Cap
Cap copied to clipboard
Published
6 days ago
•
CapSoftware
CapSoftware
"Implement password sign-in option (#1036)"
@richiemcilroy can you please review this ? I have tested this and it works fine. let me know if any changes required
Summary by CodeRabbit
- New Features
- Password-based login added alongside OTP and SSO.
- Password-based signup added alongside OTP signup.
- Users can toggle between password and OTP flows on login and signup screens.
- Verification flow now supports credential-specific verification and resend, with redirects for verification when needed.
- Email verification fully integrated with password-based signup and login.
Walkthrough
Adds email+password credential signup and login flows front-to-back, wires a NextAuth CredentialsProvider that supports OTP-token and password paths, persists encrypted passwords in users table, and extends OTP verification/resend to handle credential-based flows.
Changes
| Cohort / File(s) | Summary |
|---|---|
Frontend — Login flow apps/web/app/(org)/login/form.tsx |
Adds showCredientialLogin and password state, new LoginWithEmailAndPassword component, updates NormalLogin to accept setShowCredientialLogin, conditionally renders credential vs OTP login, and extends submit logic to handle credential sign-in, email verification errors, resend and redirects. |
Frontend — Signup flow apps/web/app/(org)/signup/form.tsx |
Adds showCredientialLogin and password state, new SignUpWithEmailAndPassword component, updates NormalSignup to accept setShowCredientialLogin, implements credential signup POST to /api/auth/signup with client validation, loading/error handling, and redirect to credential OTP verify. |
Frontend — OTP verification apps/web/app/(org)/verify-otp/form.tsx, apps/web/app/(org)/verify-otp/page.tsx |
VerifyOTPForm gains optional `type?: "email" |
Backend — NextAuth provider packages/database/auth/auth-options.ts |
Adds CredentialsProvider with authorize handling email presence, OTP-token consumption (verificationTokens) and password verification (via verifyPassword), enforces email verification, deletes consumed tokens, logs errors, and returns user on success. |
Backend — Adapter changes packages/database/auth/drizzle-adapter.ts |
Persists incoming encrypted password from userData when creating users (adds password: hashedPassword to inserted record). |
Database schema packages/database/schema.ts |
Adds nullable encrypted password column to users table: password: encryptedTextNullable("password"). |
Imports updated apps/web/app/(org)/* |
Adds KeyRound alongside LucideArrowUpRight imports from lucide-react where components were updated. |
Sequence Diagram(s)
sequenceDiagram
participant User
participant Frontend as Client UI
participant API as /api/auth
participant NextAuth as CredentialsProvider
participant DB as Database
Note right of Frontend: Credential login/signup flows (new)
User->>Frontend: Enter email & password
Frontend->>API: POST /signin or /signup (credentials)
API->>NextAuth: authorize(credentials)
NextAuth->>DB: fetch user, lookup verificationTokens
alt OTP token provided
DB-->>NextAuth: token valid
NextAuth->>DB: delete token
NextAuth-->>API: return user (authenticated)
else Password provided
NextAuth->>DB: verify password hash
alt password match
NextAuth-->>API: return user (authenticated)
else mismatch
NextAuth-->>API: error (invalid credentials)
end
end
API-->>Frontend: success / error
alt needs verification
Frontend->>Frontend: redirect to /verify-otp?type=credentials
end
sequenceDiagram
participant Frontend as Signup UI
participant SignupAPI as /api/auth/signup
participant DB as Database
participant Verify as Verify OTP Page
User->>Frontend: Submit email + password (credential signup)
Frontend->>SignupAPI: POST email, password
SignupAPI->>DB: create user (store encrypted password)
DB-->>SignupAPI: user created
SignupAPI-->>Frontend: success
Frontend->>sessionStorage: store temp password
Frontend->>Verify: redirect to /verify-otp?type=credentials
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~45 minutes
- Pay extra attention to:
CredentialsProvider.authorize(token lifecycle, error messages, logging). - DB/adapter changes: encrypted password persistence and schema migration implications.
- Frontend conditional flows and temporary password handling (sessionStorage, redirects).
- Verify-OTP flow correctness for
type="credentials"(resend/verify endpoints).
Possibly related PRs
- CapSoftware/Cap#832 — Overlapping edits to login/verify-otp and auth-options; touches same frontend/back-end auth flows.
- CapSoftware/Cap#972 — Modifies NextAuth auth-options (signIn callback); affects the same NextAuth configuration and provider logic.
Suggested reviewers
- Brendonovich
Poem
🐰
I nudged a key into the burrow deep,
Now passwords hum where OTPs leap,
Tokens tidy, secrets tucked away,
A hop, a stitch — auth’s new day,
Nibble the carrot, merge complete! 🥕
Pre-merge checks and finishing touches
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title clearly and concisely describes the main change: implementing a password-based sign-in option as an alternative to OTP/SSO, which aligns with the substantial changes across login, signup, and authentication flows. |
✨ Finishing touches
- [ ] 📝 Generate docstrings
🧪 Generate unit tests (beta)
- [ ] Create PR with unit tests
- [ ] Post copyable unit tests in a comment
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands and usage tips.
![coderabbitai[bot] avatar](https://avatars.githubusercontent.com/in/347564?v=4 "Published by a pub.dev verified publisher"){kind=small}