npm - @authagonal/login - Versions diffs - 0.3.8 → 0.3.10 - Mend

@authagonal/login 0.3.8 → 0.3.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/api.d.ts +2 -2
package/dist/index.js +69 -32
package/package.json +1 -1
package/src/api.ts +4 -4
package/src/i18n/de.json +1 -0
package/src/i18n/en.json +1 -0
package/src/i18n/es.json +1 -0
package/src/i18n/fr.json +1 -0
package/src/i18n/pt.json +1 -0
package/src/i18n/tlh.json +1 -0
package/src/i18n/vi.json +1 -0
package/src/i18n/zh-Hans.json +1 -0
package/src/pages/ForgotPasswordPage.tsx +34 -7
package/src/pages/LoginPage.tsx +1 -1
package/src/pages/RegisterPage.tsx +1 -1
package/src/pages/ResetPasswordPage.tsx +28 -3

package/dist/api.d.ts CHANGED Viewed

@@ -10,10 +10,10 @@ export declare function register(email: string, password: string, firstName?: st
 export declare function logout(): Promise<{
     success: true;
 }>;
-export declare function forgotPassword(email: string): Promise<{
+export declare function forgotPassword(email: string, turnstileToken?: string): Promise<{
     success: true;
 }>;
-export declare function resetPassword(token: string, newPassword: string): Promise<{
+export declare function resetPassword(token: string, newPassword: string, turnstileToken?: string): Promise<{
     success: true;
 }>;
 export declare function getSession(): Promise<SessionResponse>;

package/dist/index.js CHANGED Viewed

@@ -3523,6 +3523,7 @@ var Er = {
 	errorEmailRequired: "Email is required",
 	errorPasswordRequired: "Password is required",
 	errorUnexpected: "An unexpected error occurred. Please try again.",
+	captchaFailed: "Verification failed. Please try again.",
 	resetYourPassword: "Reset your password",
 	resetSubtitle: "Enter your email address and we'll send you a link to reset your password.",
 	sending: "Sending...",
@@ -3656,6 +3657,7 @@ var Er = {
 	errorEmailRequired: "电子邮件为必填项",
 	errorPasswordRequired: "密码为必填项",
 	errorUnexpected: "发生意外错误，请重试。",
+	captchaFailed: "验证失败，请重试。",
 	resetYourPassword: "重置密码",
 	resetSubtitle: "输入您的电子邮件地址，我们将向您发送重置密码的链接。",
 	sending: "正在发送...",
@@ -3766,6 +3768,7 @@ var Er = {
 	errorEmailRequired: "E-Mail ist erforderlich",
 	errorPasswordRequired: "Passwort ist erforderlich",
 	errorUnexpected: "Ein unerwarteter Fehler ist aufgetreten. Bitte versuchen Sie es erneut.",
+	captchaFailed: "Verifizierung fehlgeschlagen. Bitte versuchen Sie es erneut.",
 	resetYourPassword: "Passwort zurücksetzen",
 	resetSubtitle: "Geben Sie Ihre E-Mail-Adresse ein und wir senden Ihnen einen Link zum Zurücksetzen Ihres Passworts.",
 	sending: "Wird gesendet...",
@@ -3876,6 +3879,7 @@ var Er = {
 	errorEmailRequired: "L'e-mail est requis",
 	errorPasswordRequired: "Le mot de passe est requis",
 	errorUnexpected: "Une erreur inattendue s'est produite. Veuillez réessayer.",
+	captchaFailed: "Échec de la vérification. Veuillez réessayer.",
 	resetYourPassword: "Réinitialiser votre mot de passe",
 	resetSubtitle: "Entrez votre adresse e-mail et nous vous enverrons un lien pour réinitialiser votre mot de passe.",
 	sending: "Envoi en cours...",
@@ -3986,6 +3990,7 @@ var Er = {
 	errorEmailRequired: "El correo electrónico es obligatorio",
 	errorPasswordRequired: "La contraseña es obligatoria",
 	errorUnexpected: "Se produjo un error inesperado. Por favor, inténtelo de nuevo.",
+	captchaFailed: "Error de verificación. Inténtalo de nuevo.",
 	resetYourPassword: "Restablecer su contraseña",
 	resetSubtitle: "Ingrese su dirección de correo electrónico y le enviaremos un enlace para restablecer su contraseña.",
 	sending: "Enviando...",
@@ -4096,6 +4101,7 @@ var Er = {
 	errorEmailRequired: "Email là bắt buộc",
 	errorPasswordRequired: "Mật khẩu là bắt buộc",
 	errorUnexpected: "Đã xảy ra lỗi không mong muốn. Vui lòng thử lại.",
+	captchaFailed: "Xác minh không thành công. Vui lòng thử lại.",
 	resetYourPassword: "Đặt lại mật khẩu",
 	resetSubtitle: "Nhập địa chỉ email của bạn và chúng tôi sẽ gửi cho bạn liên kết để đặt lại mật khẩu.",
 	sending: "Đang gửi...",
@@ -4206,6 +4212,7 @@ var Er = {
 	errorEmailRequired: "O e-mail é obrigatório",
 	errorPasswordRequired: "A senha é obrigatória",
 	errorUnexpected: "Ocorreu um erro inesperado. Tente novamente.",
+	captchaFailed: "Falha na verificação. Tente novamente.",
 	resetYourPassword: "Redefinir a sua senha",
 	resetSubtitle: "Introduza o seu endereço de e-mail e enviaremos um link para redefinir a sua senha.",
 	sending: "A enviar...",
@@ -4316,6 +4323,7 @@ var Er = {
 	errorEmailRequired: "QIn nab nIteb nISlu'",
 	errorPasswordRequired: "mu'wIj pegh nIteb nISlu'",
 	errorUnexpected: "Qagh qaS. yInIDqa'.",
+	captchaFailed: "ngu' luj. yInIDqa'.",
 	resetYourPassword: "mu'wIj pegh yIchoH",
 	resetSubtitle: "QIn nab yIngu'. mu'wIj pegh choHmeH lIngwI' DangeH.",
 	sending: "ngeHmeH...",
@@ -4724,18 +4732,22 @@ function Yr(e, t, n, r, i) {
 function Xr() {
 	return $("/api/auth/logout", { method: "POST" });
 }
-function Zr(e) {
+function Zr(e, t) {
 	return $("/api/auth/forgot-password", {
 		method: "POST",
-		body: JSON.stringify({ email: e })
+		body: JSON.stringify({
+			email: e,
+			turnstileToken: t
+		})
 	});
 }
-function Qr(e, t) {
+function Qr(e, t, n) {
 	return $("/api/auth/reset-password", {
 		method: "POST",
 		body: JSON.stringify({
 			token: e,
-			newPassword: t
+			newPassword: t,
+			turnstileToken: n
 		})
 	});
 }
@@ -4964,7 +4976,7 @@ function _i() {
 					C(e("errorPasswordRequired"));
 					break;
 				case "captcha_failed":
-					C(e("errorUnexpected"));
+					C(e("captchaFailed"));
 					break;
 				default: C(t.message || e("errorUnexpected"));
 			}
@@ -5204,7 +5216,7 @@ function vi() {
 					b(e("errorEmailAndPasswordRequired"));
 					break;
 				case "captcha_failed":
-					b(e("errorRegistrationFailed"));
+					b(e("captchaFailed"));
 					break;
 				default: b(t.message || e("errorRegistrationFailed"));
 			}
@@ -5326,25 +5338,29 @@ function vi() {
 //#endregion
 //#region src/pages/ForgotPasswordPage.tsx
 function yi() {
-	let { t: e } = L(), [t] = _(), n = t.get("returnUrl") || "", [r, i] = s(""), [a, o] = s(!1), [c, d] = s(!1), [p, m] = s(""), h = n ? `/login?returnUrl=${encodeURIComponent(n)}` : "/login";
-	async function g(t) {
-		t.preventDefault(), m(""), o(!0);
+	let { t: e } = L(), [t] = _(), n = t.get("returnUrl") || "", [r, i] = s(""), [o, c] = s(!1), [d, p] = s(!1), [m, h] = s(""), [g, v] = s(void 0), [y, b] = s(null), [x, S] = s(0);
+	a(() => {
+		ti().then((e) => v(e.turnstileSiteKey)).catch(() => {});
+	}, []);
+	let C = n ? `/login?returnUrl=${encodeURIComponent(n)}` : "/login";
+	async function w(t) {
+		t.preventDefault(), h(""), c(!0);
 		try {
-			await Zr(r), d(!0);
-		} catch {
-			m(e("errorUnexpected"));
+			await Zr(r, y || void 0), p(!0);
+		} catch (t) {
+			t instanceof Kr && t.error === "captcha_failed" ? h(e("captchaFailed")) : h(e("errorUnexpected")), g && (b(null), S((e) => e + 1));
 		} finally {
-			o(!1);
+			c(!1);
 		}
 	}
-	return c ? /* @__PURE__ */ u("div", { children: [
+	return d ? /* @__PURE__ */ u("div", { children: [
 		/* @__PURE__ */ l(G, { children: e("checkYourEmail") }),
 		/* @__PURE__ */ l(Q, {
 			variant: "success",
 			children: e("resetEmailSent")
 		}),
 		/* @__PURE__ */ l(K, { children: /* @__PURE__ */ l(f, {
-			to: h,
+			to: C,
 			className: "text-sm font-medium text-primary hover:underline no-underline",
 			children: e("backToSignIn")
 		}) })
@@ -5354,12 +5370,12 @@ function yi() {
 			className: "mb-5",
 			children: e("resetSubtitle")
 		}),
-		p && /* @__PURE__ */ l(Q, {
+		m && /* @__PURE__ */ l(Q, {
 			variant: "error",
-			children: p
+			children: m
 		}),
 		/* @__PURE__ */ u("form", {
-			onSubmit: g,
+			onSubmit: w,
 			children: [
 				/* @__PURE__ */ u("div", {
 					className: "mb-4",
@@ -5378,13 +5394,21 @@ function yi() {
 						required: !0
 					})]
 				}),
+				g && /* @__PURE__ */ l("div", {
+					className: "mb-4",
+					children: /* @__PURE__ */ l(mi, {
+						siteKey: g,
+						onToken: b
+					}, x)
+				}),
 				/* @__PURE__ */ l(Y, {
 					type: "submit",
-					loading: a,
-					children: e(a ? "sending" : "sendResetLink")
+					loading: o,
+					disabled: !!g && !y,
+					children: e(o ? "sending" : "sendResetLink")
 				}),
 				/* @__PURE__ */ l(K, { children: /* @__PURE__ */ l(f, {
-					to: h,
+					to: C,
 					className: "text-sm font-medium text-primary hover:underline no-underline",
 					children: e("backToSignIn")
 				}) })
@@ -5449,13 +5473,15 @@ function Si(e, t) {
 	});
 }
 function Ci() {
-	let { t: e } = L(), [t] = _(), n = t.get("p") || "", [r, i] = s(""), [o, c] = s(""), [d, p] = s(!1), [m, h] = s(""), [g, v] = s(!1), [y, b] = s(""), [x, S] = s(xi);
+	let { t: e } = L(), [t] = _(), n = t.get("p") || "", [r, i] = s(""), [o, c] = s(""), [d, p] = s(!1), [m, h] = s(""), [g, v] = s(!1), [y, b] = s(""), [x, S] = s(xi), [C, w] = s(void 0), [T, E] = s(null), [D, O] = s(0);
 	a(() => {
 		fetch(`${bi}/api/auth/password-policy`).then((e) => e.ok ? e.json() : null).then((e) => {
 			e?.rules && S(e.rules);
 		}).catch(() => {});
+	}, []), a(() => {
+		ti().then((e) => w(e.turnstileSiteKey)).catch(() => {});
 	}, []);
-	function C(t) {
+	function k(t) {
 		switch (t.rule) {
 			case "minLength": return e("ruleMinLength", { count: t.value ?? 8 });
 			case "uppercase": return e("ruleUppercase");
@@ -5465,12 +5491,12 @@ function Ci() {
 			default: return t.label;
 		}
 	}
-	let w = Si(r, x.map((e) => ({
+	let A = Si(r, x.map((e) => ({
 		...e,
-		label: C(e)
-	}))), T = w.every((e) => e.met);
-	async function E(t) {
-		if (t.preventDefault(), h(""), b(""), !T) {
+		label: k(e)
+	}))), j = A.every((e) => e.met);
+	async function M(t) {
+		if (t.preventDefault(), h(""), b(""), !j) {
 			b(e("passwordNotMeetRequirements"));
 			return;
 		}
@@ -5480,7 +5506,7 @@ function Ci() {
 		}
 		p(!0);
 		try {
-			await Qr(n, r), v(!0);
+			await Qr(n, r, T || void 0), v(!0);
 		} catch (t) {
 			if (t instanceof Kr) switch (t.error) {
 				case "weak_password":
@@ -5493,9 +5519,13 @@ function Ci() {
 				case "password_required":
 					h(e("errorPasswordRequired"));
 					break;
+				case "captcha_failed":
+					h(e("captchaFailed"));
+					break;
 				default: h(t.message || e("errorUnexpected"));
 			}
 			else h(e("errorUnexpected"));
+			C && (E(null), O((e) => e + 1));
 		} finally {
 			p(!1);
 		}
@@ -5522,7 +5552,7 @@ function Ci() {
 			children: y
 		}),
 		/* @__PURE__ */ u("form", {
-			onSubmit: E,
+			onSubmit: M,
 			children: [
 				/* @__PURE__ */ u("div", {
 					className: "mb-4",
@@ -5543,7 +5573,7 @@ function Ci() {
 				}),
 				r.length > 0 && /* @__PURE__ */ l("ul", {
 					className: "list-none mb-4 p-3 bg-gray-50 dark:bg-gray-800/60 rounded-md",
-					children: w.map((e) => /* @__PURE__ */ u("li", {
+					children: A.map((e) => /* @__PURE__ */ u("li", {
 						className: `text-[13px] py-0.5 flex items-center gap-1.5 ${e.met ? "text-green-800 dark:text-green-400" : "text-red-800 dark:text-red-400"}`,
 						children: [e.met ? /* @__PURE__ */ l(Xt, { className: "h-3.5 w-3.5 shrink-0" }) : /* @__PURE__ */ l(tn, { className: "h-3.5 w-3.5 shrink-0" }), e.label]
 					}, e.label))
@@ -5564,10 +5594,17 @@ function Ci() {
 						required: !0
 					})]
 				}),
+				C && /* @__PURE__ */ l("div", {
+					className: "mb-4",
+					children: /* @__PURE__ */ l(mi, {
+						siteKey: C,
+						onToken: E
+					}, D)
+				}),
 				/* @__PURE__ */ l(Y, {
 					type: "submit",
 					loading: d,
-					disabled: !T,
+					disabled: !j || !!C && !T,
 					children: e(d ? "resetting" : "resetPassword")
 				}),
 				/* @__PURE__ */ l(K, { children: /* @__PURE__ */ l(f, {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@authagonal/login",
-  "version": "0.3.8",
+  "version": "0.3.10",
   "description": "Default login UI for Authagonal — runtime-configurable via branding.json",
   "type": "module",
   "license": "MIT",

package/src/api.ts CHANGED Viewed

@@ -66,17 +66,17 @@ export function logout(): Promise<{ success: true }> {
   });
 }
-export function forgotPassword(email: string): Promise<{ success: true }> {
+export function forgotPassword(email: string, turnstileToken?: string): Promise<{ success: true }> {
   return api<{ success: true }>('/api/auth/forgot-password', {
     method: 'POST',
-    body: JSON.stringify({ email }),
+    body: JSON.stringify({ email, turnstileToken }),
   });
 }
-export function resetPassword(token: string, newPassword: string): Promise<{ success: true }> {
+export function resetPassword(token: string, newPassword: string, turnstileToken?: string): Promise<{ success: true }> {
   return api<{ success: true }>('/api/auth/reset-password', {
     method: 'POST',
-    body: JSON.stringify({ token, newPassword }),
+    body: JSON.stringify({ token, newPassword, turnstileToken }),
   });
 }

package/src/i18n/de.json CHANGED Viewed

@@ -16,6 +16,7 @@
   "errorEmailRequired": "E-Mail ist erforderlich",
   "errorPasswordRequired": "Passwort ist erforderlich",
   "errorUnexpected": "Ein unerwarteter Fehler ist aufgetreten. Bitte versuchen Sie es erneut.",
+  "captchaFailed": "Verifizierung fehlgeschlagen. Bitte versuchen Sie es erneut.",
   "resetYourPassword": "Passwort zurücksetzen",
   "resetSubtitle": "Geben Sie Ihre E-Mail-Adresse ein und wir senden Ihnen einen Link zum Zurücksetzen Ihres Passworts.",
   "sending": "Wird gesendet...",

package/src/i18n/en.json CHANGED Viewed

@@ -16,6 +16,7 @@
   "errorEmailRequired": "Email is required",
   "errorPasswordRequired": "Password is required",
   "errorUnexpected": "An unexpected error occurred. Please try again.",
+  "captchaFailed": "Verification failed. Please try again.",
   "resetYourPassword": "Reset your password",
   "resetSubtitle": "Enter your email address and we'll send you a link to reset your password.",
   "sending": "Sending...",

package/src/i18n/es.json CHANGED Viewed

@@ -16,6 +16,7 @@
   "errorEmailRequired": "El correo electrónico es obligatorio",
   "errorPasswordRequired": "La contraseña es obligatoria",
   "errorUnexpected": "Se produjo un error inesperado. Por favor, inténtelo de nuevo.",
+  "captchaFailed": "Error de verificación. Inténtalo de nuevo.",
   "resetYourPassword": "Restablecer su contraseña",
   "resetSubtitle": "Ingrese su dirección de correo electrónico y le enviaremos un enlace para restablecer su contraseña.",
   "sending": "Enviando...",

package/src/i18n/fr.json CHANGED Viewed

@@ -16,6 +16,7 @@
   "errorEmailRequired": "L'e-mail est requis",
   "errorPasswordRequired": "Le mot de passe est requis",
   "errorUnexpected": "Une erreur inattendue s'est produite. Veuillez réessayer.",
+  "captchaFailed": "Échec de la vérification. Veuillez réessayer.",
   "resetYourPassword": "Réinitialiser votre mot de passe",
   "resetSubtitle": "Entrez votre adresse e-mail et nous vous enverrons un lien pour réinitialiser votre mot de passe.",
   "sending": "Envoi en cours...",

package/src/i18n/pt.json CHANGED Viewed

@@ -16,6 +16,7 @@
   "errorEmailRequired": "O e-mail é obrigatório",
   "errorPasswordRequired": "A senha é obrigatória",
   "errorUnexpected": "Ocorreu um erro inesperado. Tente novamente.",
+  "captchaFailed": "Falha na verificação. Tente novamente.",
   "resetYourPassword": "Redefinir a sua senha",
   "resetSubtitle": "Introduza o seu endereço de e-mail e enviaremos um link para redefinir a sua senha.",
   "sending": "A enviar...",

package/src/i18n/tlh.json CHANGED Viewed

@@ -16,6 +16,7 @@
   "errorEmailRequired": "QIn nab nIteb nISlu'",
   "errorPasswordRequired": "mu'wIj pegh nIteb nISlu'",
   "errorUnexpected": "Qagh qaS. yInIDqa'.",
+  "captchaFailed": "ngu' luj. yInIDqa'.",
   "resetYourPassword": "mu'wIj pegh yIchoH",
   "resetSubtitle": "QIn nab yIngu'. mu'wIj pegh choHmeH lIngwI' DangeH.",
   "sending": "ngeHmeH...",

package/src/i18n/vi.json CHANGED Viewed

@@ -16,6 +16,7 @@
   "errorEmailRequired": "Email là bắt buộc",
   "errorPasswordRequired": "Mật khẩu là bắt buộc",
   "errorUnexpected": "Đã xảy ra lỗi không mong muốn. Vui lòng thử lại.",
+  "captchaFailed": "Xác minh không thành công. Vui lòng thử lại.",
   "resetYourPassword": "Đặt lại mật khẩu",
   "resetSubtitle": "Nhập địa chỉ email của bạn và chúng tôi sẽ gửi cho bạn liên kết để đặt lại mật khẩu.",
   "sending": "Đang gửi...",

package/src/i18n/zh-Hans.json CHANGED Viewed

@@ -16,6 +16,7 @@
   "errorEmailRequired": "电子邮件为必填项",
   "errorPasswordRequired": "密码为必填项",
   "errorUnexpected": "发生意外错误，请重试。",
+  "captchaFailed": "验证失败，请重试。",
   "resetYourPassword": "重置密码",
   "resetSubtitle": "输入您的电子邮件地址，我们将向您发送重置密码的链接。",
   "sending": "正在发送...",

package/src/pages/ForgotPasswordPage.tsx CHANGED Viewed

@@ -1,7 +1,8 @@
-import { useState } from 'react';
+import { useState, useEffect } from 'react';
 import { useSearchParams, Link } from 'react-router-dom';
 import { useTranslation } from 'react-i18next';
-import { forgotPassword } from '../api';
+import { forgotPassword, getProviders, ApiRequestError } from '../api';
+import { Turnstile } from '../components/Turnstile';
 import { Button } from '@/components/ui/button';
 import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
@@ -17,6 +18,16 @@ export default function ForgotPasswordPage() {
   const [loading, setLoading] = useState(false);
   const [submitted, setSubmitted] = useState(false);
   const [error, setError] = useState('');
+  const [turnstileSiteKey, setTurnstileSiteKey] = useState<string | undefined>(undefined);
+  const [turnstileToken, setTurnstileToken] = useState<string | null>(null);
+  const [turnstileKey, setTurnstileKey] = useState(0); // bump to re-mount the widget for a fresh challenge
+  // Surface the Turnstile site key (opt-in; empty when not configured for the tenant).
+  useEffect(() => {
+    getProviders()
+      .then((res) => setTurnstileSiteKey(res.turnstileSiteKey))
+      .catch(() => {});
+  }, []);
   const loginLink = returnUrl
     ? `/login?returnUrl=${encodeURIComponent(returnUrl)}`
@@ -28,11 +39,21 @@ export default function ForgotPasswordPage() {
     setLoading(true);
     try {
-      await forgotPassword(email);
+      await forgotPassword(email, turnstileToken || undefined);
       setSubmitted(true);
-    } catch {
-      // The API always returns 200 for anti-enumeration, but handle errors just in case
-      setError(t('errorUnexpected'));
+    } catch (err) {
+      // The API always returns 200 for anti-enumeration; the only expected error is a
+      // failed captcha (handled explicitly), otherwise a generic message.
+      if (err instanceof ApiRequestError && err.error === 'captcha_failed') {
+        setError(t('captchaFailed'));
+      } else {
+        setError(t('errorUnexpected'));
+      }
+      // Turnstile tokens are single-use — reset so a retry gets a fresh challenge.
+      if (turnstileSiteKey) {
+        setTurnstileToken(null);
+        setTurnstileKey((k) => k + 1);
+      }
     } finally {
       setLoading(false);
     }
@@ -75,7 +96,13 @@ export default function ForgotPasswordPage() {
           />
         </div>
-        <Button type="submit" loading={loading}>
+        {turnstileSiteKey && (
+          <div className="mb-4">
+            <Turnstile key={turnstileKey} siteKey={turnstileSiteKey} onToken={setTurnstileToken} />
+          </div>
+        )}
+        <Button type="submit" loading={loading} disabled={!!turnstileSiteKey && !turnstileToken}>
           {loading ? t('sending') : t('sendResetLink')}
         </Button>

package/src/pages/LoginPage.tsx CHANGED Viewed

@@ -224,7 +224,7 @@ export default function LoginPage() {
             setError(t('errorPasswordRequired'));
             break;
           case 'captcha_failed':
-            setError(t('errorUnexpected'));
+            setError(t('captchaFailed'));
             break;
           default:
             setError(err.message || t('errorUnexpected'));

package/src/pages/RegisterPage.tsx CHANGED Viewed

@@ -70,7 +70,7 @@ export default function RegisterPage() {
             setError(t('errorEmailAndPasswordRequired'));
             break;
           case 'captcha_failed':
-            setError(t('errorRegistrationFailed'));
+            setError(t('captchaFailed'));
             break;
           default:
             setError(err.message || t('errorRegistrationFailed'));

package/src/pages/ResetPasswordPage.tsx CHANGED Viewed

@@ -1,7 +1,8 @@
 import { useState, useEffect } from 'react';
 import { useSearchParams, Link } from 'react-router-dom';
 import { useTranslation } from 'react-i18next';
-import { resetPassword, ApiRequestError } from '../api';
+import { resetPassword, getProviders, ApiRequestError } from '../api';
+import { Turnstile } from '../components/Turnstile';
 import { Button } from '@/components/ui/button';
 import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
@@ -57,6 +58,9 @@ export default function ResetPasswordPage() {
   const [success, setSuccess] = useState(false);
   const [validationError, setValidationError] = useState('');
   const [rules, setRules] = useState<PasswordRule[]>(defaultRules);
+  const [turnstileSiteKey, setTurnstileSiteKey] = useState<string | undefined>(undefined);
+  const [turnstileToken, setTurnstileToken] = useState<string | null>(null);
+  const [turnstileKey, setTurnstileKey] = useState(0); // bump to re-mount the widget for a fresh challenge
   useEffect(() => {
     fetch(`${API_URL}/api/auth/password-policy`)
@@ -65,6 +69,13 @@ export default function ResetPasswordPage() {
       .catch(() => { /* use defaults */ });
   }, []);
+  // Surface the Turnstile site key (opt-in; empty when not configured for the tenant).
+  useEffect(() => {
+    getProviders()
+      .then((res) => setTurnstileSiteKey(res.turnstileSiteKey))
+      .catch(() => {});
+  }, []);
   function getRuleLabel(rule: PasswordRule): string {
     switch (rule.rule) {
       case 'minLength': return t('ruleMinLength', { count: rule.value ?? 8 });
@@ -102,7 +113,7 @@ export default function ResetPasswordPage() {
     setLoading(true);
     try {
-      await resetPassword(token, newPassword);
+      await resetPassword(token, newPassword, turnstileToken || undefined);
       setSuccess(true);
     } catch (err) {
       if (err instanceof ApiRequestError) {
@@ -117,12 +128,20 @@ export default function ResetPasswordPage() {
           case 'password_required':
             setError(t('errorPasswordRequired'));
             break;
+          case 'captcha_failed':
+            setError(t('captchaFailed'));
+            break;
           default:
             setError(err.message || t('errorUnexpected'));
         }
       } else {
         setError(t('errorUnexpected'));
       }
+      // Turnstile tokens are single-use — reset so a retry gets a fresh challenge.
+      if (turnstileSiteKey) {
+        setTurnstileToken(null);
+        setTurnstileKey((k) => k + 1);
+      }
     } finally {
       setLoading(false);
     }
@@ -204,7 +223,13 @@ export default function ResetPasswordPage() {
           />
         </div>
-        <Button type="submit" loading={loading} disabled={!allRequirementsMet}>
+        {turnstileSiteKey && (
+          <div className="mb-4">
+            <Turnstile key={turnstileKey} siteKey={turnstileSiteKey} onToken={setTurnstileToken} />
+          </div>
+        )}
+        <Button type="submit" loading={loading} disabled={!allRequirementsMet || (!!turnstileSiteKey && !turnstileToken)}>
           {loading ? t('resetting') : t('resetPassword')}
         </Button>