npm - @open-mercato/core - Versions diffs - 0.4.2-canary-da2b080494 → 0.4.2-canary-19353c5970 - Mend

@open-mercato/core 0.4.2-canary-da2b080494 → 0.4.2-canary-19353c5970

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (433) hide show

package/src/modules/auth/api/admin/nav.ts CHANGED Viewed

@@ -297,12 +297,16 @@ export async function GET(req: Request) {
   const groupsWithRole = rolePreference ? applySidebarPreference(groups, rolePreference) : groups
   const baseForUser = adoptSidebarDefaults(groupsWithRole)
-  const preference = await loadSidebarPreference(em, {
-    userId: auth.sub,
-    tenantId: auth.tenantId ?? null,
-    organizationId: auth.orgId ?? null,
-    locale,
-  })
+  // For API key auth, use userId (the actual user) if available; otherwise skip user preferences
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  const preference = effectiveUserId
+    ? await loadSidebarPreference(em, {
+        userId: effectiveUserId,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        locale,
+      })
+    : null
   const withPreference = applySidebarPreference(baseForUser, preference)

package/src/modules/auth/api/profile/route.ts ADDED Viewed

@@ -0,0 +1,163 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import type { CommandBus, CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { signJwt } from '@open-mercato/shared/lib/auth/jwt'
+import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import { User } from '@open-mercato/core/modules/auth/data/entities'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
+const profileResponseSchema = z.object({
+  email: z.string().email(),
+})
+const passwordSchema = buildPasswordSchema()
+const updateSchema = z.object({
+  email: z.string().email().optional(),
+  password: passwordSchema.optional(),
+}).refine((data) => Boolean(data.email || data.password), {
+  message: 'Provide an email or password.',
+  path: ['email'],
+})
+const profileUpdateResponseSchema = z.object({
+  ok: z.literal(true),
+  email: z.string().email(),
+})
+export const metadata = {
+  GET: { requireAuth: true },
+  PUT: { requireAuth: true },
+}
+function buildCommandContext(container: Awaited<ReturnType<typeof createRequestContainer>>, auth: NonNullable<Awaited<ReturnType<typeof getAuthFromRequest>>>, req: Request): CommandRuntimeContext {
+  return {
+    container,
+    auth,
+    organizationScope: null,
+    selectedOrganizationId: auth.orgId ?? null,
+    organizationIds: auth.orgId ? [auth.orgId] : null,
+    request: req,
+  }
+}
+export async function GET(req: Request) {
+  const { translate } = await resolveTranslations()
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) {
+    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })
+  }
+  try {
+    const container = await createRequestContainer()
+    const em = (container.resolve('em') as EntityManager)
+    const user = await findOneWithDecryption(
+      em,
+      User,
+      { id: auth.sub, deletedAt: null },
+      undefined,
+      { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
+    )
+    if (!user) {
+      return NextResponse.json({ error: translate('auth.users.form.errors.notFound', 'User not found') }, { status: 404 })
+    }
+    return NextResponse.json({ email: String(user.email) })
+  } catch (err) {
+    console.error('auth.profile.load failed', err)
+    return NextResponse.json({ error: translate('auth.profile.form.errors.load', 'Failed to load profile.') }, { status: 400 })
+  }
+}
+export async function PUT(req: Request) {
+  const { translate } = await resolveTranslations()
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) {
+    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })
+  }
+  try {
+    const body = await req.json().catch(() => ({}))
+    const parsed = updateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json(
+        {
+          error: translate('auth.profile.form.errors.invalid', 'Invalid profile update.'),
+          issues: parsed.error.issues,
+        },
+        { status: 400 },
+      )
+    }
+    const container = await createRequestContainer()
+    const commandBus = (container.resolve('commandBus') as CommandBus)
+    const ctx = buildCommandContext(container, auth, req)
+    const { result } = await commandBus.execute<{ id: string; email?: string; password?: string }, User>(
+      'auth.users.update',
+      {
+        input: {
+          id: auth.sub,
+          email: parsed.data.email,
+          password: parsed.data.password,
+        },
+        ctx,
+      },
+    )
+    const authService = container.resolve('authService') as AuthService
+    const roles = await authService.getUserRoles(result, result.tenantId ? String(result.tenantId) : null)
+    const jwt = signJwt({
+      sub: String(result.id),
+      tenantId: result.tenantId ? String(result.tenantId) : null,
+      orgId: result.organizationId ? String(result.organizationId) : null,
+      email: result.email,
+      roles,
+    })
+    const res = NextResponse.json({ ok: true, email: String(result.email) })
+    res.cookies.set('auth_token', jwt, {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: 60 * 60 * 8,
+    })
+    return res
+  } catch (err) {
+    if (err instanceof CrudHttpError) {
+      return NextResponse.json(err.body, { status: err.status })
+    }
+    console.error('auth.profile.update failed', err)
+    return NextResponse.json({ error: translate('auth.profile.form.errors.save', 'Failed to update profile.') }, { status: 400 })
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Authentication & Accounts',
+  summary: 'Profile settings',
+  methods: {
+    GET: {
+      summary: 'Get current profile',
+      description: 'Returns the email address for the signed-in user.',
+      responses: [
+        { status: 200, description: 'Profile payload', schema: profileResponseSchema },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+        { status: 404, description: 'User not found', schema: z.object({ error: z.string() }) },
+      ],
+    },
+    PUT: {
+      summary: 'Update current profile',
+      description: 'Updates the email address or password for the signed-in user.',
+      requestBody: {
+        contentType: 'application/json',
+        schema: updateSchema,
+      },
+      responses: [
+        { status: 200, description: 'Profile updated', schema: profileUpdateResponseSchema },
+        { status: 400, description: 'Invalid payload', schema: z.object({ error: z.string() }) },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+      ],
+    },
+  },
+}

package/src/modules/auth/api/reset/confirm.ts CHANGED Viewed

@@ -3,6 +3,9 @@ import { NextResponse } from 'next/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 // validation via confirmPasswordResetSchema
@@ -15,8 +18,28 @@ export async function POST(req: Request) {
   if (!parsed.success) return NextResponse.json({ ok: false, error: 'Invalid request' }, { status: 400 })
   const c = await createRequestContainer()
   const auth = c.resolve<AuthService>('authService')
-  const ok = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
-  if (!ok) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
+  const user = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
+  if (!user) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c)
+      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.completed')
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null,
+        })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.reset.confirm] Failed to create notification:', err)
+  }
   return NextResponse.json({ ok: true, redirect: '/login' })
 }

package/src/modules/auth/api/reset.ts CHANGED Viewed

@@ -6,6 +6,9 @@ import { AuthService } from '@open-mercato/core/modules/auth/services/authServic
 import { sendEmail } from '@open-mercato/shared/lib/email/send'
 import ResetPasswordEmail from '@open-mercato/core/modules/auth/emails/ResetPasswordEmail'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 // validation via requestPasswordResetSchema
@@ -35,6 +38,26 @@ export async function POST(req: Request) {
   }
   await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) })
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c)
+      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.requested')
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null,
+        })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.reset] Failed to create notification:', err)
+  }
   return NextResponse.json({ ok: true })
 }

package/src/modules/auth/api/sidebar/preferences/route.ts CHANGED Viewed

@@ -64,12 +64,16 @@ export async function GET(req: Request) {
     { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
   ) ?? false
-  const settings = await loadSidebarPreference(em, {
-    userId: auth.sub,
-    tenantId: auth.tenantId ?? null,
-    organizationId: auth.orgId ?? null,
-    locale,
-  })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  const settings = effectiveUserId
+    ? await loadSidebarPreference(em, {
+        userId: effectiveUserId,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        locale,
+      })
+    : null
   let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []
   if (canApplyToRoles) {
@@ -92,11 +96,11 @@ export async function GET(req: Request) {
   return NextResponse.json({
     locale,
     settings: {
-      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,
-      groupOrder: settings.groupOrder ?? [],
-      groupLabels: settings.groupLabels ?? {},
-      itemLabels: settings.itemLabels ?? {},
-      hiddenItems: settings.hiddenItems ?? [],
+      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,
+      groupOrder: settings?.groupOrder ?? [],
+      groupLabels: settings?.groupLabels ?? {},
+      itemLabels: settings?.itemLabels ?? {},
+      hiddenItems: settings?.hiddenItems ?? [],
     },
     canApplyToRoles,
     roles: rolesPayload,
@@ -106,6 +110,11 @@ export async function GET(req: Request) {
 export async function PUT(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  if (!effectiveUserId) {
+    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })
+  }
   let parsedBody: unknown
   try {
@@ -182,7 +191,7 @@ export async function PUT(req: Request) {
   }
   const settings = await saveSidebarPreference(em, {
-    userId: auth.sub,
+    userId: effectiveUserId,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale,

package/src/modules/auth/api/users/route.ts CHANGED Viewed

@@ -15,6 +15,7 @@ import type { EntityManager } from '@mikro-orm/postgresql'
 import { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'
 import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
 const querySchema = z.object({
   id: z.string().uuid().optional(),
@@ -27,9 +28,11 @@ const querySchema = z.object({
 const rawBodySchema = z.object({}).passthrough()
+const passwordSchema = buildPasswordSchema()
 const userCreateSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional(),
 })
@@ -37,7 +40,7 @@ const userCreateSchema = z.object({
 const userUpdateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: z.string().min(6).optional(),
+  password: passwordSchema.optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional(),
 })

package/src/modules/auth/backend/auth/profile/page.meta.ts ADDED Viewed

@@ -0,0 +1,9 @@
+export const metadata = {
+  requireAuth: true,
+  navHidden: true,
+  pageTitle: 'Profile',
+  pageTitleKey: 'auth.profile.title',
+  breadcrumb: [
+    { label: 'Profile', labelKey: 'auth.profile.title' },
+  ],
+}

package/src/modules/auth/backend/auth/profile/page.tsx ADDED Viewed

@@ -0,0 +1,174 @@
+"use client"
+import * as React from 'react'
+import { useRouter } from 'next/navigation'
+import { z } from 'zod'
+import { Save } from 'lucide-react'
+import { Page, PageBody } from '@open-mercato/ui/backend/Page'
+import { CrudForm, type CrudField } from '@open-mercato/ui/backend/CrudForm'
+import { apiCall, readApiResultOrThrow } from '@open-mercato/ui/backend/utils/apiCall'
+import { createCrudFormError } from '@open-mercato/ui/backend/utils/serverErrors'
+import { flash } from '@open-mercato/ui/backend/FlashMessages'
+import { LoadingMessage, ErrorMessage } from '@open-mercato/ui/backend/detail'
+import { Button } from '@open-mercato/ui/primitives/button'
+import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { buildPasswordSchema, formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
+type ProfileResponse = {
+  email?: string | null
+}
+type ProfileUpdateResponse = {
+  ok?: boolean
+  email?: string | null
+}
+type ProfileFormValues = {
+  email: string
+  password?: string
+  confirmPassword?: string
+}
+export default function AuthProfilePage() {
+  const t = useT()
+  const router = useRouter()
+  const [loading, setLoading] = React.useState(true)
+  const [error, setError] = React.useState<string | null>(null)
+  const [email, setEmail] = React.useState('')
+  const [formKey, setFormKey] = React.useState(0)
+  const formId = React.useId()
+  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
+  const passwordRequirements = React.useMemo(
+    () => formatPasswordRequirements(passwordPolicy, t),
+    [passwordPolicy, t],
+  )
+  const passwordDescription = React.useMemo(() => (
+    passwordRequirements
+      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+      : undefined
+  ), [passwordRequirements, t])
+  React.useEffect(() => {
+    let cancelled = false
+    async function load() {
+      setLoading(true)
+      setError(null)
+      try {
+        const { ok, result } = await apiCall<ProfileResponse>('/api/auth/profile')
+        if (!ok) throw new Error('load_failed')
+        const resolvedEmail = typeof result?.email === 'string' ? result.email : ''
+        if (!cancelled) setEmail(resolvedEmail)
+      } catch (err) {
+        console.error('Failed to load auth profile', err)
+        if (!cancelled) setError(t('auth.profile.form.errors.load', 'Failed to load profile.'))
+      } finally {
+        if (!cancelled) setLoading(false)
+      }
+    }
+    load()
+    return () => { cancelled = true }
+  }, [t])
+  const fields = React.useMemo<CrudField[]>(() => [
+    { id: 'email', label: t('auth.profile.form.email', 'Email'), type: 'text', required: true },
+    {
+      id: 'password',
+      label: t('auth.profile.form.password', 'New password'),
+      type: 'text',
+      description: passwordDescription,
+    },
+    { id: 'confirmPassword', label: t('auth.profile.form.confirmPassword', 'Confirm new password'), type: 'text' },
+  ], [passwordDescription, t])
+  const schema = React.useMemo(() => {
+    const passwordSchema = buildPasswordSchema({
+      policy: passwordPolicy,
+      message: t('auth.profile.form.errors.passwordRequirements', 'Password must meet the requirements.'),
+    })
+    const optionalPasswordSchema = z.union([z.literal(''), passwordSchema]).optional()
+    return z.object({
+      email: z.string().trim().min(1, t('auth.profile.form.errors.emailRequired', 'Email is required.')),
+      password: optionalPasswordSchema,
+      confirmPassword: z.string().optional(),
+    }).superRefine((values, ctx) => {
+      const password = values.password?.trim() ?? ''
+      const confirmPassword = values.confirmPassword?.trim() ?? ''
+      if ((password || confirmPassword) && password !== confirmPassword) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: t('auth.profile.form.errors.passwordMismatch', 'Passwords do not match.'),
+          path: ['confirmPassword'],
+        })
+      }
+    })
+  }, [passwordPolicy, t])
+  const handleSubmit = React.useCallback(async (values: ProfileFormValues) => {
+    const nextEmail = values.email?.trim() ?? ''
+    const password = values.password?.trim() ?? ''
+    if (!password && nextEmail === email) {
+      throw createCrudFormError(t('auth.profile.form.errors.noChanges', 'No changes to save.'))
+    }
+    const payload: { email: string; password?: string } = { email: nextEmail }
+    if (password) payload.password = password
+    const result = await readApiResultOrThrow<ProfileUpdateResponse>(
+      '/api/auth/profile',
+      {
+        method: 'PUT',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(payload),
+      },
+      { errorMessage: t('auth.profile.form.errors.save', 'Failed to update profile.') },
+    )
+    const resolvedEmail = typeof result?.email === 'string' ? result.email : nextEmail
+    setEmail(resolvedEmail)
+    setFormKey((prev) => prev + 1)
+    flash(t('auth.profile.form.success', 'Profile updated.'), 'success')
+    router.refresh()
+  }, [email, router, t])
+  return (
+    <Page>
+      <PageBody>
+        {loading ? (
+          <LoadingMessage label={t('auth.profile.form.loading', 'Loading profile...')} />
+        ) : error ? (
+          <ErrorMessage label={error} />
+        ) : (
+          <section className="space-y-6 rounded-lg border bg-background p-6">
+            <header className="flex flex-col gap-4 sm:flex-row sm:items-start sm:justify-between">
+              <div className="space-y-1">
+                <h2 className="text-lg font-semibold">{t('auth.profile.title', 'Profile')}</h2>
+                <p className="text-sm text-muted-foreground">
+                  {t('auth.profile.subtitle', 'Change password')}
+                </p>
+              </div>
+              <Button type="submit" form={formId}>
+                <Save className="size-4 mr-2" />
+                {t('auth.profile.form.save', 'Save changes')}
+              </Button>
+            </header>
+            <CrudForm<ProfileFormValues>
+              key={formKey}
+              formId={formId}
+              schema={schema}
+              fields={fields}
+              initialValues={{
+                email,
+                password: '',
+                confirmPassword: '',
+              }}
+              submitLabel={t('auth.profile.form.save', 'Save changes')}
+              onSubmit={handleSubmit}
+              embedded
+              hideFooterActions
+            />
+          </section>
+        )}
+      </PageBody>
+    </Page>
+  )
+}

package/src/modules/auth/backend/roles/[id]/edit/page.tsx CHANGED Viewed

@@ -6,7 +6,7 @@ import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
 import { deleteCrud, updateCrud } from '@open-mercato/ui/backend/utils/crud'
 import { collectCustomFieldValues } from '@open-mercato/ui/backend/utils/customFieldValues'
 import { AclEditor, type AclData } from '@open-mercato/core/modules/auth/components/AclEditor'
-import { WidgetVisibilityEditor } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
+import { WidgetVisibilityEditor, type WidgetVisibilityEditorHandle } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
 import { E } from '#generated/entities.ids.generated'
 import { TenantSelect } from '@open-mercato/core/modules/directory/components/TenantSelect'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
@@ -37,6 +37,7 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
   const [aclData, setAclData] = React.useState<AclData>({ isSuperAdmin: false, features: [], organizations: null })
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
   const [selectedTenantId, setSelectedTenantId] = React.useState<string | null>(null)
+  const widgetEditorRef = React.useRef<WidgetVisibilityEditorHandle | null>(null)
   React.useEffect(() => {
     if (!id) return
@@ -153,6 +154,7 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
             kind="role"
             targetId={String(id)}
             tenantId={selectedTenantId ?? (initial?.tenantId ?? null)}
+            ref={widgetEditorRef}
           />
         )
         : null),
@@ -191,6 +193,7 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
             await updateCrud('auth/roles/acl', { roleId: id, tenantId: effectiveTenantId, ...aclData }, {
               errorMessage: t('auth.roles.form.errors.aclUpdate', 'Failed to update role access control'),
             })
+            await widgetEditorRef.current?.save()
             try { window.dispatchEvent(new Event('om:refresh-sidebar')) } catch {}
           }}
           onDelete={async () => {

package/src/modules/auth/backend/roles/page.tsx CHANGED Viewed

@@ -117,9 +117,9 @@ export default function RolesListPage() {
           onSearchChange={(v) => { setSearch(v); setPage(1) }}
           rowActions={(row) => (
             <RowActions items={[
-              { label: t('common.edit', 'Edit'), href: `/backend/roles/${row.id}/edit` },
-              { label: t('auth.roles.list.actions.showUsers', 'Show users'), href: `/backend/users?roleId=${encodeURIComponent(row.id)}` },
-              { label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { id: 'edit', label: t('common.edit', 'Edit'), href: `/backend/roles/${row.id}/edit` },
+              { id: 'show-users', label: t('auth.roles.list.actions.showUsers', 'Show users'), href: `/backend/users?roleId=${encodeURIComponent(row.id)}` },
+              { id: 'delete', label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           sortable

package/src/modules/auth/backend/users/[id]/edit/page.tsx CHANGED Viewed

@@ -10,8 +10,9 @@ import { AclEditor, type AclData } from '@open-mercato/core/modules/auth/compone
 import { OrganizationSelect } from '@open-mercato/core/modules/directory/components/OrganizationSelect'
 import { TenantSelect } from '@open-mercato/core/modules/directory/components/TenantSelect'
 import { fetchRoleOptions } from '@open-mercato/core/modules/auth/backend/users/roleOptions'
-import { WidgetVisibilityEditor } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
+import { WidgetVisibilityEditor, type WidgetVisibilityEditorHandle } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 type EditUserFormValues = {
   email: string
@@ -108,6 +109,17 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
   const [aclData, setAclData] = React.useState<AclData>({ isSuperAdmin: false, features: [], organizations: null })
   const [customFieldValues, setCustomFieldValues] = React.useState<Record<string, unknown>>({})
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
+  const widgetEditorRef = React.useRef<WidgetVisibilityEditorHandle | null>(null)
+  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
+  const passwordRequirements = React.useMemo(
+    () => formatPasswordRequirements(passwordPolicy, t),
+    [passwordPolicy, t],
+  )
+  const passwordDescription = React.useMemo(() => (
+    passwordRequirements
+      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+      : undefined
+  ), [passwordRequirements, t])
   React.useEffect(() => {
     if (!id) {
@@ -201,7 +213,12 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
   const fields: CrudField[] = React.useMemo(() => {
     const items: CrudField[] = [
       { id: 'email', label: t('auth.users.form.field.email', 'Email'), type: 'text', required: true },
-      { id: 'password', label: t('auth.users.form.field.password', 'Password'), type: 'text' },
+      {
+        id: 'password',
+        label: t('auth.users.form.field.password', 'Password'),
+        type: 'text',
+        description: passwordDescription,
+      },
     ]
     if (actorIsSuperAdmin) {
       items.push({
@@ -251,7 +268,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
     })
     items.push({ id: 'roles', label: t('auth.users.form.field.roles', 'Roles'), type: 'tags', loadOptions: loadRoleOptions })
     return items
-  }, [actorIsSuperAdmin, loadRoleOptions, preloadedTenants, selectedOrgId, selectedTenantId, t])
+  }, [actorIsSuperAdmin, loadRoleOptions, passwordDescription, preloadedTenants, selectedOrgId, selectedTenantId, t])
   const detailFieldIds = React.useMemo(() => {
     const base: string[] = ['email', 'password', 'organizationId', 'roles']
@@ -292,6 +309,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
             targetId={String(id)}
             tenantId={selectedTenantId ?? null}
             organizationId={initialUser?.organizationId ?? null}
+            ref={widgetEditorRef}
           />
         ) : null
       ),
@@ -354,6 +372,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
             await updateCrud('auth/users/acl', { userId: id, ...aclData }, {
               errorMessage: t('auth.users.form.errors.aclUpdate', 'Failed to update user access control'),
             })
+            await widgetEditorRef.current?.save()
             try { window.dispatchEvent(new Event('om:refresh-sidebar')) } catch {}
           }}
           onDelete={async () => {