatible updates.


86-86: LGTM: Addition of @types/nodemailer dev dependency

The addition of @types/nodemailer as a dev dependency is a good practice for TypeScript projects. It provides type definitions for the nodemailer package, enhancing type safety and improving the development experience. The version ^6.4.16 is appropriate and allows for compatible updates.


64-64: Summary: Appropriate dependencies added for email functionality

The additions of nodemailer and @types/nodemailer are well-aligned with the PR objective of creating a password recovery feature. These changes:

  1. Introduce email sending capabilities with nodemailer.
  2. Provide TypeScript type support for nodemailer with @types/nodemailer.

The versions used are recent and allow for compatible updates. These minimal changes focus on the task at hand without introducing any apparent conflicts or security issues.

Also applies to: 86-86

apps/masterbots.ai/app/api/auth/forgot-password/route.ts (2)

31-37: Good practice in preventing user enumeration

Returning a generic success message when a user is not found prevents attackers from determining if an email address is registered. This is a solid security practice to mitigate user enumeration attacks.


84-84: Handle potential errors when sending the password reset email

While the sendPasswordResetEmail function is awaited, any errors it throws will be caught by the catch block. Ensure that this function properly handles potential exceptions (e.g., email service failures) and provides meaningful error messages without exposing sensitive information.

To confirm that sendPasswordResetEmail handles errors appropriately, you can review its implementation.

apps/masterbots.ai/app/api/auth/reset-password/route.ts (1)

51-52: Use asynchronous bcrypt functions efficiently

While using bcryptjs, it's more efficient to use the synchronous version of genSalt when hashing passwords asynchronously.

Modify the salt generation to be synchronous since you're already using await with bcryptjs.hash:

Apply this diff:

51|     const salt = await bcryptjs.genSalt(10)
-52|     const hashedPassword = await bcryptjs.hash(password, salt)
+52|     const hashedPassword = await bcryptjs.hash(password, salt)

Correction: Upon further review, both genSalt and hash methods are already appropriately used with await. No change is necessary here.

apps/masterbots.ai/lib/email.ts (1)

48-48: Ensure the 'from' email address is correctly configured

The from field uses process.env.EMAIL_FROM. Please verify that this environment variable is set correctly across all environments to avoid issues with email delivery.

Run the following script to check if EMAIL_FROM is defined in your environment configuration files:
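
Added example, separate from the review comment above and not the project's code: the reset-token lifecycle the review asks for (a named expiry constant, `created_at` / `expires_at` / `is_used` fields, and one generic response whether or not the address is registered), run against an in-memory store. `ResetStore`, `requestReset`, `redeemReset` and the choice to store only a SHA-256 hash of the token are assumptions made for illustration.

```typescript
import { createHash, randomBytes } from 'node:crypto'

// Every name here is constructed for the example; none is the project's code.
const TOKEN_EXPIRY_MS = 60 * 60 * 1000 // 1 hour, the lifetime quoted in the review

interface ResetTokenRow {
  userId: string
  createdAt: number // epoch ms
  expiresAt: number // epoch ms
  isUsed: boolean
}

interface ApiResult {
  status: number
  body: Record<string, string>
}

// In-memory stand-in for the user, token and user_token tables.
class ResetStore {
  users = new Map<string, string>() // email -> user id
  tokens = new Map<string, ResetTokenRow>() // SHA-256(token) -> row
}

// Assumption: only a hash of the token is stored, so a leaked table
// does not hand out working reset links.
function sha256(value: string): string {
  return createHash('sha256').update(value).digest('hex')
}

// Same status and body whether or not the address is registered.
const REQUEST_ACCEPTED: ApiResult = {
  status: 200,
  body: { message: 'If an account exists for that address, a reset link was sent.' }
}

// One response for unknown, expired and already-used tokens.
const TOKEN_REJECTED: ApiResult = {
  status: 400,
  body: { error: 'Invalid or expired token' }
}

function requestReset(
  store: ResetStore,
  email: string,
  now: number,
  sendMail: (to: string, rawToken: string) => void
): ApiResult {
  const address = email.trim().toLowerCase()
  const userId = store.users.get(address)
  if (userId === undefined) return REQUEST_ACCEPTED // no hint that the user is missing

  const rawToken = randomBytes(32).toString('hex') // 256 bits from the CSPRNG
  store.tokens.set(sha256(rawToken), {
    userId,
    createdAt: now,
    expiresAt: now + TOKEN_EXPIRY_MS,
    isUsed: false
  })
  // A real handler would queue the mail so response time does not differ either.
  sendMail(address, rawToken)
  return REQUEST_ACCEPTED
}

function redeemReset(
  store: ResetStore,
  rawToken: string,
  now: number
): { result: ApiResult; userId: string | null } {
  const row = store.tokens.get(sha256(rawToken))
  if (row === undefined || row.isUsed || now >= row.expiresAt) {
    return { result: TOKEN_REJECTED, userId: null }
  }
  row.isUsed = true // single use: consume the token before changing the password
  return {
    result: { status: 200, body: { message: 'Password updated' } },
    userId: row.userId
  }
}

// Constructed demo data: a known and an unknown address get identical responses.
const demoStore = new ResetStore()
demoStore.users.set('alice@example.test', 'user-1')
const outbox: string[] = []
const record = (_to: string, rawToken: string): void => {
  outbox.push(rawToken)
}
console.log(requestReset(demoStore, 'alice@example.test', Date.now(), record))
console.log(requestReset(demoStore, 'nobody@example.test', Date.now(), record))
console.log(redeemReset(demoStore, outbox[0] as string, Date.now()).result)
```
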

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 10

🧹 Outside diff range and nitpick comments (11)
apps/masterbots.ai/components/shared/password-strength-meter.tsx (4)

1-2: LGTM! Consider using named import for React.

The imports look good and promote code reusability by leveraging utility functions. However, you might consider using a named import for React if you're not using default import elsewhere.

You could update the React import like this:

-import React from 'react';
+import { FC } from 'react';

This change would require updating the component definition to use FC directly instead of React.FC.


4-6: Add JSDoc comments to the interface.

The interface is clear and concise. To improve documentation, consider adding JSDoc comments.

Here's a suggested improvement:

+/**
+ * Props for the PasswordStrengthMeter component.
+ */
 interface PasswordStrengthMeterProps {
+  /** The password string to evaluate. */
   password: string;
 }

8-29: LGTM! Consider using object destructuring for props.

The component implementation looks good. It effectively uses the utility functions and provides a clear visual representation of password strength. For consistency with modern React practices, consider using object destructuring for props.

Here's a suggested minor improvement:

-const PasswordStrengthMeter: React.FC<PasswordStrengthMeterProps> = ({ password }) => {
+const PasswordStrengthMeter: React.FC<PasswordStrengthMeterProps> = ({ password }) => {
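
Review bot: The removed and added lines are identical, so this suggestion is a no-op; the signature already destructures `{ password }` and needs no change.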

This change makes the component more consistent with modern React practices and improves readability.


31-31: LGTM! Consider using named export for better tree-shaking.

The default export is correct and commonly used. However, for better tree-shaking and more explicit imports, you might consider using a named export.

Here's an alternative approach:

-export default PasswordStrengthMeter;
+export { PasswordStrengthMeter };

This change would require updating the import statements where this component is used, but it can lead to better tree-shaking in larger applications.

apps/masterbots.ai/lib/password.ts (4)

2-11: Good implementation, consider additional security measures.

The calculatePasswordStrength function provides a solid foundation for assessing password strength. It considers important factors such as length and character variety.

To enhance security further, consider these improvements:

  1. Check for common patterns (e.g., '123', 'qwerty') or dictionary words.
  2. Implement a penalty for consecutive repeated characters.
  3. Use a library like zxcvbn for more comprehensive strength calculation.

Example implementation for checking repeated characters:

function hasRepeatedCharacters(password: string): boolean {
  return /(.)\1{2,}/.test(password);
}

// In calculatePasswordStrength:
if (!hasRepeatedCharacters(password)) strength += 1;

13-27: Effective color mapping, consider handling edge cases.

The getPasswordStrengthColor function provides a clear and intuitive color scheme for different password strengths.

Consider handling the edge case of negative strength values:

export function getPasswordStrengthColor(strength: number): string {
  if (strength < 0) {
    return '#EF4444'; // red-500 for invalid strength
  }
  // ... rest of the function remains the same
}

29-43: Clear labeling, ensure consistency with color function.

The getPasswordStrengthLabel function provides clear and appropriate labels for different password strengths.

For consistency with the getPasswordStrengthColor function, consider handling negative strength values:

export function getPasswordStrengthLabel(strength: number): string {
  if (strength < 0) {
    return 'Invalid';
  }
  // ... rest of the function remains the same
}

1-48: Solid implementation of password strength utilities.

This file provides a comprehensive set of functions for assessing and categorizing password strength, which is crucial for the password recovery feature. The implementation is generally well-structured and follows good practices.

Key strengths:

  1. Clear and intuitive strength calculation
  2. Consistent color and label mapping
  3. Easy-to-use strength check function

While there are some minor suggestions for improvements (handling edge cases, additional security checks), the current implementation forms a strong foundation for password-related functionality in the application.

Consider creating a separate configuration file for password policy settings (e.g., minimum length, required character types) to make it easier to adjust the policy in the future without modifying the core logic.

apps/masterbots.ai/lib/utils.ts (2)

Line range hint 36-61: LGTM! Consider enhancing error handling.

The changes to extractBetweenMarkers function improve its flexibility by making the endMarker parameter optional. The logic correctly handles cases where endMarker is not provided, maintaining backward compatibility.

Consider enhancing the error handling by throwing a custom error when the start marker is not found, instead of returning the whole string. This would make the function's behavior more predictable and easier to debug. For example:

if (startIndex === -1) {
  throw new Error('Start marker not found in the string');
}

238-241: LGTM! Consider minor improvements for robustness.

The validateEmail function is a good addition for email validation. The implementation is correct and uses a common regex pattern for email validation.

Consider the following improvements for increased robustness:

  1. Trim the input email to handle leading/trailing whitespace:

export const validateEmail = (email: string) => {
  const re = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/
  return re.test(email.trim())
}

  2. For more comprehensive email validation, you might want to use a more robust regex pattern or consider using a well-maintained email validation library like validator.js.

apps/masterbots.ai/lib/email.ts (1)

18-18: Address the TODO: Update SendGrid configuration

The TODO comment indicates that the SendGrid configuration is temporary and needs to be updated for the chosen email provider. Please ensure the SMTP settings are correctly configured for production to avoid email delivery issues.

Would you like assistance in updating the SendGrid configuration to match your email provider's recommended settings?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 8184f87 and 4f4de8e.

📒 Files selected for processing (9)
  • apps/masterbots.ai/app/api/auth/forgot-password/route.ts (1 hunks)
  • apps/masterbots.ai/app/api/auth/reset-password/route.ts (1 hunks)
  • apps/masterbots.ai/components/auth/forgot-password-form.tsx (1 hunks)
  • apps/masterbots.ai/components/auth/reset-password-form.tsx (1 hunks)
  • apps/masterbots.ai/components/auth/signin-form.tsx (3 hunks)
  • apps/masterbots.ai/components/shared/password-strength-meter.tsx (1 hunks)
  • apps/masterbots.ai/lib/email.ts (1 hunks)
  • apps/masterbots.ai/lib/password.ts (1 hunks)
  • apps/masterbots.ai/lib/utils.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • apps/masterbots.ai/app/api/auth/forgot-password/route.ts
  • apps/masterbots.ai/app/api/auth/reset-password/route.ts
  • apps/masterbots.ai/components/auth/signin-form.tsx
🧰 Additional context used
🔇 Additional comments (4)
apps/masterbots.ai/lib/password.ts (1)

45-48: Well-implemented strength check.

The isPasswordStrong function effectively utilizes the calculatePasswordStrength function and sets a reasonable threshold for strong passwords. The comment clearly explains the requirement.

apps/masterbots.ai/components/auth/forgot-password-form.tsx (2)

1-10: LGTM: Imports and component declaration are well-structured.

The use of the 'use client' directive and the imports are appropriate for the component's functionality. The default export of the component follows React best practices.


1-70: Overall assessment: Well-structured component with room for enhancement.

The ForgotPasswordForm component is generally well-implemented, providing the necessary functionality for password reset requests. However, there are several areas where the component can be improved:

  1. Implement rate limiting to prevent abuse of the password reset functionality.
  2. Enhance error handling and user feedback during the form submission process.
  3. Improve accessibility features for better screen reader support.
  4. Strengthen client-side email validation for a more responsive user experience.

By addressing these points, you can significantly enhance the robustness, security, and user-friendliness of the password reset feature. The suggested improvements align with best practices in React development and web accessibility standards.

apps/masterbots.ai/components/auth/reset-password-form.tsx (1)

1-12: LGTM: Imports and component declaration are well-structured.

The imports cover all necessary dependencies, including UI components and custom utilities. The 'use client' directive is correctly used for client-side rendering, and the component prop is appropriately defined.
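
The strength-check suggestions in the review above (common patterns, a repeated-character penalty, no negative scores), worked through as an added TypeScript example that is not part of the PR or the review. `scorePassword`, its weights, the threshold and the short fragment list are assumptions, since the body of the PR's `calculatePasswordStrength` is not shown here.

```typescript
// Added example. Function names, weights, the threshold and the fragment list
// are assumptions; they are not taken from apps/masterbots.ai/lib/password.ts.

// Constructed sample list. A real deployment would check a much larger list.
const COMMON_FRAGMENTS: readonly string[] = [
  'password', 'qwerty', 'letmein', 'admin', 'welcome', 'iloveyou'
];

// Substitutions undone before the common-fragment lookup (assumed mapping).
const LEET: Record<string, string> = {
  '@': 'a', '4': 'a', '0': 'o', '1': 'i', '!': 'i',
  '3': 'e', '$': 's', '5': 's', '7': 't'
};

const STRONG_THRESHOLD = 4; // assumed cut-off for "strong"

interface StrengthResult {
  score: number;      // clamped to 0..5, so callers never see a negative value
  findings: string[]; // why points were withheld or deducted
}

// The check proposed in the review: one character three or more times in a row.
function hasRepeatedCharacters(password: string): boolean {
  return /(.)\1{2,}/.test(password);
}

function isAlnumCode(code: number): boolean {
  return (code >= 48 && code <= 57) || (code >= 97 && code <= 122);
}

// Ascending or descending runs of letters or digits, e.g. "123", "abc", "cba".
function hasSequentialRun(password: string, runLength = 3): boolean {
  const lower = password.toLowerCase();
  let up = 1;
  let down = 1;
  for (let i = 1; i < lower.length; i++) {
    const prev = lower.charCodeAt(i - 1);
    const cur = lower.charCodeAt(i);
    const both = isAlnumCode(prev) && isAlnumCode(cur);
    up = both && cur - prev === 1 ? up + 1 : 1;
    down = both && prev - cur === 1 ? down + 1 : 1;
    if (up >= runLength || down >= runLength) return true;
  }
  return false;
}

// Returns the first common fragment found after undoing simple substitutions.
function findCommonFragment(password: string): string | null {
  const normalized = password
    .toLowerCase()
    .replace(/[@40!13$57]/g, (ch) => LEET[ch] ?? ch);
  for (const fragment of COMMON_FRAGMENTS) {
    if (normalized.includes(fragment)) return fragment;
  }
  return null;
}

function scorePassword(password: string): StrengthResult {
  const findings: string[] = [];
  let score = 0;

  // Length: one point at 8 characters, a second at 12.
  if (password.length >= 8) score += 1;
  else findings.push('shorter than 8 characters');
  if (password.length >= 12) score += 1;

  // Character variety: one point each for the 2nd, 3rd and 4th class present.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  score += Math.max(0, classes - 1);
  if (classes < 3) findings.push('fewer than 3 character classes');

  // Penalties from the review's list.
  if (hasRepeatedCharacters(password)) { score -= 1; findings.push('repeated characters'); }
  if (hasSequentialRun(password)) { score -= 1; findings.push('sequential run'); }

  // A known-common fragment caps the score regardless of length or variety.
  const fragment = findCommonFragment(password);
  if (fragment !== null) {
    score = Math.min(score, 1);
    findings.push(`contains common password "${fragment}"`);
  }

  return { score: Math.max(0, Math.min(5, score)), findings };
}

function isPasswordStrong(password: string): boolean {
  return scorePassword(password).score >= STRONG_THRESHOLD;
}
```

A meter like this is advisory in the browser; for the policy to be enforced, the same check has to run again in the reset-password route before the new password is stored.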


@AndlerRL AndlerRL left a comment


Excellent work! 🚀 The additional functionality to verify PW strength and the UX improvements look very good, and the functionality looks good too 😄 I did notice, though, a few improvements that we can make before doing the merge. After those updates, we are good to go!


Bran18 commented Oct 10, 2024

Excellent work! 🚀 The additional functionality to verify PW strength and the UX improvements look very good, and the functionality looks good too 😄 I did notice, though, a few improvements that we can make before doing the merge. After those updates, we are good to go!

Thanks @AndlerRL, all suggestions are done 🚀

@AndlerRL AndlerRL merged commit af10a55 into develop Oct 10, 2024
2 checks passed
@AndlerRL AndlerRL deleted the feat-password-recovery branch October 10, 2024 19:36

AndlerRL added a commit that referenced this pull request Oct 31, 2024
* devops: force deploy

* devops: trigger automated build

* devops: trigger automated build

* devops: trigger automated build

* devops: trigger automated build

* devops: trigger automated build

* devops: trigger automated build

* devops: trigger automated build

* impr(masterbots.ai): add return to browse on bot thread page view (#204)

* ✨ Added back button to thread details page

* ⚡️  changed char to svg

* feat: ai gen 404 image for custom 404 error page  (#210)

* ⚡️ added custom  error page

* ⚡️  clean up

* fix(masterbots.ai): terms page visibility and access

* feat(masterbots.ai): consistent og image style design and dynamic metadata  (#215)

* feat: added og api endpoint

* feat: design og image for dark mode

* fix: file formated

* fix: amend  og image to pick current theme color and adapt

* feat: added custom metadata to thread page

* feat: added custom metadata to bot page

* fix: clean up

* fix: move bg to a component

* fix: move og-image design  to a component

* fix: use variable for URL

* fix: to slug func

* ⚡️ Move and clean up UrlToSlug

* fix(masterbots.ai): zod dependecy

* fix: type error

* fix: type error for metadata

* fix: clean and build fix

---------

Co-authored-by: Roberto Lucas <[email protected]>

* fix(masterbots.ai): OG not redering   (#224)

* fix: og to render first letter of username if there's no avatar

* fix: clean up

* fix: clean up

* fix(masterbots.ai): share function (#225)

* feat: create action.ts

* fix: upt share button

* fix: add axios module

* fix: add resend module

* fix: update vercel env config

* fix: split share function

* fix: update share component

* [coderabbitai] style: upt thread-user-actions condition

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* feat(hasura): update user db schema for pro users (#227)

* feat: add get_free_month column to user table

* feat: create referral table

* feat: add is_blocked column to user table

* feat: add pro_user_subscription_id  column to user table

* fix: upt metadata

* fix: update relationship name

* feat(hasura): add Ai Model Tracker To Threads (#229)

* feat: create 'models' table AI models

* fix: add 'model' column to 'thread' table with foreign key constraint

* feat: add model_value into models

* [masterbots.ai] feat: multi AI models integration (#228)

* [masterbots.ai]feat:(multimodels-integration)add actions - helpers - routes

* [masterbots.ai]feat:(multimodels-integration)add NextTopLoader

* [masterbots.ai]feat:(multimodels-integration)add NextTopLoaders

* [masterbots.ai]feat:(multimodels-integration)add new chat components

* [masterbots.ai]chore:next version

* [masterbots.ai]feat:(multimodels-integration)update use context

* [masterbots.ai]feat:(multimodels-integration)icons update

* [masterbots.ai]chore:command ui

* [masterbots.ai]refactor:moving chat componets to folder

* [masterbots.ai]feat:env checker

* [masterbots.ai]feat:env guard

* docs: site map diagram

* [masterbots.ai] fix: multi AI models guard (#235)

* fix-guards + dom warning

* fix-rename env var - vercel name

* chore(masterbots.ai): update payment terms & conditions (#233)

* fix: update terms

* fix:  building error

* fix: update terms content

* fix: rm the older part at the bottom

* feat(masterbots.ai): pro subscription payment + wizard (#226)

* feat: added free card

* feat: added animation to the plan card

* feat: added more plan card and referral code link

* fix: clean up

* wip: wizard

* feat: wizard & modal

* feat: plan Design theme and modal Header and Footer

* feat: plan clean up

* update

* clean up

* fix: rm plan comp on browse page

* fix: wizard clean up

* feat: succes & error modal

* feat: loading comp

* feat: added checkout comp

* feat: set up stripe and context

* wip: implementing subscription

* feat: implementing subscription

* feat: payment reciept

* fix: clean up receipt

* fix: modal not showing & shallow routing

* fix: small fix

* fix: receipt comp

* fix: clean up

* fix: shallow rerouting

* feat: check if user has an active subscription

* fix: coderabbit ob

* fix: coderabbit ob

* fix: coderabbit clean up update

* fix: coderabbit clean up update

* fix: coderabbit clean up update

* fix: clean up

* fix: clean up

* fix: page restructuring and status on the receipt

* fix: revamp receipt and structure

* fix: rm unused file

* fix: clean up

* fix: update & clean up

* fix: update

* fix: rm the svg

* fix: revamp formatSystemPrompts

* fix: revamp msg to formatSystemPrompts

* fix:  update

* fix:  refactor the receipt page

* fix: rm public key

* fix: update

* fix: update

* fix: update

* fix: code refactor for error and loading rendering

* ref: calling  secret keys from server

* ref: receipt page and small fix

* fix: rm file

* fix(impr): subs & flow ux + cleanup

* fix(masterbots.ai): OG not redering   (#224)

* fix: og to render first letter of username if there's no avatar

* fix: clean up

* fix: clean up

* fix(masterbots.ai): share function (#225)

* feat: create action.ts

* fix: upt share button

* fix: add axios module

* fix: add resend module

* fix: update vercel env config

* fix: split share function

* fix: update share component

* [coderabbitai] style: upt thread-user-actions condition

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* feat(hasura): update user db schema for pro users (#227)

* feat: add get_free_month column to user table

* feat: create referral table

* feat: add is_blocked column to user table

* feat: add pro_user_subscription_id  column to user table

* fix: upt metadata

* fix: update relationship name

* feat(hasura): add Ai Model Tracker To Threads (#229)

* feat: create 'models' table AI models

* fix: add 'model' column to 'thread' table with foreign key constraint

* feat: add model_value into models

* [masterbots.ai] feat: multi AI models integration (#228)

* [masterbots.ai]feat:(multimodels-integration)add actions - helpers - routes

* [masterbots.ai]feat:(multimodels-integration)add NextTopLoader

* [masterbots.ai]feat:(multimodels-integration)add NextTopLoaders

* [masterbots.ai]feat:(multimodels-integration)add new chat components

* [masterbots.ai]chore:next version

* [masterbots.ai]feat:(multimodels-integration)update use context

* [masterbots.ai]feat:(multimodels-integration)icons update

* [masterbots.ai]chore:command ui

* [masterbots.ai]refactor:moving chat componets to folder

* [masterbots.ai]feat:env checker

* [masterbots.ai]feat:env guard

* docs: site map diagram

* feat: set up stripe and context

* wip: implementing subscription

* fix: rm the svg

* fix: replace secret with variable

* fix: chat restructure

* fix(update): chat restructure

* fix(deployment error): can't find an  icon or not exported

* fix: deployment issues

* fix: deployment issues

* fix: deployment issues

* fix: adjust design

* fix: clean up

* fix: clean up

* fix: color var updaye

* [coderabbitai] impr: update apps/masterbots.ai/components/stripe-element.tsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* [coderabitai] impr: update apps/masterbots.ai/components/succes-content.tsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix: success close button

* fix: bg image for yearly card

* fix: move func to util

* ref: receipt page function to use reac-use

* fix: move depencies to the app

* fix: clean up

* ref: wizard to use radix dialog components

* update

* fix: coderabitai update

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: Nathanael Liu <[email protected]>
Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Brandon Fernández <[email protected]>

* [masterbots.ai] fix: llama3 models  (#236)

* fix-guards + dom warning

* fix-rename env var - vercel name

* fix-changed PERPLEXITY-LLama model

* [masterbots.ai] impr(fix): ui tweaks (#237)

* fix(UI):varius UI fixes

* fix(UI):varius UI fixes

* fix(UI): Tailwind class corrections, conflict resolution, text alignent to the left

* fix(UI):update

* fix(masterbots.ai): payment feedbacks (#240)

* fix: make the dialog content responsive

* fix: free plan card adjusted

* fix: update

* fix: update receipt styles

* fix: build error

* fix: build error

* fix: build error update

* fix: update

* fix: observation

* fix(masterbots.ai): update env variable (#244)

* feat: sitemap (#238)

* feat: add redirection rules

* fix: update all links with new shorten urls

* fix: update all links with new shorten urls

* feat: make folder structure according to sitemap

* [coderabbitai] impr(masterbots.ai): update app/c/page.tsx error handling

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* [coderabbitai] impr(masterbots.ai): update app/c/[category]/[chatbot]/page.tsx error handling

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix: build error

* [coderabbitai] impr(masterbots.ai): update app/c/[category]/[chatbot]/page.tsx error handling

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* feat: add sitemap and metagraph

* fix: use original generateMetadata

* fix: update page links

* fix: show only filtered threads on page reload

* fix: build error

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(masterbots.ai): show first question & answer in thread list (#246)

* feat: add 'disabled' state to ChatAccordion

* fix: show default question's answer in thread list

* fix: use braces and create explicit statement blocks

* fix: subscription mobile responsive tweaks (#245)

* update

* fix: update

* fix: responsiveness

* fix: update

* fix: few clean up

* fix: rm unused image

* fix: rm unused image

* fix(impr): models enum table migrations (#247)

* impr(hasura): db tables

* impr(hasura): db tables

* fix(hasura): user permissions

* impr(hasura): sql models enum migration

* fix(hasura): models_enum pk

* fix(hasura): ci/cd default regional log bucket

* docs: bun to requirements (#250)

Co-authored-by: b <b>

* feat: next auth, email/pw strategy (#249)

* (masterbots.ia)-chore-auth-dependencies

* (masterbots.ia)-feat-webauth-nextauth

* wip(masterbots.ai): email/pw login + signup

* feat-login ui

* feat-login-component+page

* feat-login-component+page

* feat-auth-middleware.ts

* feat-auth-nextauth + googleauth

* feat-auth-coderabit-feedback

* feat-auth-callback + elements added

* wip(webapp): email/pw login+signup

* feat:add toke storage for webauth

* feat:updates webauth

* feat:updates webauth

* fix(masterbots.ai): blankBot fetch

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: Roberto Romero Lucas <[email protected]>

* docs: mb sytem diagram v1.0a

* feat(impr): next auth environment helper function (#251)

* (masterbots.ia)-chore-auth-dependencies

* (masterbots.ia)-feat-webauth-nextauth

* wip(masterbots.ai): email/pw login + signup

* feat-login ui

* feat-login-component+page

* feat-login-component+page

* feat-auth-middleware.ts

* feat-auth-nextauth + googleauth

* feat-auth-coderabit-feedback

* feat-auth-callback + elements added

* wip(webapp): email/pw login+signup

* feat:add toke storage for webauth

* feat:updates webauth

* feat:updates webauth

* fix(masterbots.ai): blankBot fetch

* feat:protecting env

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: Roberto Romero Lucas <[email protected]>

* impr(masterbots.ai): sign up form + sign in session data

* docs: claude3 project knowledge docs

* fix(masterbots.ai): devMode conditional

* chore(masterbots.ai): rm console.log

* chore: upt default hardcoded gpt model

* fix: toSlug imports

* fix: typo

* fix(hasura): seeds

* chore(impr): MB seeds update and upgrade (#253)

* wip: upt seeds

* chore: rm alter and table creations

* chore(impr): MB seeds update and upgrade

* fix: set thread to private by default

* fix: prompt row typo

* chore(hasura): seeds update default thread publicity

* fix(masterbots.ai): adjust arrow direction in thread list (#255)

* feat(impr): Vercel AI SDK Update (#256)

* chore:ai version upt

* chore:ai version upt

* upt-ai delete

* upt-ai versions

* upt-sdk-actions

* upt-complete-sdk-3.3 + dev notes

* upt-@anthropic-ai/sdk + MessageParam

* Delete apps/masterbots.ai/apps/masterbots.ai/package.json

* Delete apps/masterbots.ai/apps/masterbots.ai/package-lock.json

* impr-convertToCoreMessages ternary

* Leandro/develop (#257)

* chore: create thread-component to avoid to become thread list into a client component

* refactor: remove unnecesary hooks from thread component

* refactor: remove unnecesary hooks on thread componen

* impr(masterbots): components folder structur (#259)

* impr:refactor components folders + names + imports

* hotfix:chat-list useEffect dependency removal

* fix(masterbots): google signIn (#260)

* fix(masterbots.ai): fix thread-component loop (#261)

* fix:(masterbots.ai) add useScroll hook (#263)

* fix:introducing Two-phase scroll

* impr: new hook to handle scrolling

* impr: useScroll + respo

* feat(masterbots.ai): chat sidebar filtering (#264)

* sidebar refactor with ai

* fix: sidebar AI V - Prev Jun (#262)

* fix:semistable

* fix:stable v

* impr:delete nonused component

* fix: upt category filtering

* fix typo

---------

Co-authored-by: Roberto Lucas <[email protected]>

* feat: sidebar state

* fix(masterbots.ai): logic typo

* fix(masterbots.ai): ts typo

---------

Co-authored-by: Jun Dam <[email protected]>
Co-authored-by: Brandon Fernández <[email protected]>

* fix(masterbots.ai): bot button redirect change (#265)

* wip(masterbots.ai): seo data impr (#267)

* wip: seo data impr

* impr(chore): ga tags

* feat: add chat publicity trigger (#258)

* update

* feat: design thread visibilty

* fix: added the backend

* fix: added the backend

* fix: rm files

* fix: few clean up

* fix(masterbots): google signIn (#260)

* feat: design thread visibilty

* fix: added the backend

* fix: few clean up

* Leandro/develop (#257)

* chore: create thread-component to avoid to become thread list into a client component

* refactor: remove unnecesary hooks from thread component

* refactor: remove unnecesary hooks on thread componen

* impr(masterbots): components folder structur (#259)

* impr:refactor components folders + names + imports

* hotfix:chat-list useEffect dependency removal

* feat: design thread visibilty

* fix: added the backend

* fix: few clean up

* fix: update

* fix: add permission

* fix: update query

* fix(masterbots.ai): fix thread-component loop (#261)

* feat: design thread visibilty

* fix: added the backend

* fix: few clean up

* feat: design thread visibilty

* fix: added the backend

* fix: few clean up

* Leandro/develop (#257)

* chore: create thread-component to avoid to become thread list into a client component

* refactor: remove unnecesary hooks from thread component

* refactor: remove unnecesary hooks on thread componen

* impr(masterbots): components folder structur (#259)

* impr:refactor components folders + names + imports

* hotfix:chat-list useEffect dependency removal

* feat: design thread visibilty

* fix: added the backend

* fix: few clean up

* update

* fix: update

* fix: publicity toggle

* fix: error catch in the functions

* fix: observations

* fix: design impr

* fix: thread pop-up height

* chore(masterbots.ai): log rm & app version upt

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: Leandro Gavidia Santamaria <[email protected]>
Co-authored-by: Brandon Fernández <[email protected]>
Co-authored-by: Roberto Lucas <[email protected]>

* feat(masterbots.ai): user messages ai refactor (#266)

* feat:userMessages refactor + hooks and utils

* upt:rm console.log

* fix:rollback useAiChat hook

* fix:rollback - actions

* fix(masterbots.ai): sidebar trigger

* chore(hasura: s

---------

Co-authored-by: Roberto Lucas <[email protected]>

* wip: browse sidebar

* impr(masterbots.ai): browse sidebar (#270)

* fix: browse layout

* feat(masterbots.ai): browse sidebar

* fix: browse sidebar link condition

* chore: upt signup default profile pic

* chore: seeds upt (#269)

* wip: seeds upt

* chore(hasura): seeds review

* feat(hasura): add "is_approved" thread field + seeds

* chore: mb-genql upt

* fix(hasura): thread param permission

* fix(masterbots.ai): typo

* fix(masterbots.ai): allow svg content-type

* fix: chat + browse layout

* style: clean up

* Seo data (#273)

* fix: build error

* feat: Add SEO data to the chat page

* feat: add default image, if not found

* feat: Add SEO data to the browse page

* fix: generates the image with error, in api/og

* Update route.tsx

fix: generates the image with error, in api/og

* impr(masterbots.ai): title impr prompt

* impr(masterbots.ai): improve current features v2 (#274)

* add-impr-chat-prompt-footer-header-disclaimer

* add-impr-chat-prompt-footer-header-disclaimer

* add-UI-upt

* add-UI-upt

* add-action-prompt

* add-clickable-upt

* add-clickable-upt

* Masterbots/fix redirects (#275)

* fix:avatar-redirects

* fix:avatar-redirect

* fix(masterbots.ai): upt components/ui/button.tsx

Coderabbitai suggestion.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix:URL correction

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* [masterbots.ai] feat: wordware api (#276)

* feat: add wordware api + vercel sdk strategy

* feat: add wordware api + vercel sdk

* wordware describe feat

* wordware run + interface

* impr(masterbots.ai): upt /api/wordware/describe/route.ts

coderabbitai code suggestion.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* impr(masterbots.ai): upt /api/wordware/describe/route.ts

coderabbitai code suggestion.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(masterbots.ai): typo /api/wordware/describe/route.ts

coderabbitai code suggestion.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: Roberto Lucas <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* doc: mb system diagram upt

* wip: icl calls integrations

* impr(masterbots.ai): permission for thread & user action mode (#281)

* update

* feat: added permissions & new column

* fix: rm unnessecary files

* fix: rm permission check

* feat(masterbots.ai): create password recovery (#282)

* feat:add-recovery-strategy

* chore:add nodeemailer

* upt:hasura

* upt:hasura

* upt:gmail service

* feat(hasura): otp, token table + junction w/user + mb-genql gen

* feat:add recovery password API

* fix:ai suggestion + UX

* feat:improve ux show password feat

* chore:env sample

* chore:useSetState

* chore:roles

---------

Co-authored-by: Roberto Lucas <[email protected]>

* [masterbots.ai] impr: WW API sanitize and keep alive (#284)

* keep-alive + API sanitize + timeOut guard

* impr streamAndValidateResponse fn

* wip(masterbots.ai): impr createImprovementPrompt

* style(masterbots.ai): chat loading states comments

* feat(masterbots.ai): add admin mode to approve thread (#283)

* feat:added mode toggle and approve btn

* feat: added migration for user role

* feat: user role flow implet

* fix: impr admin approve process

* fix: clean up

* fix: toggle CTA changed

* fix: update

* fix: update

* fix: observ

* fix: obs clean up

* fix: update

* fix: clean up

* impr(masterbots.ai): alpha metadata chatbot labels (#288)

* wip: metadata chatbot labels

* wip(masterbots.ai): chatbot metadata labels

* impr(masterbots.ai): gen chatMetadata

* impr: simplifying prompt defitions + biome.json base config

* impr(masterbots.ai): recursive improved text prompt

* style: code comments + eslint chk

* impr: biome.json config

* fix(masterbots.ai): conflicts typo fix

* style(impr): cleanPrompt + followingQuestionsPrompt relocation & cleanup

* doc: map system (simplified)

* fix(masterbots.ai): sideBar updating URL (#286)

* fix:sideBar updating URL

* feat: coderabbit-ai suggestions

* fix: Implement auto-expanding sidebar categories and chatbot highlighting based on URL

* feat: optimize sidebar navigation with Link

* feat: thread options (#287)

* feat: added verified and label to the options

* usethreadvisibility as context

* feat: added option design  and functions

* fix: clean up

* fix: update

* fix: update

* fix: obsv

* fix: merge and update

* fix: update the delete popup

* fix: observ

* fix: update

* fix: delete thread flow

* update

* fix: update

* fix: types

* fix: chatbot not required

* fix: testing

* fix: rm bun.lock

* fix: clean up

* fix: update

* fix(masterbots.ai): temp freezing next version

---------

Co-authored-by: Roberto Lucas <[email protected]>

* [masterbots.ai] feat: email verification (#289)

* feat: email verification

* feat: email verification

* feat: email verification

* upt:build

* feat: handle error redirection

* chore:cron task

* upt: cron blocking instead erasing

* feat(hasura): create social following table. (#292)

* feat(db): create social following table.

* create user following and followers relationships.

* fix(db): ensure users can only manage their own follow relationships.

* feat(db): social following and user table permissions improvements.

* feat(db): improving social following table with  timestamp and idx.

* impr(db): permissions and tracked object relationships.

* impr(db): avoid self follow.

* chore(masterbots.ai): guard WordWare for prod routing

* [masterbots.ai] fix: public/private tag bg on dark mode  (#294)

* fix: tag bg

* fix: text color

* fix: browse page error

* fix: debugging

* fix: debugging

* fix: debugging

* fix: added func to generate short link

* fix(hasura): upt user permissions (#296)

* update user permission

* fix: reverse the following table

* fix(hasura): build error (#297)

* fix: error build

* fix: reverse select perm

---------

Co-authored-by: Gabo Esquivel <[email protected]>
Co-authored-by: Jimoh sherifdeen <[email protected]>
Co-authored-by: Nathanael Liu <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Brandon Fernández <[email protected]>
Co-authored-by: Anouk Rímola <[email protected]>
Co-authored-by: Trivium <[email protected]>
Co-authored-by: Leandro Gavidia Santamaria <[email protected]>
Co-authored-by: Jun Dam <[email protected]>
Co-authored-by: Luis Carrión <[email protected]>
Co-authored-by: Marco Ledezma <[email protected]>