
feature(reset password)#664

Open
NancyWei123 wants to merge 3 commits into roshankumar0036singh:main from NancyWei123:forget_password

@NancyWei123 NancyWei123 commented Jun 22, 2026


Description

Add forget password feature.

Fixes # (issue)

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • [✔] New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

  • [✔] Test in my computer

Checklist:

  • [✔] My code follows the style guidelines of this project
  • [✔] I have performed a self-review of my own code
  • [✔] I have commented my code, particularly in hard-to-understand areas
  • [✔] I have made corresponding changes to the documentation
  • [✔] My changes generate no new warnings
  • [✔] I have added tests that prove my fix is effective or that my feature works
  • [✔] New and existing unit tests pass locally with my changes
  • [✔] Any dependent changes have been merged and published in downstream modules

Summary by CodeRabbit

  • New Features
    • Added a “Forgot password?” button to the login screen (shown only in login mode) to request a password reset using the entered email.
    • Added in-app feedback for password reset requests, including a success message, email validation, and error handling; the action is disabled while loading.

NancyWei123 changed the title from "feature: reset password" to "feature(reset password)" Jun 22, 2026
@NancyWei123

Author

#650

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 03dc766d-78e9-4bf0-9a8d-9579e7253330

📥 Commits

Reviewing files that changed from the base of the PR and between 8a07cb2 and 87a1fe6.

📒 Files selected for processing (1)
  • app/src/screens/AuthScreen.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • app/src/screens/AuthScreen.js

📝 Walkthrough

Walkthrough

AuthScreen gains a "Forgot password?" button visible only in login mode. A new handleForgotPassword handler validates the email field, calls Firebase's sendPasswordResetEmail, and reports success via successMessage state or failure via emailError. The component manages loading state throughout the reset request and clears success/error messaging when switching modes or editing the email field.

Changes

Forgot Password Flow

| Layer / File(s) | Summary |
|---|---|
| State initialization and imports (app/src/screens/AuthScreen.js) | Adds sendPasswordResetEmail to Firebase auth imports; introduces successMessage state for reset feedback; clears successMessage on login/signup mode switch and when email input changes. |
| Password reset handler (app/src/screens/AuthScreen.js) | Implements handleForgotPassword async function that validates the email, sets touched state, manages loading spinner, calls Firebase sendPasswordResetEmail, and sets either successMessage (success) or emailError (failure) using getFirebaseErrorMessage. |
| UI button and styles (app/src/screens/AuthScreen.js) | Renders successMessage as green success text; adds a "Forgot password?" button (login-mode only, disabled while loading) that calls handleForgotPassword; adds forgotPasswordContainer, forgotPasswordText, and successText style definitions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rabbit hops in with a password so grand,
"Forgot it?" we ask with a sympathetic hand.
Firebase whispers, an email takes flight,
New credentials await — everything's right!
The bunny has bundled this feature with care,
No more lost passwords floating in air. 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feature(reset password)' directly and specifically identifies the main change—adding password reset functionality—matching the PR's core objective of implementing a password reset feature. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 OpenGrep (1.23.0)
app/src/screens/AuthScreen.js

┌──────────────┐
│ Opengrep CLI │
└──────────────┘

✔ Opengrep OSS
✔ Basic security coverage for first-party code vulnerabilities.

[00.58][ERROR]: unable to find a config; path .coderabbit-opengrep-fallback.yml does not exist

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

app/src/screens/AuthScreen.js

ESLint skipped: missing config or dependency (missing-dependency). The ESLint configuration references a package that is not available in the sandbox.



@roshankumar0036singh

Owner

@NancyWei123 match the theme and design style for reset password

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🧹 Nitpick comments (1)
app/src/screens/AuthScreen.js (1)

304-343: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add focused tests for forgot-password branches.

Please add AuthScreen tests for: invalid email (local validation), successful reset request, and rejected reset request; assert loading/disabled UI state and message path behavior.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src/screens/AuthScreen.js` around lines 304 - 343, Add unit tests for the
AuthScreen component focused on the handleForgotPassword function and
showMessage helper. Create test cases for three scenarios: invalid email
validation (verify setEmailError is called and showMessage displays the
validation error), successful password reset request (verify loading state
transitions, sendPasswordResetEmail is called with the trimmed email, and the
success message is shown), and failed password reset request (verify the error
is caught, getFirebaseErrorMessage is called to format the error, setEmailError
updates the state with the error message, and showMessage displays the error).
For each scenario, assert that the loading state (setLoading) is properly
managed and that the correct message path (either success or error message) is
triggered through showMessage.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 13cafc27-5bd0-4d67-b97c-8504cf63a202

📥 Commits

Reviewing files that changed from the base of the PR and between bfff954 and d136eb4.

📒 Files selected for processing (1)
  • app/src/screens/AuthScreen.js

Comment thread app/src/screens/AuthScreen.js Outdated
Comment on lines +332 to +338
} catch (error) {
console.log('Forgot password error:', error);

const msg = getFirebaseErrorMessage(error);
setEmailError(msg);

showMessage('Cannot send reset email', msg);

Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For Firebase Auth JavaScript SDK v11, what errors can sendPasswordResetEmail(auth, email) return, and how does Email Enumeration Protection affect whether user existence is disclosed?

💡 Result:

In Firebase Auth JavaScript SDK v11, sendPasswordResetEmail(auth, email) can throw these errors related to the provided email:

  1) auth/invalid-email — the email address is not valid. [1]
  2) auth/user-not-found — thrown if there is no user corresponding to the email address. [1]
  3) auth/too-many-requests — thrown if requests are blocked from a device due to unusual activity (rate limiting). [2]

How Email Enumeration Protection changes user existence disclosure

By default (without enumeration protection), calling sendPasswordResetEmail for an unregistered email can result in auth/user-not-found, which discloses that the email address does not exist. [1]

If you enable Email enumeration protection for your project, Firebase changes error reporting for password reset flows: it “removes error responses” for password reset calls (including the client SDK method sendPasswordResetEmail). In that mode, the request results in no specific error that indicates the email is unregistered (Firebase sends a password reset email only if the email exists, but there are “no specific error messages indicating when emails aren't sent”). [3]

Practically, this means user existence is no longer disclosed via the thrown error (the SDK won’t reliably throw auth/user-not-found for non-existent emails); instead, your app should always show a generic “check your email” success message regardless of whether the email exists. [4][3]

Citations:


🏁 Script executed:

#!/bin/bash
# Find getFirebaseErrorMessage definition to see if it returns user-facing error messages
rg "getFirebaseErrorMessage" --max-count 5 -B 2 -A 8

Repository: roshankumar0036singh/Uni-Event

Length of output: 1982


🏁 Script executed:

#!/bin/bash
# Verify the exact code at the catch block in AuthScreen.js
rg "Forgot password error" -B 3 -A 6

Repository: roshankumar0036singh/Uni-Event

Length of output: 734


Do not expose backend error details in password-reset error handling; use a generic message instead.

The catch block at lines 332–338 surfaces Firebase backend error details to unauthenticated users via getFirebaseErrorMessage(error). When Email Enumeration Protection is disabled on your Firebase project, errors like auth/user-not-found leak information about account existence. Even with enumeration protection enabled, Firebase's official best practice is to always show a generic "check your email" message regardless of whether the email exists or the request succeeded.

Replace the error handling with a generic success message that does not disclose whether the email exists or the operation actually succeeded:

Recommended fix
         } catch (error) {
-            console.log('Forgot password error:', error);
-
-            const msg = getFirebaseErrorMessage(error);
-            setEmailError(msg);
-
-            showMessage('Cannot send reset email', msg);
+            console.error('Forgot password request failed:', error?.code || error);
+            showMessage(
+                'Check your email',
+                'If an account exists for this email, you will receive a password reset link shortly.',
+            );
         } finally {
             setLoading(false);
         }
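Review bot: The replacement catch block shows 'Check your email' for every failure, including ones that do not depend on whether the account exists. A request rejected with auth/invalid-email or auth/too-many-requests (both listed in the analysis for this comment), or one that never reached Firebase, would tell the user a reset link is coming when no request was accepted. Suggest keeping the generic text for auth/user-not-found and unrecognised codes only, and giving the existence-independent codes their own validation or retry message. The generic text hides account existence only if the success path of handleForgotPassword shows the same title and body, which is outside this hunk and worth confirming. Also, error?.code || error still writes the whole error object to the console when code is missing; logging error?.code ?? 'unknown' keeps the log to the code alone.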
🧰 Tools
🪛 ast-grep (0.44.0)

[warning] 335-335: Avoid using the initial state variable in setState
Context: setEmailError(msg)
Note: [CWE-710] Improper Adherence to Coding Standards. Security best practice.

(setstate-same-var)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src/screens/AuthScreen.js` around lines 332 - 338, The catch block in the
forgot password error handler is exposing Firebase backend error details via
getFirebaseErrorMessage(error), which can leak information about account
existence to unauthenticated users. Remove the call to
getFirebaseErrorMessage(error) and instead use a generic, non-revealing message.
Replace the setEmailError and showMessage calls with a single generic message
(such as "check your email for password reset instructions") that does not
disclose whether the email exists or whether the operation succeeded, following
Firebase's security best practice for password reset flows.
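
Added example (not part of this pull request or the project's code): one way to map the result of a password reset request to a user-facing message so that success and auth/user-not-found are indistinguishable, while errors that do not depend on account existence still get a useful message. RESET_SENT, SAFE_TO_SHOW, outcomeForReset, requestPasswordReset and fakeSender are hypothetical names; sendReset stands for a caller-supplied wrapper such as (e) => sendPasswordResetEmail(auth, e).

```javascript
// Added example; every name here is hypothetical, not taken from AuthScreen.js.

// Shown for success AND for any failure that could reveal account existence.
const RESET_SENT = Object.freeze({
    kind: 'sent',
    title: 'Check your email',
    body: 'If an account exists for this email, you will receive a password reset link shortly.',
});

// Codes whose cause is independent of whether the address is registered,
// so reporting them discloses nothing about accounts.
const SAFE_TO_SHOW = new Map([
    ['auth/invalid-email', { kind: 'invalid', title: 'Invalid email', body: 'Enter a valid email address.' }],
    ['auth/too-many-requests', { kind: 'retry', title: 'Try again later', body: 'Too many attempts from this device.' }],
    ['auth/network-request-failed', { kind: 'retry', title: 'No connection', body: 'Check your network and try again.' }],
]);

// errorCode is null/undefined when the request was accepted.
function outcomeForReset(errorCode) {
    if (errorCode != null && SAFE_TO_SHOW.has(errorCode)) {
        return SAFE_TO_SHOW.get(errorCode);
    }
    // Success, auth/user-not-found and unrecognised codes all collapse here.
    return RESET_SENT;
}

// sendReset: async (email) => void, e.g. (e) => sendPasswordResetEmail(auth, e).
async function requestPasswordReset(sendReset, email) {
    try {
        await sendReset(email.trim());
        return outcomeForReset(null);
    } catch (error) {
        const code = error && typeof error.code === 'string' ? error.code : 'unknown';
        console.error('Password reset request failed:', code); // log the code only
        return outcomeForReset(code);
    }
}

// Constructed stand-in for Firebase with enumeration protection disabled.
function fakeSender(registered) {
    return async (email) => {
        if (!registered.includes(email)) {
            const err = new Error('no such user');
            err.code = 'auth/user-not-found';
            throw err;
        }
    };
}
```
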

@roshankumar0036singh

Owner

resolve the issue

@NancyWei123

Author
I have fixed the problem

@coderabbitai coderabbitai Bot left a comment

Contributor


🧹 Nitpick comments (1)
app/src/screens/AuthScreen.js (1)

727-732: 📐 Maintainability & Code Quality | 🔵 Trivial

Consider sourcing the success color from the theme for consistency.

color: 'green' is hardcoded, while the rest of the form drives colors from theme.colors.*. The theme palette exposes colors.success: '#00C853' for semantic consistency across light and dark modes, matching the pattern used elsewhere in the form.

♻️ Suggested approach
-                        {successMessage ? (
-                            <Text style={styles.successText}>{successMessage}</Text>
-                        ) : null}
+                        {successMessage ? (
+                            <Text style={[styles.successText, { color: theme.colors.success }]}>
+                                {successMessage}
+                            </Text>
+                        ) : null}
     successText: {
-        color: 'green',
         fontSize: 12,
         marginTop: -8,
         marginLeft: 4,
     },
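Review bot: In the successText style hunk, deleting color: 'green' leaves the style with no colour of its own, so the message is coloured only where the inline { color: theme.colors.success } override from the JSX hunk is applied. If the styles are built with access to the theme, set color: theme.colors.success in successText itself and drop the inline array; otherwise add a comment on successText saying the colour is supplied at the call site.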
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src/screens/AuthScreen.js` around lines 727 - 732, The successText style
object contains a hardcoded color value of 'green' which is inconsistent with
the pattern used elsewhere in the form where colors are sourced from the theme
object. Replace the hardcoded color: 'green' with a reference to the theme
colors palette using theme.colors.success to ensure semantic consistency across
light and dark modes and maintain the established theming pattern throughout the
form.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c8cafc1b-7753-4f95-98a4-48b40c9898a8

📥 Commits

Reviewing files that changed from the base of the PR and between d136eb4 and 8a07cb2.

📒 Files selected for processing (1)
  • app/src/screens/AuthScreen.js
