Right now users can sign in with email and password, and the sign-in page has a "Forgot password?" link to /reset-password, but the reset flow isn't implemented. We want users to eventually request a reset, receive an email with a link, set a new password, and be redirected to sign-in. This ticket is only the backend piece: when a password reset is requested (via Better Auth's API), we send the reset email via our SES connector. The pages where users enter their email and set a new password are not in scope here; those will be a separate ticket when we have designs (or when we're ready to add a simple page that matches the existing auth pages).
The ask is to implement the hook that sends the password reset email. In src/lib/auth/auth.ts, implement sendResetPassword under emailAndPassword so that when someone calls Better Auth's request-password-reset endpoint, we send an email via the SES connector from #184. The email must contain a link that uses the base URL of the app or domain and includes the reset token so that when we later build the reset page, the user can land there and submit a new password. Better Auth already exposes POST /api/auth/request-password-reset and POST /api/auth/reset-password; we're only wiring up the email sender.
Follow the Request Password Reset docs: sendResetPassword receives { user, url, token } from Better Auth. Use the SES connector from #184 to send the email to user.email with the reset link (the url is the full link Better Auth generates, or you can build it from the base URL of the app and the token). Don't await the send; fire it and return. See the docs for that bit. You can add onPasswordReset if we want a callback after a successful reset. The existing config already has resetPasswordTokenExpiresIn: 60 * 60 and a commented-out sendResetPassword; uncomment and implement it. Same pattern as the org invite ticket for wiring SES.
Scope: This ticket is strictly the backend/config that sends the reset email when a password reset is requested. No UI: no request-reset page and no set-new-password page. Those will be a follow-up ticket. The reset link in the email must use the base URL of the app or domain so that a future reset page can read the token from the URL.
Acceptance Criteria
When a password reset is requested (via POST /api/auth/request-password-reset with a valid user email), an email is sent to that address from the Sarge domain using the SES connector from [CRM/OA][Infra] - Welcome to Sarge, SES #184.
The email contains a link that uses the base URL of the app or domain and includes the reset token so the user can later land on a reset page (to be built in a separate ticket) and submit a new password.
How to test
Test without the reset pages by triggering a reset yourself:
Trigger request: Call POST /api/auth/request-password-reset with Postman or curl, body { "email": "<your-test-user-email>" }. Use an email that has an account in the app. In AWS SES sandbox mode, the recipient must be a verified identity (add and verify the address in the SES console first).
Confirm email: Check the inbox for that address. You should receive an email from the Sarge domain with a link. The link URL should use the base URL of the app or domain and include the token (e.g. as a query param). No reset page yet, so just confirm the email is sent and the link is formed correctly.
Out of scope / follow-up
The reset pages (form to enter email and request a reset, and form to enter new password after clicking the link) are not in this ticket. A separate ticket will cover those when we have designs or when we want to ship a simple /reset-password page that matches the existing sign-in/signup style.
Blocked By
#184 (SES connector; required to send the reset email from our domain)
[CRM][Backend/Auth] - Reset password
Lmk if you have questions @bderbs30
Figma Link
N/A
Mocks / Screenshots
N/A
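A sketch of the sendResetPassword hook this ticket asks for, as an added example that is not code from the ticket or the Sarge repository. The SendEmail signature standing in for the #184 SES connector, the makeSendResetPassword factory, the onError callback, the APP_BASE_URL and sesSend names, and the "token" query parameter name are assumptions.

```typescript
// Added example. Argument shape as the ticket describes it: { user, url, token }.
type ResetArgs = { user: { email: string }; url: string; token: string };
type Mail = { to: string; subject: string; text: string };
// Hypothetical signature for the SES connector from #184 (its API is not shown here).
type SendEmail = (mail: Mail) => Promise<void>;

// Build the link from the configured app base URL, never from request headers,
// so a forged Host header cannot point the token at another origin.
// The /reset-password path is from the ticket; the "token" parameter name is assumed.
function buildResetLink(baseUrl: string, token: string): string {
  const link = new URL("/reset-password", baseUrl);
  link.searchParams.set("token", token); // percent-encodes the token
  return link.toString();
}

// True only when `url` parses and shares scheme, host and port with the base URL.
function isSameOrigin(url: string, baseUrl: string): boolean {
  try {
    return new URL(url).origin === new URL(baseUrl).origin;
  } catch {
    return false;
  }
}

// Wiring (assumed names), in src/lib/auth/auth.ts under emailAndPassword:
//   sendResetPassword: makeSendResetPassword(APP_BASE_URL, sesSend)
function makeSendResetPassword(
  baseUrl: string,
  sendEmail: SendEmail,
  onError: (err: unknown) => void = () => {},
) {
  return async ({ user, url, token }: ResetArgs): Promise<void> => {
    // Use Better Auth's generated link only if it stays on our origin; otherwise rebuild it.
    const link = isSameOrigin(url, baseUrl) ? url : buildResetLink(baseUrl, token);
    const mail: Mail = {
      to: user.email,
      subject: "Reset your Sarge password",
      text: `Use this link to set a new password (valid for 1 hour):\n${link}`,
    };
    try {
      // Not awaited, as the ticket asks: the API response does not wait on SES.
      // Failures go to onError, which must not log the link or the token.
      void sendEmail(mail).catch(onError);
    } catch (err) {
      onError(err); // connector threw synchronously
    }
  };
}
```

The "valid for 1 hour" wording matches the existing resetPasswordTokenExpiresIn: 60 * 60 setting and should change with it.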