letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(portal): replace magic-link with email/password + admin-initiated activation
All checks were successful
Build & Push Docker Images / lint (pull_request) Successful in 1m0s
Details
Build & Push Docker Images / build-and-push (pull_request) Has been skipped
Details

Browse Source 
The client portal no longer uses passwordless / magic-link sign-in. Each
client now has a `portal_users` row with a scrypt-hashed password,
created by an admin from the client detail page; the admin's invite
mails an activation link that the client uses to set their own password.
Forgot-password is wired through the same token mechanism.

Schema (migration `0009_outgoing_rumiko_fujikawa.sql`):

- `portal_users` — one per client account, separate from the CRM
  `users` table (better-auth) so the auth realms stay isolated. Email
  is globally unique, password is null until activation.
- `portal_auth_tokens` — single-use activation / reset tokens. Stores
  only the SHA-256 hash so a DB compromise never leaks live tokens.

Services:

- `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps;
  uses node:crypto), token mint+hash helpers.
- `src/lib/services/portal-auth.service.ts` — createPortalUser,
  resendActivation, activateAccount, signIn (timing-safe),
  requestPasswordReset, resetPassword. Auth failures throw the new
  UnauthorizedError (401); enumeration-safe behaviour everywhere.

Routes:

- POST /api/portal/auth/sign-in — sets the existing portal JWT cookie.
- POST /api/portal/auth/forgot-password — always 200.
- POST /api/portal/auth/reset-password — token + new password.
- POST /api/portal/auth/activate — token + initial password.
- POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`).
- Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link).

UI:

- /portal/login — replaced email-only magic-link form with email +
  password + "forgot password" link.
- /portal/forgot-password, /portal/reset-password, /portal/activate — new.
- New shared `PasswordSetForm` component used by activate + reset.
- New `PortalInviteButton` rendered on the client detail header.

Email send:

- `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are
  set (gmail app-password or marina-server creds, configured via env).
- `SMTP_FROM` env var lets the sender address be overridden without
  pinning it to `noreply@${SMTP_HOST}`.

Tests:

- Smoke spec 17 (client-portal) updated to the new flow: 7/7 green.
- Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to
  match the post-refactor client + invoice forms (drop companyName,
  use OwnerPicker + billingEmail).
- Vitest 652/652 still green; type-check clean.

Drops the dead `requestMagicLink` from portal.service.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
2026-04-26 15:34:02 +02:00
parent 4da8ed3ae4
commit 475b051e29
33 changed files with 10129 additions and 331 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/components/clients/client-detail-header.tsx
View File

@@ -9,6 +9,7 @@ import { Badge } from '@/components/ui/badge';
import { TagBadge } from '@/components/shared/tag-badge';
import { ArchiveConfirmDialog } from '@/components/shared/archive-confirm-dialog';
import { ClientForm } from '@/components/clients/client-form';
import { PortalInviteButton } from '@/components/clients/portal-invite-button';
import { apiFetch } from '@/lib/api/client';
interface ClientDetailHeaderProps {
@@ -127,6 +128,13 @@ export function ClientDetailHeader({ client }: ClientDetailHeaderProps) {
{/* Actions */}
<div className="flex items-center gap-2">
{!isArchived && (
<PortalInviteButton
clientId={client.id}
clientName={client.fullName}
defaultEmail={primaryEmail?.value}
/>
)}
<Button variant="outline" size="sm" onClick={() => setEditOpen(true)}>
<Pencil className="mr-1.5 h-3.5 w-3.5" />
Edit

154
src/components/clients/portal-invite-button.tsx Normal file
View File

@@ -0,0 +1,154 @@
'use client';
import { useState } from 'react';
import { UserPlus, Loader2, Check } from 'lucide-react';
import { Button } from '@/components/ui/button';
import {
Dialog,
DialogContent,
DialogDescription,
DialogFooter,
DialogHeader,
DialogTitle,
} from '@/components/ui/dialog';
import { Input } from '@/components/ui/input';
import { Label } from '@/components/ui/label';
import { apiFetch } from '@/lib/api/client';
interface PortalInviteButtonProps {
clientId: string;
clientName: string;
defaultEmail?: string;
}
/**
* Admin button on the client detail header that creates a portal user for
* the client and sends them an activation email. Uses the client's primary
* email as the default but lets the admin override.
*/
export function PortalInviteButton({
clientId,
clientName,
defaultEmail,
}: PortalInviteButtonProps) {
const [open, setOpen] = useState(false);
const [email, setEmail] = useState(defaultEmail ?? '');
const [name, setName] = useState(clientName);
const [loading, setLoading] = useState(false);
const [error, setError] = useState('');
const [success, setSuccess] = useState(false);
function reset() {
setEmail(defaultEmail ?? '');
setName(clientName);
setError('');
setSuccess(false);
setLoading(false);
}
async function submit(e: React.FormEvent) {
e.preventDefault();
setLoading(true);
setError('');
try {
await apiFetch(`/api/v1/clients/${clientId}/portal-user`, {
method: 'POST',
body: { email, name },
});
setSuccess(true);
} catch (err) {
setError(err instanceof Error ? err.message : 'Failed to send invitation');
} finally {
setLoading(false);
}
}
return (
<>
<Button
variant="outline"
size="sm"
onClick={() => {
reset();
setOpen(true);
}}
>
<UserPlus className="mr-1.5 h-3.5 w-3.5" />
Invite to portal
</Button>
<Dialog
open={open}
onOpenChange={(o) => {
if (!o) reset();
setOpen(o);
}}
>
<DialogContent className="sm:max-w-md">
<DialogHeader>
<DialogTitle>Invite to client portal</DialogTitle>
<DialogDescription>
We&apos;ll email an activation link. The client picks their own password from there.
</DialogDescription>
</DialogHeader>
{success ? (
<div className="py-4 flex items-center gap-3 text-sm text-green-700">
<Check className="h-5 w-5" />
Activation email sent to <strong>{email}</strong>.
</div>
) : (
<form onSubmit={submit} className="space-y-4 py-2">
<div className="space-y-1.5">
<Label htmlFor="invite-email">Email address</Label>
<Input
id="invite-email"
type="email"
required
autoFocus
value={email}
onChange={(e) => setEmail(e.target.value)}
disabled={loading}
placeholder="client@example.com"
/>
</div>
<div className="space-y-1.5">
<Label htmlFor="invite-name">Display name (optional)</Label>
<Input
id="invite-name"
value={name}
onChange={(e) => setName(e.target.value)}
disabled={loading}
/>
</div>
{error && <p className="text-sm text-destructive">{error}</p>}
</form>
)}
<DialogFooter>
{success ? (
<Button onClick={() => setOpen(false)}>Done</Button>
) : (
<>
<Button type="button" variant="outline" onClick={() => setOpen(false)}>
Cancel
</Button>
<Button onClick={submit} disabled={loading || !email}>
{loading ? (
<>
<Loader2 className="h-4 w-4 mr-2 animate-spin" />
Sending
</>
) : (
'Send invitation'
)}
</Button>
</>
)}
</DialogFooter>
</DialogContent>
</Dialog>
</>
);
}

181
src/components/portal/password-set-form.tsx Normal file
View File

@@ -0,0 +1,181 @@
'use client';
import Link from 'next/link';
import { useSearchParams } from 'next/navigation';
import { useState } from 'react';
import { CheckCircle2, Loader2 } from 'lucide-react';
import { Button } from '@/components/ui/button';
import { Input } from '@/components/ui/input';
import { Label } from '@/components/ui/label';
interface PasswordSetFormProps {
/** API endpoint that accepts `{ token, password }` and sets / resets the password. */
endpoint: string;
title: string;
description: string;
successTitle: string;
successDescription: string;
submitLabel: string;
}
const MIN_LENGTH = 12;
/**
* Shared form used by both the activation and password-reset flows. The
* activation token is read from the `?token=` query string. Empty / missing
* tokens land the user in an explicit error state instead of submitting a
* doomed request.
*/
export function PasswordSetForm({
endpoint,
title,
description,
successTitle,
successDescription,
submitLabel,
}: PasswordSetFormProps) {
const search = useSearchParams();
const token = search.get('token') ?? '';
const [password, setPassword] = useState('');
const [confirm, setConfirm] = useState('');
const [loading, setLoading] = useState(false);
const [error, setError] = useState('');
const [done, setDone] = useState(false);
const tooShort = password.length > 0 && password.length < MIN_LENGTH;
const mismatch = confirm.length > 0 && password !== confirm;
const canSubmit = !!token && password.length >= MIN_LENGTH && password === confirm && !loading;
async function handleSubmit(e: React.FormEvent) {
e.preventDefault();
if (!canSubmit) return;
setLoading(true);
setError('');
try {
const res = await fetch(endpoint, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ token, password }),
});
if (!res.ok) {
const data = await res.json().catch(() => ({}));
setError((data as { error?: string }).error ?? 'Something went wrong. Please try again.');
return;
}
setDone(true);
} catch {
setError('Unable to connect. Please try again.');
} finally {
setLoading(false);
}
}
if (!token) {
return (
<div className="min-h-screen flex items-center justify-center bg-gray-50 px-4">
<div className="w-full max-w-md text-center space-y-3">
<h1 className="text-xl font-semibold text-gray-900">Link is missing or invalid</h1>
<p className="text-sm text-gray-500">
Please use the link from the email we sent you. If the link is broken, request a new
one.
</p>
<Link
href="/portal/forgot-password"
className="inline-block text-sm text-[#1e2844] hover:underline"
>
Request a new link
</Link>
</div>
</div>
);
}
if (done) {
return (
<div className="min-h-screen flex items-center justify-center bg-gray-50 px-4">
<div className="w-full max-w-md text-center">
<div className="inline-flex items-center justify-center w-14 h-14 rounded-full bg-green-50 mb-4">
<CheckCircle2 className="h-7 w-7 text-green-600" />
</div>
<h1 className="text-xl font-semibold text-gray-900 mb-2">{successTitle}</h1>
<p className="text-gray-500 text-sm">{successDescription}</p>
<Link
href="/portal/login"
className="mt-6 inline-block text-sm text-[#1e2844] hover:underline"
>
Sign in
</Link>
</div>
</div>
);
}
return (
<div className="min-h-screen flex items-center justify-center bg-gray-50 px-4">
<div className="w-full max-w-sm">
<div className="bg-white rounded-lg border p-8 shadow-sm">
<div className="mb-6">
<h1 className="text-xl font-semibold text-gray-900">{title}</h1>
<p className="text-sm text-gray-500 mt-1">{description}</p>
</div>
<form onSubmit={handleSubmit} className="space-y-4">
<div className="space-y-1.5">
<Label htmlFor="password">New password</Label>
<Input
id="password"
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
required
autoFocus
autoComplete="new-password"
minLength={MIN_LENGTH}
disabled={loading}
/>
<p className="text-xs text-gray-500">At least {MIN_LENGTH} characters.</p>
{tooShort && (
<p className="text-xs text-red-600">
Password must be at least {MIN_LENGTH} characters.
</p>
)}
</div>
<div className="space-y-1.5">
<Label htmlFor="confirm">Confirm password</Label>
<Input
id="confirm"
type="password"
value={confirm}
onChange={(e) => setConfirm(e.target.value)}
required
autoComplete="new-password"
disabled={loading}
/>
{mismatch && <p className="text-xs text-red-600">Passwords don&apos;t match.</p>}
</div>
{error && <p className="text-sm text-red-600">{error}</p>}
<Button
type="submit"
className="w-full bg-[#1e2844] hover:bg-[#1e2844]/90 text-white"
disabled={!canSubmit}
>
{loading ? (
<>
<Loader2 className="h-4 w-4 mr-2 animate-spin" />
Saving
</>
) : (
submitLabel
)}
</Button>
</form>
</div>
</div>
</div>
);
}