Add login and signup with email

[Naseem77]

No description provided.

[overcut-ai]

Completed Working on "Code Review"

✅ Published all review comments from 3 chunk files (6 comments total) and submitted a REQUEST_CHANGES review on PR #330.

Summary:
• Importance counts: 3 MAJOR security/correctness issues, 1 MEDIUM type-safety issue, 2 informational suggestions.
• Key themes:

1. Error handling & security – email signup now conflates backend failures with conflicts and leaks user account existence.
2. Accessibility – password visibility toggle buttons are not keyboard-accessible, impairing modal usability.
3. Type safety – User.provider union lacks new 'email' option, risking runtime/type errors.
   • Next steps for developer: refine backend error distinction & generic messaging, secure duplicate email handling, fix modal focus behavior for toggles, expand provider union and update related code.

Review event: REQUEST_CHANGES. All steps completed.

---

👉 View complete log

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-login-with-email

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[overcut-ai]

Posted the requested review comment from scratchpad chunk 2.

[overcut-ai]

[MAJOR]: This modal is never imported or rendered anywhere in the app, so none of the email-signup UI you added here is reachable—users still only see LoginModal, leaving signup-by-email impossible. Please either wire this component into the same places that open the auth dialog (or merge its functionality into LoginModal, which already accepts startInSignupMode) so the new flow can be accessed, otherwise drop the unused file to avoid shipping dead code.

[overcut-ai]

[MAJOR]: SignupModal reimplements the entire OAuth + email signup experience (state, validation, success handling, etc.) that now also exists in LoginModal via the new startInSignupMode prop. Having two separate components duplicating hundreds of lines of identical form logic guarantees that fixes (e.g., password validation, error copy, refresh behavior) will quickly drift. Please reuse the existing modal (e.g., by toggling signup mode or extracting a shared form hook/component) instead of maintaining a second copy.

[overcut-ai]

[MAJOR]: These handlers build the Google/GitHub auth redirects manually, bypassing the centralized useAuth().login.google/github helpers that encapsulate endpoint URLs and error handling. If those endpoints or login side effects change, this modal will silently break while the rest of the app keeps working. Please call the context-provided login helpers here (or plumb them through props) so all OAuth entry points share the same source of truth.

[overcut-ai]

[MAJOR]: This effect now unconditionally flips loginModalCanClose to false whenever the initial auth check resolves unauthenticated, even if the user had manually opened the modal while authLoading was still true. In that scenario the dialog suddenly becomes non-dismissible (the onOpenChange guard refuses to close it because loginModalCanClose is false and the user isn’t authenticated), effectively trapping them until they hard-refresh. Please only disable closing when the modal was auto-opened (e.g., track an autoOpened flag or check showLoginModal before overriding loginModalCanClose) so user-initiated open/close flows still work.

[overcut-ai]

[MAJOR]: The password visibility toggle is removed from the tab order by setting tabIndex={-1}, so keyboard users and screen readers cannot focus or activate it. Because the modal is intended to be accessible, every interactive control must be reachable via keyboard; otherwise users relying on keyboard/assistive tech cannot reveal their password, which breaks the form flow. Please allow the toggle buttons to receive focus (e.g., remove the negative tab index or set it to 0) so they remain operable for all users.

[overcut-ai]

Posted the queued comment from scratchpad chunk 3 regarding the missing 'email' provider in the shared User type.

[overcut-ai]

[MEDIUM]: The new loginWithEmail/signupWithEmail flows effectively introduce a third auth provider (email), but the shared User interface that this service imports (from @/types/api) still hard-codes provider to 'google' | 'github'. As soon as the backend starts returning 'email' through /auth-status, the runtime value no longer satisfies the declared type, so any code branching on user.provider will either break type-checking or be forced to cast away safety. Please expand User.provider (and any related discriminated unions) to include 'email' so that AuthStatus and every consumer stay type-correct.

[overcut-ai]

Review summary

• Email signup/login backend currently returns distinguishable errors and still masks internal failures, which leaks account-existence information and makes it impossible for the UI to surface real issues (see inline comments).
• The login/signup modal changes introduce keyboard accessibility gaps (non-focusable toggles, Escape/overlay suppression) and modal-closing logic that can leave users stuck if auth fails.
• Auth service/context typing and error propagation don’t cover the new email methods, forcing the UI to assume data that the API never returns.

Tests: Not run (review only).

[overcut-ai]

Summary:

• Email signup now conflates backend failures with duplicate accounts and leaks whether an address already exists, so the API both hides real outages and exposes user data.
• The new email login/signup UI shipped keyboard-inaccessible password toggles, blocking non-pointer users.
• The AuthContext now surfaces email auth but the shared User type still forbids the 'email' provider, so the new flow cannot be represented safely in TypeScript.

Please address these regressions before merging.

[overcut-ai]

[major] This new branch now treats any failure from ensure_user_in_organizations() as “user already exists” and forces a 409. When the helper returns success = False because the graph DB or callback handler failed, we’ll still execute this block, tell the user their email is taken, and hide the real 5xx error. That makes triage impossible and forces users to retry endlessly even though the backend is down. We need to distinguish between success is False (return a 500/"Registration failed") and the legit success=True/new_identity=False case before emitting this response.

[overcut-ai]

[major] Returning "An account with this email already exists" along with a 409 leaks whether a particular email has ever registered. Attackers can now enumerate valid accounts just by hitting /signup/email. The earlier implementation always returned a generic success payload, so this is a new information disclosure. Please respond with a generic error (e.g. “Registration failed”/400) even when the identity already exists, and surface the specific reason only in logs.

[overcut-ai]

[medium] Both password-visibility toggle buttons are rendered with tabIndex={-1}, which removes them from the tab order entirely. Keyboard and assistive-technology users can no longer reach the control, violating WCAG 2.1.2/2.4.3. Please leave the default tab index (and ideally add an aria-label such as “Show password”) so the toggle is operable without a pointer.

[overcut-ai]

[major] Now that the context exposes login.email/signup.email, refreshAuth() will eventually populate user.provider with the literal 'email'. Our shared User type (imported from @/types/api) still restricts provider to 'google' | 'github', so this assignment will be rejected by TypeScript (or worse, forced to any) and anything narrowing on provider will never match the email case. Please extend the User interface to include 'email' (and update the client code accordingly) so the new auth path is representable.