From cd521513b3eda1de29e9807d21ef83ebfe1bf7ed Mon Sep 17 00:00:00 2001 From: jester Date: Tue, 28 Apr 2026 21:34:37 +0000 Subject: [PATCH] Clarify Portal reset token and profile save behavior --- Codex/Portal/CURRENT_STATE.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Codex/Portal/CURRENT_STATE.md b/Codex/Portal/CURRENT_STATE.md index d1418b6..a05bcad 100644 --- a/Codex/Portal/CURRENT_STATE.md +++ b/Codex/Portal/CURRENT_STATE.md 
@@ -48,12 +48,19 @@ This file records what is implemented now. ## Billing / auth / onboarding - billing UI alignment exists with the newer billing state model. +- profile save now sends the backend-supported account fields to authenticated `PATCH /api/auth/me`: + - `email` normalized to lowercase after trim + - `username` trimmed + - `firstName`, `lastName`, and `displayName` trimmed + - `409` responses surface a duplicate email/username message - forgot/reset password flow exists: - login includes a `Forgot password?` link to `/forgot-password` - `/forgot-password` posts `{ email }` to `POST /api/auth/password-reset/request` - the Portal always shows `If the account exists, a reset link has been sent.` for account-lookup-style responses - - `/reset-password?token=...` reads `token`, validates 8+ character password and confirmation match, then posts `{ token, password }` to `POST /api/auth/password-reset/confirm` - - missing, invalid, or expired reset tokens show `This reset link is invalid or has expired.` + - `/reset-password?token=...` reads `token` from query params, trims it, and requires it to be a 64-character hex token before submit + - valid reset submissions post `{ token, password }` to `POST /api/auth/password-reset/confirm` + - client validation requires an 8+ character password and confirmation match + - missing, malformed, invalid, or expired reset tokens show `This reset link is invalid or has expired.` - successful reset does not auto-login; Portal leaves the user with login navigation - profile change-password UI exists: - profile includes current password, new password, and confirm new password fields
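Review bot: The new `/reset-password?token=...` bullet says the token must be "a 64-character hex token before submit" but does not say whether uppercase hex digits are accepted or whether the token is case-normalized, even though the `email` bullet in the same hunk spells out its normalization (lowercase after trim). Suggest stating the accepted character set explicitly, for example "64 hex characters, case-insensitive" or "lowercase hex only", so the documented client check cannot drift from what the backend issues. The two added lines on client validation (token format, 8+ character password and confirmation match) should also say that they are pre-submit checks only and that `POST /api/auth/password-reset/confirm` remains the authority on token validity and password rules; as written, a reader could take the client check as the enforcement point. Because the token is read from query params, it is worth recording here whether the page removes `token` from the URL after reading it, since a query-string token otherwise stays in browser history and can be sent in Referer headers. Separately, the `409` bullet under profile save documents a message that distinguishes duplicate email/username; a short note that this is acceptable because the endpoint is authenticated would explain why it differs from the uniform `If the account exists, a reset link has been sent.` response a few lines below.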