/* global React */
const { useState: useLS, useEffect: useLE } = React;
// Password input with a show/hide toggle. Behaves exactly like a normal
// input — pass `value`, `onChange`, `placeholder`, `onKeyDown` etc.
function PasswordInput({ value, onChange, placeholder, onKeyDown, autoFocus }) {
const [shown, setShown] = useLS(false);
return (
);
}
function LoginScreen({ onLogin }) {
const [mode, setMode] = useLS('login'); // 'login' | 'forgot'
return (
{/* Subtle texture/wash */}
{/* Brand mark */}
{mode === 'login'
?
setMode('forgot')} />
: setMode('login')} onDone={() => setMode('login')} />
}
Sign in
Welcome back
Sign in to manage skills across your organizations.
setEmail(e.target.value)}
onKeyDown={e => { if (e.key === 'Enter') submit(); }}
placeholder="name@company.com" style={authInput} />
{touched && email.length > 0 && !emailValid && (
Enter a valid email address.
)}
setPw(e.target.value)}
onKeyDown={e => { if (e.key === 'Enter') submit(); }}
placeholder="Your password" />
{serverError &&
{serverError}}
);
}
// Two-phase reset:
// Phase 1 ("request"): user enters email → backend mints a single-use
// reset token, stores its SHA-256 + expiry on the auth doc, and logs
// the raw token to the server console for an operator to relay.
// Phase 2 ("apply"): user enters the token + new password → backend
// verifies the hash, applies the new password, clears the token.
//
// The pre-fix flow let any visitor reset any account by knowing only
// the email — full account-takeover. Knowing the token (which never
// leaves the server console / future email pipeline) is the proof of
// account ownership.
function ForgotForm({ onBack, onDone }) {
const [phase, setPhase] = useLS('request'); // 'request' | 'apply'
const [email, setEmail] = useLS('');
const [token, setToken] = useLS('');
const [pw, setPw] = useLS('');
const [pw2, setPw2] = useLS('');
const [submitted, setSubmitted] = useLS(false);
const [busy, setBusy] = useLS(false);
const [serverError, setServerError] = useLS('');
const emailValid = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
const tokenValid = token.length >= 16;
const pwValid = pw.length >= 8;
const pwMatches = pw2.length > 0 && pw === pw2;
const sendCode = async () => {
setServerError('');
if (!emailValid || busy) return;
setBusy(true);
try {
const r = await fetch('/api/auth/forgot-password', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email }),
});
if (!r.ok) {
setServerError('Could not start reset. Try again.');
return;
}
// Backend returns ok regardless of whether the email exists, so we
// always advance to phase 2 — anything else would let an attacker
// enumerate accounts.
setPhase('apply');
} catch {
setServerError('Network error. Is the server running?');
} finally {
setBusy(false);
}
};
const applyReset = async () => {
setServerError('');
if (!emailValid || !tokenValid || !pwValid || !pwMatches || busy) return;
setBusy(true);
try {
const r = await fetch('/api/auth/reset-password', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email, token: token.trim(), newPassword: pw }),
});
const data = await r.json().catch(() => ({}));
if (!r.ok) {
setServerError(
data.error === 'invalid_or_expired_token' ? 'That code is invalid or has expired. Request a new one.'
: data.error === 'password_too_short' ? 'Password must be at least 8 characters.'
: 'Could not update password. Try again.'
);
return;
}
setSubmitted(true);
setTimeout(() => onDone(), 900);
} catch {
setServerError('Network error. Is the server running?');
} finally {
setBusy(false);
}
};
const back = (
);
if (phase === 'request') {
return (
{back}
Reset password
Get a reset code
Enter your email and we'll generate a one-time reset code. Ask your administrator for the code, then return here to set a new password.
setEmail(e.target.value)}
onKeyDown={e => { if (e.key === 'Enter') sendCode(); }}
placeholder="name@company.com" style={authInput} />
{email.length > 0 && !emailValid && (
Enter a valid email address.
)}
{serverError &&
{serverError}}
);
}
const valid = emailValid && tokenValid && pwValid && pwMatches;
return (
{back}
Reset password
Enter your code & new password
Paste the one-time reset code your administrator gave you, then set a new password.
setEmail(e.target.value)}
placeholder="name@company.com" style={authInput} />
setToken(e.target.value)}
placeholder="Paste the reset code" style={{
...authInput,
fontFamily: 'ui-monospace, "JetBrains Mono", Menlo, monospace',
fontSize: 13, letterSpacing: '0.02em',
}} />
{token.length > 0 && !tokenValid && (
The code looks too short.
)}
setPw(e.target.value)}
placeholder="At least 8 characters" />
{pw.length > 0 && !pwValid && (
Use at least 8 characters.
)}
setPw2(e.target.value)}
onKeyDown={e => { if (e.key === 'Enter' && valid && !submitted) applyReset(); }}
placeholder="Re-enter new password" />
{pw2.length > 0 && !pwMatches && (
Passwords do not match.
)}
{serverError &&
{serverError}}
);
}
const authLabel = {
fontFamily: "'Inter', sans-serif", fontSize: 11, fontWeight: 700,
letterSpacing: '0.08em', textTransform: 'uppercase', color: 'var(--c-ink-600)',
};
const authInput = {
height: 44, padding: '0 14px', borderRadius: 12,
background: 'var(--c-cream-50)',
border: '1.5px solid var(--border-subtle)',
boxShadow: 'var(--shadow-inset-input)',
fontFamily: "'Suisse Int\\'l', sans-serif", fontSize: 14, color: 'var(--c-ink-900)',
width: '100%', outline: 'none', boxSizing: 'border-box',
};
const errorText = { fontSize: 12, color: 'var(--c-terra-600, #C65A42)' };
const primaryBtn = {
height: 46, padding: '0 22px', borderRadius: 12, border: 'none',
fontFamily: "'Inter', sans-serif", fontWeight: 700, fontSize: 13,
marginTop: 4,
};
const linkBtn = {
background: 'transparent', border: 'none', padding: 0, cursor: 'pointer',
color: 'var(--c-petrol-800)', fontFamily: "'Inter', sans-serif", fontWeight: 600, fontSize: 11,
textDecoration: 'underline',
};
Object.assign(window, { LoginScreen });