Feature: Passwordless Login and Password Reset supports use of email mode (#3525)

## template-retail-react-app
- support setting passwordless login mode in config
- Set default passwordless mode to 'email' for apps created via pwa-kit-create-app
- Update password reset to use email mode by default. The mode can now be configured via default.js
- update passwordless login `extra-features` e2e tests
- update "Continue Securely" button to "Continue"
- display errors in EmailConfirmation page
- added new auth-utils.js that contains utility methods for mapping passwordless and reset password API error messages to user-friendly error messages
- added error message mappings for the following API error messages:
  - "no callback_uri is registered for client" -> "This feature is not currently available"
  - "Too many login requests were made. Please try again later." -> Too many requests. For your security, please wait 10 minutes before trying again.
  - "Monthly quota for passwordless login mode email has been exceeded" -> "This feature is not currently available"

## commerce-sdk-react
- Update `getPasswordResetToken` and `authorizePasswordless` to default locale to the one in CommerceApiProvider and pass callback_uri and idp_name only when they are defined
- Update `getPasswordResetToken` to return a raw response and throw an error with the error message if the status code  is not 200

## pwa-kit-create-app
- Update `default.js` and `/_app-config/index.jsx` template to use email mode by default for passwordless login and password reset.

Author: hajinsuha1

e2e/config.js

@@ -170,6 +170,7 @@ module.exports = {
     PWA_E2E_USER_EMAIL: process.env.PWA_E2E_USER_EMAIL,
     PWA_E2E_USER_PASSWORD: process.env.PWA_E2E_USER_PASSWORD,
     EXTRA_FEATURES_E2E_RETAIL_APP_HOME:
+        process.env.EXTRA_FEATURES_E2E_RETAIL_APP_HOME ||
         'https://scaffold-pwa-extra-features-e2e.mobify-storefront.com',
     EXTRA_FEATURES_E2E_RETAIL_APP_HOME_SITE: 'RefArchGlobal'
 }

e2e/tests/desktop/extra-features.spec.js

@@ -32,7 +32,7 @@ test('Verify passwordless login request', async ({page}) => {
     await page.locator('#email').scrollIntoViewIfNeeded()
     await page.fill('#email', config.PWA_E2E_USER_EMAIL)
 
-    await page.getByRole('button', {name: 'Continue Securely'}).click()
+    await page.getByRole('button', {name: 'Continue'}).click()
 
     await page.waitForResponse(
         '**/mobify/slas/private/shopper/auth/v1/organizations/*/oauth2/passwordless/login'
@@ -47,12 +47,11 @@ test('Verify passwordless login request', async ({page}) => {
     const params = new URLSearchParams(postData)
 
     expect(params.get('user_id')).toBe(config.PWA_E2E_USER_EMAIL)
-    expect(params.get('mode')).toBe('callback')
+    expect(params.get('mode')).toBe('email')
     expect(params.get('channel_id')).toBe(config.EXTRA_FEATURES_E2E_RETAIL_APP_HOME_SITE)
-    expect(params.get('callback_uri')).toMatch(/.*\/passwordless-login-callback$/)
 })
 
-test('Verify password reset callback request', async ({page}) => {
+test('Verify password reset request', async ({page}) => {
     let interceptedRequest = null
 
     await page.route(
@@ -88,16 +87,13 @@ test('Verify password reset callback request', async ({page}) => {
     const params = new URLSearchParams(postData)
 
     expect(params.get('user_id')).toBe(config.PWA_E2E_USER_EMAIL)
-    expect(params.get('mode')).toBe('callback')
+    expect(params.get('mode')).toBe('email')
     expect(params.get('channel_id')).toBe(config.EXTRA_FEATURES_E2E_RETAIL_APP_HOME_SITE)
-    expect(params.get('callback_uri')).toMatch(/.*\/reset-password-callback$/)
     expect(params.get('hint')).toBe('cross_device')
 })
 
 // Verify on the login UI that looks different when extra login features are not enabled
-test('Verify password reset callback request when extra login features are not enabled', async ({
-    page
-}) => {
+test('Verify password reset request when extra login features are not enabled', async ({page}) => {
     let interceptedRequest = null
 
     await page.route(
@@ -132,13 +128,12 @@ test('Verify password reset callback request when extra login features are not e
     const params = new URLSearchParams(postData)
 
     expect(params.get('user_id')).toBe(config.PWA_E2E_USER_EMAIL)
-    expect(params.get('mode')).toBe('callback')
+    expect(params.get('mode')).toBe('email')
     expect(params.get('channel_id')).toBe(config.RETAIL_APP_HOME_SITE)
-    expect(params.get('callback_uri')).toMatch(/.*\/reset-password-callback$/)
     expect(params.get('hint')).toBe('cross_device')
 })
 
-test('Verify password reset request', async ({page}) => {
+test('Verify password reset action request', async ({page}) => {
     let interceptedRequest = null
     await page.route(
         '**/mobify/slas/private/shopper/auth/v1/organizations/*/oauth2/password/action',

e2e/tests/mobile/extra-features.spec.js

@@ -33,8 +33,8 @@ test('Verify passwordless login request on mobile', async ({page}) => {
     await page.locator('#email').scrollIntoViewIfNeeded()
     await page.fill('#email', config.PWA_E2E_USER_EMAIL)
 
-    await page.getByRole('button', {name: 'Continue Securely'}).scrollIntoViewIfNeeded()
-    await page.getByRole('button', {name: 'Continue Securely'}).click()
+    await page.getByRole('button', {name: 'Continue'}).scrollIntoViewIfNeeded()
+    await page.getByRole('button', {name: 'Continue'}).click()
 
     await page.waitForResponse(
         '**/mobify/slas/private/shopper/auth/v1/organizations/*/oauth2/passwordless/login'
@@ -49,14 +49,11 @@ test('Verify passwordless login request on mobile', async ({page}) => {
     const params = new URLSearchParams(postData)
 
     expect(params.get('user_id')).toBe(config.PWA_E2E_USER_EMAIL)
-    expect(params.get('mode')).toBe('callback')
+    expect(params.get('mode')).toBe('email')
     expect(params.get('channel_id')).toBe(config.EXTRA_FEATURES_E2E_RETAIL_APP_HOME_SITE)
-    expect(params.get('callback_uri')).toMatch(/.*\/passwordless-login-callback$/)
 })
 
-test('Verify password reset callback request on mobile (extra features enabled)', async ({
-    page
-}) => {
+test('Verify password reset request on mobile (extra features enabled)', async ({page}) => {
     let interceptedRequest = null
 
     await page.route(
@@ -92,13 +89,12 @@ test('Verify password reset callback request on mobile (extra features enabled)'
     const params = new URLSearchParams(postData)
 
     expect(params.get('user_id')).toBe(config.PWA_E2E_USER_EMAIL)
-    expect(params.get('mode')).toBe('callback')
+    expect(params.get('mode')).toBe('email')
     expect(params.get('channel_id')).toBe(config.EXTRA_FEATURES_E2E_RETAIL_APP_HOME_SITE)
-    expect(params.get('callback_uri')).toMatch(/.*\/reset-password-callback$/)
     expect(params.get('hint')).toBe('cross_device')
 })
 
-test('Verify password reset callback request on mobile when extra login features are not enabled', async ({
+test('Verify password reset request on mobile when extra login features are not enabled', async ({
     page
 }) => {
     let interceptedRequest = null
@@ -136,13 +132,12 @@ test('Verify password reset callback request on mobile when extra login features
     const params = new URLSearchParams(postData)
 
     expect(params.get('user_id')).toBe(config.PWA_E2E_USER_EMAIL)
-    expect(params.get('mode')).toBe('callback')
+    expect(params.get('mode')).toBe('email')
     expect(params.get('channel_id')).toBe(config.RETAIL_APP_HOME_SITE)
-    expect(params.get('callback_uri')).toMatch(/.*\/reset-password-callback$/)
     expect(params.get('hint')).toBe('cross_device')
 })
 
-test('Verify password reset request on mobile', async ({page}) => {
+test('Verify password reset action request on mobile', async ({page}) => {
     let interceptedRequest = null
     await page.route(
         '**/mobify/slas/private/shopper/auth/v1/organizations/*/oauth2/password/action',

packages/commerce-sdk-react/CHANGELOG.md

@@ -1,6 +1,7 @@
 ## v4.4.0-dev (Dec 17, 2025)
 - [Bugfix]Ensure code_verifier can be optional in resetPassword call [#3567](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3567)
 - [Improvement] Strengthening typescript types on custom endpoint options and fetchOptions types [#3589](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3589)
+- [Feature] update `authorizePasswordless`, `getPasswordResetToken`, and `resetPassword` to support use of `email` mode [#3525](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3525)
 
 ## v4.3.0 (Dec 17, 2025)