@Ubisoft-potato Ubisoft-potato commented Aug 11, 2025

Password Authentication Implementation

Summary

  • Implement password authentication feature for Bucketeer
  • Add password setup and reset functionality with email notifications
  • Support multiple email providers (SendGrid, SES, SMTP)

Key Changes

  • Authentication API: Added password setup, reset, and update endpoints
  • Email Service: Integrated SendGrid, SES, and SMTP for password notifications
  • Database: Added account credentials table for password storage
  • Configuration: Added password auth configuration with customizable templates
  • Security: Implemented password validation and secure token handling

Password Setup Workflow

  • New User Account Creation Workflow
  flowchart TD
      A[Admin Creates New User Account] --> B[System Creates Account in Database]
      B --> C[System Generates Password Setup Token]
      C --> D[System Sends Setup Email to User]
      D --> E[User Clicks Email Link]
      E --> F[User Sets New Password]
      F --> G[Password Setup Complete]

      style C fill:#e8f5e8
      style D fill:#fff3e0

Process:

  1. Admin creates a new user account through the admin interface
  2. System automatically creates the account and generates a secure setup token
  3. Setup email with token link is sent to the new user
  4. User clicks the link and sets their password
  5. User can now login with email/password

  • Existing OAuth User Password Setup Workflow
  flowchart TD
      A[User Logs in via OAuth] --> B[System Checks if User Has Password]
      B --> C{Has Password?}
      C -->|Yes| D[Login Complete - No Action Needed]
      C -->|No| E[System Generates Password Setup Token]
      E --> F[System Sends Setup Email to User]
      F --> G[User Clicks Email Link]
      G --> H[User Sets New Password]
      H --> I[User Now Has Both OAuth + Password Login]

      style E fill:#e8f5e8
      style F fill:#fff3e0

Process:

  1. Existing OAuth user (Google/GitHub) logs in successfully
  2. System checks if user already has password credentials
  3. If no password exists, system generates setup token and sends email
  4. User optionally sets up password for alternative login method
  5. User can now login via OAuth OR email/password

Password Setup page workflow

  sequenceDiagram
      participant User
      participant Frontend
      participant Backend

      Note over User, Backend: User receives setup email with setupToken
      User->>Frontend: Clicks setup link with setupToken
      Frontend->>Backend: POST /v1/auth/password/setup/validate
      Note right of Frontend: Body: {"setupToken": "xyz"}
      Backend-->>Frontend: 200 OK with {"isValid": true, "email": "[email protected]"}

      alt Token Valid
          Frontend->>User: Show password setup form with email
          User->>Frontend: Enters new password
          Frontend->>Backend: POST /v1/auth/password/setup
          Note right of Frontend: Body: {"setupToken": "xyz", "newPassword": "newpass"}
          Backend-->>Frontend: 200 OK or 400 Bad Request

          alt Setup Success
              Frontend->>User: Show success message
              Frontend->>Frontend: Redirect to login page
          else Setup Failed
              Frontend->>User: Show error message and keep form open
          end
      else Token Invalid
          Frontend->>User: Show "Invalid Token" error
      end
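
The setup-token lifecycle behind both workflows and the setup page sequence above, as an added Go example that is not code from this PR. The in-memory store, the record shape, the 32-byte token size and the one-hour TTL are assumptions; the sketch keeps only a SHA-256 digest of each token and enforces expiry and single use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"time"
)

// TokenStore (hypothetical, in-memory) is keyed by SHA-256(token), never the token itself.
type TokenStore map[[32]byte]setupRecord
type setupRecord struct {
	email     string
	expiresAt time.Time
}

// Issue returns a 256-bit random token to embed in the emailed setup URL.
func (s TokenStore) Issue(email string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s[sha256.Sum256([]byte(token))] = setupRecord{email: email, expiresAt: now.Add(ttl)}
	return token, nil
}

// Check serves the validate call (consume=false) and the setup call (consume=true).
func (s TokenStore) Check(token string, now time.Time, consume bool) (string, bool) {
	key := sha256.Sum256([]byte(token))
	rec, ok := s[key]
	if consume {
		delete(s, key) // single use; a database-backed store would do this in one transaction
	}
	if !ok || !now.Before(rec.expiresAt) {
		return "", false
	}
	return rec.email, true
}

func main() {
	s, now := TokenStore{}, time.Now()
	tok, err := s.Issue("user@example.test", time.Hour, now) // constructed sample address
	if err != nil {
		panic(err)
	}
	fmt.Println(s.Check(tok, now, true)) // first use succeeds
	fmt.Println(s.Check(tok, now, true)) // replay of the same link is rejected
}
```

Calling `Check` with `consume=true` only after the new password has passed validation keeps the form usable after a 400 response, as in the sequence diagram.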


@Ubisoft-potato Ubisoft-potato force-pushed the feat-password-authentication branch from 3081014 to 784d790 Compare August 19, 2025 00:39
@cre8ivejp
Member

We don't need to do this in this PR, but we will need to implement the password and google authentication as a setting in the organization settings.
So, the user can select the authentication types that are allowed in their organization.

When inviting a new user, we will need a flow for typing the new password when accessing the console for the first time, too.

@Ubisoft-potato Ubisoft-potato force-pushed the feat-password-authentication branch 5 times, most recently from d536062 to d95c698 Compare August 29, 2025 03:30
@Ubisoft-potato Ubisoft-potato force-pushed the feat-password-authentication branch from d95c698 to 2dc5295 Compare September 3, 2025 02:48
Comment on lines 123 to 132
templates:
passwordChanged:
subject: "✅ Password Changed Successfully"
body: "<!DOCTYPE html><html><head><meta charset=\"utf-8\"><style>body{font-family:Arial,sans-serif;color:#333}.container{max-width:600px;margin:0 auto;padding:20px}.alert{background:#fff3cd;padding:15px;border-radius:5px;margin:20px 0}</style></head><body><div class=\"container\"><h1>✅ Password Changed Successfully</h1><p>Hello,</p><p>This email confirms that your Bucketeer password has been successfully changed.</p><div class=\"alert\"><strong>Security Notice:</strong> If you did not make this change, please contact your system administrator immediately.</div><p>Thank you for keeping your account secure.</p></div></body></html>"
passwordSetup:
subject: "🔐 Set Up Your Bucketeer Password"
body: "<!DOCTYPE html><html><head><meta charset=\"utf-8\"><style>body{font-family:Arial,sans-serif;color:#333}.container{max-width:600px;margin:0 auto;padding:20px}.button{display:inline-block;padding:12px 24px;background:#007bff;color:white;text-decoration:none;border-radius:5px}.warning{background:#fff3cd;padding:15px;border-radius:5px;margin:20px 0}</style></head><body><div class=\"container\"><h1>Set Up Your Bucketeer Password</h1><p>Hello,</p><p>Your Bucketeer account is ready! To get started, please set up your password by clicking the button below:</p><p style=\"text-align:center;margin:30px 0\"><a href=\"{{setupURL}}\" class=\"button\">Set Up Password</a></p><p>Or copy and paste this link: {{setupURL}}</p><div class=\"warning\"><strong>Security Note:</strong> This link will expire in {{expirationTime}}. Never share this link with anyone. Choose a strong, unique password.</div></div></body></html>"
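
Review bot: In the passwordSetup body, `{{setupURL}}` is substituted both inside `href="{{setupURL}}"` and as visible text, so the renderer should HTML-escape the value (or use a context-aware template engine) rather than do plain string replacement; please confirm which it is and add a test with a URL containing `"` and `<`. Separately, the one-line HTML bodies are hard to review and diff; a multi-line YAML block scalar or separate template files would make later changes, including per-language variants, easier to check.
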
Member

Since we support multiple languages, we need it in the templates.

Collaborator Author

Oh, let me implement it.

Collaborator Author

I added ja and en language email templates for now.

Comment on lines 118 to +159
demoSignIn:
enabled: true
email: [email protected]
password: demo
organizationId: demo
organizationOwnerEmail: [email protected]
projectId: demo
environmentId: demo
email: "[email protected]"
password: "demo"
organizationId: "demo"
organizationOwnerEmail: "[email protected]"
projectId: "demo"
environmentId: "demo"
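
Review bot: demoSignIn keeps `enabled: true` next to `password: "demo"`, so any deployment that takes these defaults unchanged starts with a working, publicly known credential. Consider defaulting `enabled` to false, or requiring the demo password to be supplied explicitly, and keeping the demo values in a development-only override. The added quoting of the string values is fine.
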
Member

We are implementing password authentication to replace the old implementation.
We will also need to update the initialization scripts for the dev container and docker-compose so we can access the console when deploying.

Collaborator Author

Yes, I already implemented it: when the web service starts, it creates the demo user's demo password in the database.

@cre8ivejp
Member

@Ubisoft-potato, can you update the PR's description to show the whole flow using Mermaid?
That will make it much easier to visualize how it works.

@Ubisoft-potato
Collaborator Author

> @Ubisoft-potato, can you update the PR's description to show the whole flow using Mermaid? That will make it much easier to visualize how it works.

Sure, I will show the whole workflow using Mermaid!

@Ubisoft-potato
Collaborator Author

> @Ubisoft-potato, can you update the PR's description to show the whole flow using Mermaid? That will make it much easier to visualize how it works.

@cre8ivejp I have updated the description with the detailed workflow, please take a look.

@hvn2k1
Contributor

hvn2k1 commented Sep 4, 2025

@Ubisoft-potato thank you for your great work 💯
I haven't fully reviewed your PR yet but left some comments.

@Ubisoft-potato Ubisoft-potato force-pushed the feat-password-authentication branch 4 times, most recently from 1f74eff to 8c8b275 Compare September 9, 2025 03:28
@Ubisoft-potato Ubisoft-potato marked this pull request as ready for review September 10, 2025 03:50
@Ubisoft-potato Ubisoft-potato force-pushed the feat-password-authentication branch from 8c8b275 to d295fa4 Compare September 12, 2025 02:41
@Ubisoft-potato Ubisoft-potato force-pushed the feat-password-authentication branch from 0a825d4 to a648cde Compare October 9, 2025 01:31