timothymiller / t4-app

A powerful cross-platform UI toolkit for building actually native iOS, Android, macOS, Windows, Linux, and Progressive Web Apps with React (Native).
https://t4stack.com
MIT License

Lucia branch: Suggestion: When pw reset code is invalid, show this error as soon as the site loads, don't wait until user tries to enter a new pw #134

Open Boscop opened 6 months ago

Boscop commented 6 months ago

If a user clicks on an outdated/already-used password reset link (in the email they get after requesting a pw reset), the frontend (on https://<domain>/password-reset/update-password?code=<code>&email=<email>) first behaves as if this pw reset link is still valid. In other words, it shows no error until the user enters a new pw and clicks "Change password". Only then does it show a toast with this message: https://github.com/timothymiller/t4-app/blob/325b5e58a39bf9cd4019db6273ad6ce62889cf2d/packages/api/src/auth/user.ts#L253

Suggestion: When the pw reset code is invalid, show this error as soon as the site loads.


Btw: The pw reset email also contains the code on a separate line as the pw reset link, but it's irrelevant to the user because the user is never/nowhere asked to enter this code! To make it less confusing to the user, we could remove the code from the email. (Considering the link in the email already contains this code in a query param.)

(And then, we could add a non-linkified version of the pw reset URL on a separate line with something like "If the link above doesn't work, enter this URL manually in your browser's address bar".)

Boscop commented 6 months ago

Similarly, when the code has already expired when the user visits the pw reset link, it should also already show an error (instead of letting the user enter a new pw and click the button and only then showing an error).