feat(portal): replace magic-link with email/password + admin-initiated activation
The client portal no longer uses passwordless / magic-link sign-in. Each
client now has a `portal_users` row with a scrypt-hashed password,
created by an admin from the client detail page; the admin's invite
mails an activation link that the client uses to set their own password.
Forgot-password is wired through the same token mechanism.
Schema (migration `0009_outgoing_rumiko_fujikawa.sql`):
- `portal_users` — one per client account, separate from the CRM
`users` table (better-auth) so the auth realms stay isolated. Email
is globally unique, password is null until activation.
- `portal_auth_tokens` — single-use activation / reset tokens. Stores
only the SHA-256 hash so a DB compromise never leaks live tokens.
Services:
- `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps;
uses node:crypto), token mint+hash helpers.
- `src/lib/services/portal-auth.service.ts` — createPortalUser,
resendActivation, activateAccount, signIn (timing-safe),
requestPasswordReset, resetPassword. Auth failures throw the new
UnauthorizedError (401); enumeration-safe behaviour everywhere.
Routes:
- POST /api/portal/auth/sign-in — sets the existing portal JWT cookie.
- POST /api/portal/auth/forgot-password — always 200.
- POST /api/portal/auth/reset-password — token + new password.
- POST /api/portal/auth/activate — token + initial password.
- POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`).
- Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link).
UI:
- /portal/login — replaced email-only magic-link form with email +
password + "forgot password" link.
- /portal/forgot-password, /portal/reset-password, /portal/activate — new.
- New shared `PasswordSetForm` component used by activate + reset.
- New `PortalInviteButton` rendered on the client detail header.
Email send:
- `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are
set (gmail app-password or marina-server creds, configured via env).
- `SMTP_FROM` env var lets the sender address be overridden without
pinning it to `noreply@${SMTP_HOST}`.
Tests:
- Smoke spec 17 (client-portal) updated to the new flow: 7/7 green.
- Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to
match the post-refactor client + invoice forms (drop companyName,
use OwnerPicker + billingEmail).
- Vitest 652/652 still green; type-check clean.
Drops the dead `requestMagicLink` from portal.service.ts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
@@ -2,63 +2,35 @@ import { test, expect } from '@playwright/test';
|
||||
import { PORT_SLUG } from './helpers';
|
||||
|
||||
test.describe('Client Portal', () => {
|
||||
// Test 34: Portal login page is separate from CRM login
|
||||
test('portal login page loads at separate URL', async ({ page }) => {
|
||||
await page.goto('/login');
|
||||
await page.waitForTimeout(1_000);
|
||||
// Test 34: Portal login page renders the email + password form.
|
||||
test('portal login page shows email + password form', async ({ page }) => {
|
||||
await page.context().clearCookies();
|
||||
await page.goto('/portal/login');
|
||||
await page.waitForLoadState('networkidle');
|
||||
|
||||
// The portal login should be at a different path
|
||||
// Try common portal paths
|
||||
const portalPaths = ['/portal/login', '/login?portal=true'];
|
||||
let portalFound = false;
|
||||
|
||||
for (const path of portalPaths) {
|
||||
await page.goto(path);
|
||||
await page.waitForTimeout(1_000);
|
||||
|
||||
// Check if we got a portal-specific login page
|
||||
const portalHeading = page.getByText(/client portal|portal login|access your account/i).first();
|
||||
if (await portalHeading.isVisible({ timeout: 3_000 }).catch(() => false)) {
|
||||
portalFound = true;
|
||||
break;
|
||||
}
|
||||
|
||||
// Check for email-only input (magic link flow)
|
||||
const emailInput = page.locator('#email, input[type="email"], input[placeholder*="email" i]').first();
|
||||
const passwordInput = page.locator('#password, input[type="password"]').first();
|
||||
const hasEmail = await emailInput.isVisible({ timeout: 2_000 }).catch(() => false);
|
||||
const hasPassword = await passwordInput.isVisible({ timeout: 1_000 }).catch(() => false);
|
||||
|
||||
if (hasEmail && !hasPassword) {
|
||||
// Magic link flow — email only, no password
|
||||
portalFound = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
// Portal page should exist at one of the paths
|
||||
expect(portalFound).toBeTruthy();
|
||||
await expect(page.getByText(/client portal/i).first()).toBeVisible({ timeout: 5_000 });
|
||||
await expect(page.locator('#email')).toBeVisible();
|
||||
await expect(page.locator('#password')).toBeVisible();
|
||||
await expect(page.getByRole('button', { name: /^sign in$/i })).toBeVisible();
|
||||
await expect(page.getByRole('link', { name: /forgot password/i })).toBeVisible();
|
||||
});
|
||||
|
||||
// Test 35: Portal authentication via magic link
|
||||
test('portal accepts email for magic link', async ({ page }) => {
|
||||
await page.goto('/portal/login');
|
||||
await page.waitForTimeout(1_000);
|
||||
// Test 35: Portal sign-in with bad credentials returns 401.
|
||||
test('portal sign-in rejects bad credentials with 401', async ({ page }) => {
|
||||
await page.context().clearCookies();
|
||||
const res = await page.request.post('/api/portal/auth/sign-in', {
|
||||
data: { email: 'noone@example.com', password: 'definitelywrong123' },
|
||||
});
|
||||
expect(res.status()).toBe(401);
|
||||
});
|
||||
|
||||
const emailInput = page.locator('input[type="email"], input[placeholder*="email" i], #email').first();
|
||||
if (await emailInput.isVisible({ timeout: 5_000 }).catch(() => false)) {
|
||||
await emailInput.fill('client@example.com');
|
||||
|
||||
const submitBtn = page.getByRole('button', { name: /send|submit|access|login/i }).first();
|
||||
if (await submitBtn.isVisible({ timeout: 3_000 }).catch(() => false)) {
|
||||
await submitBtn.click();
|
||||
await page.waitForTimeout(3_000);
|
||||
|
||||
// Should show a "check your email" confirmation
|
||||
const confirmation = page.getByText(/check your email|link sent|magic link/i).first();
|
||||
await expect(confirmation).toBeVisible({ timeout: 5_000 });
|
||||
}
|
||||
}
|
||||
// Test 35b: Forgot-password endpoint always returns 200 (anti-enumeration).
|
||||
test('portal forgot-password returns 200 for any email', async ({ page }) => {
|
||||
await page.context().clearCookies();
|
||||
const res = await page.request.post('/api/portal/auth/forgot-password', {
|
||||
data: { email: 'unknown@example.com' },
|
||||
});
|
||||
expect(res.status()).toBe(200);
|
||||
});
|
||||
|
||||
// Test 36: Portal shows client-specific data (simulated via API)
|
||||
@@ -91,7 +63,10 @@ test.describe('Client Portal', () => {
|
||||
const url = page.url();
|
||||
const isOnLogin = url.includes('/login');
|
||||
const isOnClients = url.includes('/clients');
|
||||
const hasAuthError = await page.getByText(/authentication required|sign in/i).isVisible({ timeout: 2_000 }).catch(() => false);
|
||||
const hasAuthError = await page
|
||||
.getByText(/authentication required|sign in/i)
|
||||
.isVisible({ timeout: 2_000 })
|
||||
.catch(() => false);
|
||||
|
||||
// If on clients page, it means we still have CRM auth from previous tests — that's expected
|
||||
// The key point is that portal auth (separate JWT) wouldn't grant CRM access
|
||||
|
||||
Reference in New Issue
Block a user