sso login change password send link for email

[mohandholu43]

Summary by CodeRabbit

• New Features
  • Added a new icon to the dashboard featuring a distinctive broken circle check design.
  • Enhanced the password management experience by updating the reset form. Users now receive tailored instructions and feedback based on their Single Sign-On status, ensuring a more intuitive flow for password updates.
  • Improved sign-in process by managing user session states related to Single Sign-On.
• Bug Fixes
  • Ensured that local storage is cleared appropriately during sign-in and logout processes to maintain accurate user session information.

[coderabbitai]

Walkthrough

This pull request introduces a new SVG icon component, BrokenCircleCheckIcon, that renders with a default width, height, and color that adapts when disabled. Additionally, the PasswordForm component in the settings section has been updated to include a new type definition, PasswordFormProps, and a setPasswordMutation for password reset functionality. The component now distinguishes between users logged in via Single Sign-On (SSO) and those who are not. The SettingsPage has also been modified to pass the user’s email to PasswordForm, enabling the updated password management flow.

Changes

File(s)	Change Summary
app/.../Icons/BrokenCircleCheckIcon.tsx	Added a new functional component that renders an SVG icon with customizable color based on the disabled prop.
app/.../PasswordForm.tsx, app/.../page.tsx	Updated PasswordForm with a new PasswordFormProps type and integrated a setPasswordMutation for password reset; added conditional logic for SSO vs non-SSO flows; modified SettingsPage to supply the user’s email.
app/.../SigninPage.tsx	Modified handleSignInSuccess to remove "loggedInUsingSSO" from local storage upon successful sign-in.
app/.../idp-auth/page.tsx	Added a line in handleSignIn to set "loggedInUsingSSO" in local storage after successful sign-in.
src/hooks/useLogout.js	Added a line in handleLogout to remove "loggedInUsingSSO" from local storage during logout.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant PasswordForm
    participant API
    Note over PasswordForm: On form submission, determine authentication method
    alt Non-SSO Flow
        User->>PasswordForm: Enter current, new, confirm password
        PasswordForm->>API: Execute password update mutation with credentials
        API-->>PasswordForm: Return success/error response
        PasswordForm->>User: Display update result
    else SSO Flow
        User->>PasswordForm: Initiate password setup
        PasswordForm->>API: Execute setPasswordMutation with email
        API-->>PasswordForm: Return success response
        PasswordForm->>User: Show success message via snackbar
    end

Loading

Suggested labels

do not merge

Suggested reviewers

• Nithishprem

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 00bbc17 and 06c128e.

📒 Files selected for processing (2)

• app/(public)/(main-image)/signin/components/SigninPage.tsx (1 hunks)
• app/(public)/idp-auth/page.tsx (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• app/(public)/(main-image)/signin/components/SigninPage.tsx
• app/(public)/idp-auth/page.tsx

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: package

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🔭 Outside diff range comments (1)

app/(dashboard)/components/Icons/BrokenCircleCheckIcon.tsx (1)

31-32: Add missing React import and explicit return type.

The component is missing necessary imports and type declarations.

Add the following at the top of the file:

+import React from 'react';
+
 interface BrokenCircleCheckIconProps extends React.SVGProps<SVGSVGElement> {
   // ... props interface
 }

🧹 Nitpick comments (4)

app/(dashboard)/components/Icons/BrokenCircleCheckIcon.tsx (1)

6-11: Consider making dimensions configurable via props.

The icon has fixed dimensions which might limit its reusability.

Apply this diff to make dimensions configurable:

+interface BrokenCircleCheckIconProps extends React.SVGProps<SVGSVGElement> {
   color?: string;
   disabled?: boolean;
+  /** Width of the icon. Defaults to 20 */
+  width?: number | string;
+  /** Height of the icon. Defaults to 20 */
+  height?: number | string;
 }

 const BrokenCircleCheckIcon: React.FC<BrokenCircleCheckIconProps> = ({
   color = "#039855",
   disabled,
+  width = 20,
+  height = 20,
   ...restProps
 }) => (
   <svg
-    width="20"
-    height="20"
+    width={width}
+    height={height}
     viewBox="0 0 20 20"

app/(dashboard)/settings/components/PasswordForm.tsx (3)

29-29: Ensure fallback logic for missing props.
Although this function component is expecting an 'email' prop, consider providing a fallback or validating the prop in case it's undefined.

---

89-181: Address the @ts-ignore and potential form usability concerns.

1. The "@ts-ignore" on line 98 suggests a TypeScript mismatch. Remove or suppress it only after addressing the underlying type conflict to maintain consistency.
2. Consider advanced validation rules or clarifications to handle usage constraints (e.g., “newPassword cannot match old password”).

---

183-238: Enhance SSO fallback error handling.
While showing a spinner for loading, the SSO form flow lacks explicit error handling for setPasswordMutation. Logging or presenting error messages would improve the user experience should something go wrong.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6619245 and 6174207.

📒 Files selected for processing (3)

• app/(dashboard)/components/Icons/BrokenCircleCheckIcon.tsx (1 hunks)
• app/(dashboard)/settings/components/PasswordForm.tsx (2 hunks)
• app/(dashboard)/settings/page.tsx (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: package

🔇 Additional comments (7)

app/(dashboard)/components/Icons/BrokenCircleCheckIcon.tsx (2)

13-21: LGTM!

The SVG path implementation is well-structured with proper clipping and conditional styling based on the disabled state.

---

22-26: LGTM!

The SVG definitions are properly structured with consistent dimensions.

app/(dashboard)/settings/components/PasswordForm.tsx (4)

20-23: Imports are appropriately placed.
These additional imports for customer user API, MUI components, and the BrokenCircleCheckIcon look correct and facilitate the new password reset and SSO functionality.

---

25-27: Strongly typed props for better maintainability.
Defining the PasswordFormProps interface clarifies the expected prop structure and improves code readability.

---

32-34: Double-check localStorage usage for robust SSO checks.
Relying on localStorage to store "loggedInUsingSSO" may lead to stale or inconsistent data if the user’s session state changes. Consider a more authoritative source (e.g., server-side or tokens).

---

86-88: Consider confirming successful dispatch.
handleSetPassword simply triggers the mutation with no immediate feedback aside from the loading spinner. Ensure it’s sufficient or consider disabling the button until the email is confirmed.

app/(dashboard)/settings/page.tsx (1)

112-112: Check for potential undefined email property.
If selectUser is null or doesn’t have an email, this line may throw an error. Consider using optional chaining (e.g., selectUser?.email) or other defensive checks before rendering.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6174207 and 00bbc17.

📒 Files selected for processing (3)

• app/(public)/(main-image)/signin/components/SigninPage.tsx (1 hunks)
• app/(public)/idp-auth/page.tsx (1 hunks)
• src/hooks/useLogout.js (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: package

🔇 Additional comments (1)

src/hooks/useLogout.js (1)

20-20: 🛠️ Refactor suggestion

Consider security implications of using localStorage for auth state.

While the implementation is functionally correct, storing authentication state in localStorage makes it vulnerable to XSS attacks. Consider these alternatives:

1. Use HttpOnly cookies for improved security
2. Use session storage instead of local storage for temporary auth state

✅ Verification successful

🌐 Web query:

What are the security implications of storing auth state in localStorage vs cookies?

💡 Result:

Storing authentication state securely is crucial for web application security. Here's a detailed comparison of security implications when using localStorage vs cookies:

## Security Comparison
| Aspect               | LocalStorage                                                                 | Cookies (with proper configuration)                                                                 |
|----------------------|------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| **XSS Vulnerability**| Highly vulnerable - accessible via JavaScript                              | Protected with `httpOnly` flag - inaccessible to JavaScript [1][2][5]                             |
| **CSRF Vulnerability**| Immune - not automatically sent with requests                             | Vulnerable by default - mitigated via `sameSite` flag and anti-CSRF tokens [1][5]               |
| **Storage Limits**   | ~5MB                                                                         | 4KB per cookie                                                                                     |
| **Automatic Transmission**| Not sent automatically - requires manual handling                       | Sent with every request - reduces implementation complexity                                       |
| **Secure Attributes**| No equivalent security flags                                               | Supports `Secure` (HTTPS-only) and `httpOnly` flags [2][3][6]                                     |

### Key Security Risks
**For LocalStorage:**
- **XSS Attacks:** Full exposure of tokens if malicious script executes [1][4]
- **Persistence Risk:** Data remains after browser closure on public computers 
- **No Built-in Protections:** Lacks mechanisms like expiration or secure transmission [5]

**For Cookies:**
- **CSRF Attacks:** Requires mitigation through:
  - `sameSite=Strict/Lax` attribute [1][5]
  - Anti-CSRF tokens in requests [2]
- **Implementation Complexity:** Proper configuration of multiple flags needed:
  ```http
  Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax
  ```

## Best Practices
1. **Prefer httpOnly Cookies** for authentication tokens:
   - Blocks JavaScript access while maintaining automatic credential transmission [2][5][7]
   - Recommended by OWASP for session management [2][3]

2. **Use Refresh Token Rotation:**
   - Store short-lived access token in memory
   - Keep refresh token in httpOnly cookie [2][5]

3. **Defense-in-Depth Measures:**
   - Implement Content Security Policy (CSP) to reduce XSS risks [2]
   - Always use HTTPS with `Secure` cookie flag [3][6]
   - Validate token signatures server-side regardless of storage method [7]

While both storage mechanisms have vulnerabilities, properly configured cookies provide better security through their built-in protections against common attack vectors. The automatic credential management and httpOnly/Secure flags make cookies the preferred choice for authentication state storage when implemented with CSRF protections[1][2][5].

Citations:

- 1: https://dev.to/leduc1901/why-cookie-is-preferable-compared-to-localstorage-when-it-comes-to-authentication-48mb
- 2: https://dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id
- 3: https://www.pivotpointsecurity.com/local-storage-versus-cookies-which-to-use-to-securely-store-session-tokens/
- 4: https://stytch.com/blog/localstorage-vs-sessionstorage-vs-cookies/
- 5: https://supertokens.com/blog/cookies-vs-localstorage-for-sessions-everything-you-need-to-know
- 6: http://www.cyberchief.ai/2023/05/secure-jwt-token-storage.html
- 7: https://angular.love/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end

---

Security Improvement Suggestion: Avoid using localStorage for sensitive auth state

The web query confirms the concerns raised in the review comment. While your use of localStorage for removing the SSO flag is functionally correct, storing sensitive authentication information in localStorage exposes it to XSS attacks. As a result, consider the following alternatives:

• Use HttpOnly Cookies: They are inaccessible to JavaScript, reducing the risk of XSS attacks.
• Use Session Storage: This provides temporary storage that reduces persistence risks on shared or public machines.

Implementing these changes would enhance the overall security of the authentication flow.