feat(auth): forgot password + reset password page

[MinitJain]

Summary

• Adds a Forgot password? link on the login form (inline next to the Password label)
• New forgot mode on the auth page — shows email input only, calls resetPasswordForEmail, shows "check your email" confirmation
• New /auth/reset-password page — extracts the ?code= from the Supabase email link, calls exchangeCodeForSession client-side (PKCE), then lets the user set a new password via updateUser
• Direct navigation to /auth/reset-password without a valid code shows an "invalid/expired" error immediately — prevents logged-in users from accessing the form without a real reset flow

Type of change

• New feature

Checklist

• Code builds without errors (npm run build)
• No TypeScript errors (npx tsc --noEmit)
• Lint passes (npm run lint)
• Self-reviewed the diff
• Tested manually in the browser

Note

https://recallsave.vercel.app/auth/reset-password must be added to Authentication → URL Configuration → Redirect URLs in the Supabase dashboard before testing on production.

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
  • Added "Forgot password?" flow on the login page with email submission and confirmation state after sending reset email
  • Temporarily simplifies the login UI when requesting a reset (hides social buttons and other form elements)
  • Added a dedicated password reset page that verifies reset links, handles expired/invalid links, and lets users set a new password with length validation and show/hide toggle
• Bug Fixes
  • Improved navigation back to login and post-reset redirect behavior

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
recall	Ready	Preview, Comment	Apr 2, 2026 7:05pm

[coderabbitai]

Warning

Rate limit exceeded

@MinitJain has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 59 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 18 minutes and 59 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e80f745a-b2a2-4dd3-9be2-ac369258c05c

📥 Commits

Reviewing files that changed from the base of the PR and between ccbf017 and bc71874.

📒 Files selected for processing (1)

• client/src/app/auth/reset-password/page.tsx

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)

Validation error: Unrecognized key(s) in object: 'instructions'

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

📝 Walkthrough

Walkthrough

Adds a "forgot password" mode to the auth page to initiate reset emails and introduces a dedicated reset-password page that exchanges the email code and lets users set a new password.

Changes

Cohort / File(s)	Summary
Auth page (initiate reset) client/src/app/auth/page.tsx	Adds "forgot" mode and sent state, handleForgotPassword calling supabase.auth.resetPasswordForEmail, conditional UI for forgot flow (hides OAuth/divider), "Forgot password?" toggle, and sent/check-email confirmation.
Reset password page (confirm & update) client/src/app/auth/reset-password/page.tsx	New page: reads code from URL, calls supabase.auth.exchangeCodeForSession, shows checking/invalid/ready states; ready state renders password + confirm form with validation, toggles, submits via supabase.auth.updateUser, navigates to /app on success.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant AuthPage as Auth Page
    participant Supabase as Supabase Auth
    participant Email as Email Service
    participant ResetPage as Reset Password Page

    User->>AuthPage: Click "Forgot password?"
    AuthPage->>AuthPage: Switch to forgot mode
    User->>AuthPage: Submit email
    AuthPage->>Supabase: resetPasswordForEmail(email, {redirectTo})
    Supabase->>Email: Send reset link (code)
    Email-->>User: Reset email with link
    User->>ResetPage: Open link (code in URL)
    ResetPage->>Supabase: exchangeCodeForSession(code)
    Supabase-->>ResetPage: Valid / Invalid
    alt Valid
        User->>ResetPage: Enter new password & submit
        ResetPage->>Supabase: updateUser({ password })
        Supabase-->>ResetPage: Password updated
        ResetPage->>ResetPage: Navigate to /app
    else Invalid
        ResetPage->>User: Show invalid/expired message + link to auth
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• M7: Supabase Auth #11: Modifies the same auth UI / Supabase auth flows and touches client/src/app/auth/page.tsx.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main changes: adding forgot password functionality and a new reset password page.
Description check	✅ Passed	The description covers all required template sections with detailed explanations of changes, correctly identifies the type as a new feature, and completes all checklist items except manual browser testing.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch p2.8-forgot-password

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@client/src/app/auth/reset-password/page.tsx`:
- Around line 34-52: Add a password confirmation field and validate it in
handleSubmit: introduce local state for confirmPassword and its setter (e.g.,
confirmPassword, setConfirmPassword) and add a confirmation input in the form
next to the existing password input; in handleSubmit (before calling
createClient() / supabase.auth.updateUser) check that confirmPassword ===
password and if not call setError("Passwords do not match") and return; keep
existing setLoading/setError flow and only proceed to createClient() and call
supabase.auth.updateUser({ password }) when the confirmation matches.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0edd40cb-c590-421a-b2f4-861edd35097c

📥 Commits

Reviewing files that changed from the base of the PR and between 381af15 and d19e321.

📒 Files selected for processing (2)

• client/src/app/auth/page.tsx
• client/src/app/auth/reset-password/page.tsx

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@client/src/app/auth/reset-password/page.tsx`:
- Around line 20-33: The useEffect block calls
supabase.auth.exchangeCodeForSession(code) only with .then(...), so if the
promise rejects the component never updates status and remains stuck; update the
code in the useEffect (around createClient and exchangeCodeForSession) to handle
rejections by adding a .catch(...) or using async/await with try/catch and
ensure setStatus("invalid") (and optional logging) is called on error, keeping
the existing setStatus("invalid") for the no-code branch and the setStatus(error
? "invalid" : "ready") logic for successful resolves.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5024a4a4-7f50-4adc-98c2-1ffc863db61a

📥 Commits

Reviewing files that changed from the base of the PR and between d19e321 and ccbf017.

📒 Files selected for processing (1)

• client/src/app/auth/reset-password/page.tsx