@open-mercato/core 0.4.2-canary-f075c3eb92 → 0.4.2-canary-8a04af8836

package/src/modules/auth/backend/users/create/page.tsx

@@ -11,6 +11,7 @@ import { TenantSelect } from '@open-mercato/core/modules/directory/components/Te
 import { fetchRoleOptions } from '@open-mercato/core/modules/auth/backend/users/roleOptions'
 import { Spinner } from '@open-mercato/ui/primitives/spinner'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type CreateUserFormValues = {
   email: string
@@ -84,6 +85,16 @@ export default function CreateUserPage() {
   const [selectedWidgets, setSelectedWidgets] = React.useState<string[]>([])
   const [selectedTenantId, setSelectedTenantId] = React.useState<string | null>(null)
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
+  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
+  const passwordRequirements = React.useMemo(
+    () => formatPasswordRequirements(passwordPolicy, t),
+    [passwordPolicy, t],
+  )
+  const passwordDescription = React.useMemo(() => (
+    passwordRequirements
+      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+      : undefined
+  ), [passwordRequirements, t])
 
   React.useEffect(() => {
     let cancelled = false
@@ -156,7 +167,13 @@ export default function CreateUserPage() {
   const fields: CrudField[] = React.useMemo(() => {
     const items: CrudField[] = [
       { id: 'email', label: t('auth.users.form.field.email', 'Email'), type: 'text', required: true },
-      { id: 'password', label: t('auth.users.form.field.password', 'Password'), type: 'text', required: true },
+      {
+        id: 'password',
+        label: t('auth.users.form.field.password', 'Password'),
+        type: 'text',
+        required: true,
+        description: passwordDescription,
+      },
     ]
     if (actorIsSuperAdmin) {
       items.push({
@@ -203,7 +220,7 @@ export default function CreateUserPage() {
     })
     items.push({ id: 'roles', label: t('auth.users.form.field.roles', 'Roles'), type: 'tags', loadOptions: loadRoleOptions })
     return items
-  }, [actorIsSuperAdmin, loadRoleOptions, selectedTenantId, t])
+  }, [actorIsSuperAdmin, loadRoleOptions, passwordDescription, selectedTenantId, t])
 
   const detailFieldIds = React.useMemo(() => {
     const base: string[] = ['email', 'password', 'organizationId', 'roles']

package/src/modules/auth/backend/users/page.tsx

@@ -383,9 +383,9 @@ export default function UsersListPage() {
           perspective={{ tableId: 'auth.users.list' }}
           rowActions={(row) => (
             <RowActions items={[
-              { label: t('common.edit', 'Edit'), href: `/backend/users/${row.id}/edit` },
-              { label: t('auth.users.list.actions.showRoles', 'Show roles'), href: `/backend/roles?userId=${encodeURIComponent(row.id)}` },
-              { label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { id: 'edit', label: t('common.edit', 'Edit'), href: `/backend/users/${row.id}/edit` },
+              { id: 'show-roles', label: t('auth.users.list.actions.showRoles', 'Show roles'), href: `/backend/roles?userId=${encodeURIComponent(row.id)}` },
+              { id: 'delete', label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           pagination={{ page, pageSize: 50, total, totalPages, onPageChange: setPage }}

package/src/modules/auth/cli.ts

@@ -16,6 +16,8 @@ import { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
 import { env } from 'process'
 import type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'
 import crypto from 'node:crypto'
+import { formatPasswordRequirements, getPasswordPolicy, validatePassword } from '@open-mercato/shared/lib/auth/passwordPolicy'
+import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'
 
 const addUser: ModuleCli = {
   command: 'add-user',
@@ -34,6 +36,7 @@ const addUser: ModuleCli = {
       console.error('Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]')
       return
     }
+    if (!ensurePasswordPolicy(password)) return
     const { resolve } = await createRequestContainer()
     const em = resolve('em') as any
     const org =
@@ -102,6 +105,16 @@ function hashSecret(value: string | null | undefined): string | null {
   return crypto.createHash('sha256').update(normalizeKeyInput(value)).digest('hex').slice(0, 12)
 }
 
+function ensurePasswordPolicy(password: string): boolean {
+  const policy = getPasswordPolicy()
+  const result = validatePassword(password, policy)
+  if (result.ok) return true
+  const requirements = formatPasswordRequirements(policy, (_key, fallback) => fallback)
+  const suffix = requirements ? `: ${requirements}` : ''
+  console.error(`Password does not meet the requirements${suffix}.`)
+  return false
+}
+
 async function withEncryptionDebugDisabled<T>(fn: () => Promise<T>): Promise<T> {
   const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG
   process.env.TENANT_DATA_ENCRYPTION_DEBUG = 'no'
@@ -392,20 +405,33 @@ const addOrganization: ModuleCli = {
 const setupApp: ModuleCli = {
   command: 'setup',
   async run(rest) {
-    const args: Record<string, string> = {}
-    for (let i = 0; i < rest.length; i += 2) {
-      const k = rest[i]?.replace(/^--/, '')
-      const v = rest[i + 1]
-      if (k) args[k] = v
-    }
-    const orgName = args.orgName || args.name
-    const email = args.email
-    const password = args.password
-    const rolesCsv = (args.roles ?? 'superadmin,admin,employee').trim()
+    const args = parseArgs(rest)
+    const orgName = typeof args.orgName === 'string'
+      ? args.orgName
+      : typeof args.name === 'string'
+        ? args.name
+        : undefined
+    const email = typeof args.email === 'string' ? args.email : undefined
+    const password = typeof args.password === 'string' ? args.password : undefined
+    const rolesCsv = typeof args.roles === 'string'
+      ? args.roles.trim()
+      : 'superadmin,admin,employee'
+    const skipPasswordPolicyRaw =
+      args['skip-password-policy'] ??
+      args.skipPasswordPolicy ??
+      args['allow-weak-password'] ??
+      args.allowWeakPassword
+    const skipPasswordPolicy = typeof skipPasswordPolicyRaw === 'boolean'
+      ? skipPasswordPolicyRaw
+      : parseBooleanToken(typeof skipPasswordPolicyRaw === 'string' ? skipPasswordPolicyRaw : null) ?? false
     if (!orgName || !email || !password) {
-      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee]')
+      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee] [--skip-password-policy]')
       return
     }
+    if (!skipPasswordPolicy && !ensurePasswordPolicy(password)) return
+    if (skipPasswordPolicy) {
+      console.warn('⚠️  Password policy validation skipped for setup.')
+    }
     const { resolve } = await createRequestContainer()
     const em = resolve<EntityManager>('em')
     const roleNames = rolesCsv
@@ -595,6 +621,7 @@ const setPassword: ModuleCli = {
       console.error('Usage: mercato auth set-password --email <email> --password <newPassword>')
       return
     }
+    if (!ensurePasswordPolicy(password)) return
     
     const { resolve } = await createRequestContainer()
     const em = resolve('em') as any

package/src/modules/auth/commands/users.ts

@@ -27,6 +27,10 @@ import {
 import { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type SerializedUser = {
   email: string
@@ -63,9 +67,11 @@ type UserSnapshots = {
   undo: UserUndoSnapshot
 }
 
+const passwordSchema = buildPasswordSchema()
+
 const createSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional(),
 })
@@ -73,7 +79,7 @@ const createSchema = z.object({
 const updateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: z.string().min(6).optional(),
+  password: passwordSchema.optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional(),
 })
@@ -105,6 +111,46 @@ export const userCrudIndexer: CrudIndexerConfig = {
   }),
 }
 
+async function notifyRoleChanges(
+  ctx: CommandRuntimeContext,
+  user: User,
+  assignedRoles: string[],
+  revokedRoles: string[],
+): Promise<void> {
+  const tenantId = user.tenantId ? String(user.tenantId) : null
+  if (!tenantId) return
+  const organizationId = user.organizationId ? String(user.organizationId) : null
+
+  try {
+    const notificationService = resolveNotificationService(ctx.container)
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === 'auth.role.assigned')
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === 'auth.role.revoked')
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.users.roles] Failed to create notification:', err)
+  }
+}
+
 const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
   id: 'auth.users.create',
   async execute(rawInput, ctx) {
@@ -147,8 +193,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       throw error
     }
 
+    let assignedRoles: string[] = []
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId)
+      assignedRoles = await loadUserRoleNames(em, String(user.id))
     }
 
     await setCustomFieldsIfAny({
@@ -173,6 +221,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, [])
+    }
+
     return user
   },
   captureAfter: async (_input, result, ctx) => {
@@ -288,6 +340,9 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)
     const em = (ctx.container.resolve('em') as EntityManager)
+    const rolesBefore = Array.isArray(parsed.roles)
+      ? await loadUserRoleNames(em, parsed.id)
+      : null
 
     if (parsed.email !== undefined) {
       const emailHash = computeEmailHash(parsed.email)
@@ -377,6 +432,14 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id))
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter)
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked)
+      }
+    }
+
     await invalidateUserCache(ctx, parsed.id)
 
     return user
@@ -772,6 +835,14 @@ async function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {
   }
 }
 
+function diffRoleChanges(before: string[], after: string[]) {
+  const beforeSet = new Set(before)
+  const afterSet = new Set(after)
+  const assigned = after.filter((role) => !beforeSet.has(role))
+  const revoked = before.filter((role) => !afterSet.has(role))
+  return { assigned, revoked }
+}
+
 function arrayEquals(left: string[] | undefined, right: string[]): boolean {
   if (!left) return false
   if (left.length !== right.length) return false

package/src/modules/auth/data/validators.ts

@@ -1,10 +1,14 @@
 import { z } from 'zod'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
+
+const passwordSchema = buildPasswordSchema()
 
 // Core auth validators
 export const userLoginSchema = z.object({
   email: z.string().email(),
   password: z.string().min(6),
   requireRole: z.string().optional(),
+  tenantId: z.string().uuid().optional(),
 })
 
 export const requestPasswordResetSchema = z.object({
@@ -13,7 +17,7 @@ export const requestPasswordResetSchema = z.object({
 
 export const confirmPasswordResetSchema = z.object({
   token: z.string().min(10),
-  password: z.string().min(6),
+  password: passwordSchema,
 })
 
 export const sidebarPreferencesInputSchema = z.object({
@@ -29,7 +33,7 @@ export const sidebarPreferencesInputSchema = z.object({
 // Optional helpers for CLI or admin forms
 export const userCreateSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   tenantId: z.string().uuid().optional(),
   organizationId: z.string().uuid(),
   rolesCsv: z.string().optional(),

package/src/modules/auth/frontend/login.tsx

@@ -1,14 +1,40 @@
 "use client"
-import { useState } from 'react'
+import { useCallback, useEffect, useState } from 'react'
 import Image from 'next/image'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
-import { Card, CardContent, CardHeader, CardTitle, CardDescription } from '@open-mercato/ui/primitives/card'
+import { Card, CardContent, CardHeader, CardDescription } from '@open-mercato/ui/primitives/card'
 import { Input } from '@open-mercato/ui/primitives/input'
 import { Label } from '@open-mercato/ui/primitives/label'
+import { Button } from '@open-mercato/ui/primitives/button'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
 import { translateWithFallback } from '@open-mercato/shared/lib/i18n/translate'
 import { clearAllOperations } from '@open-mercato/ui/backend/operations/store'
+import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
+import { X } from 'lucide-react'
+
+const loginTenantKey = 'om_login_tenant'
+const loginTenantCookieMaxAge = 60 * 60 * 24 * 14
+
+function readTenantCookie() {
+  if (typeof document === 'undefined') return null
+  const entries = document.cookie.split(';')
+  for (const entry of entries) {
+    const [name, ...rest] = entry.trim().split('=')
+    if (name === loginTenantKey) return decodeURIComponent(rest.join('='))
+  }
+  return null
+}
+
+function setTenantCookie(value: string) {
+  if (typeof document === 'undefined') return
+  document.cookie = `${loginTenantKey}=${encodeURIComponent(value)}; path=/; max-age=${loginTenantCookieMaxAge}; samesite=lax`
+}
+
+function clearTenantCookie() {
+  if (typeof document === 'undefined') return
+  document.cookie = `${loginTenantKey}=; path=/; max-age=0; samesite=lax`
+}
 
 function extractErrorMessage(payload: unknown): string | null {
   if (!payload) return null
@@ -44,8 +70,11 @@ function looksLikeJsonString(value: string): boolean {
 
 export default function LoginPage() {
   const t = useT()
-  const translate = (key: string, fallback: string, params?: Record<string, string | number>) =>
-    translateWithFallback(t, key, fallback, params)
+  const translate = useCallback(
+    (key: string, fallback: string, params?: Record<string, string | number>) =>
+      translateWithFallback(t, key, fallback, params),
+    [t],
+  )
   const router = useRouter()
   const searchParams = useSearchParams()
   const requireRole = (searchParams.get('requireRole') || searchParams.get('role') || '').trim()
@@ -56,6 +85,80 @@ export default function LoginPage() {
   const translatedFeatures = requiredFeatures.map((feature) => translate(`features.${feature}`, feature))
   const [error, setError] = useState<string | null>(null)
   const [submitting, setSubmitting] = useState(false)
+  const [tenantId, setTenantId] = useState<string | null>(null)
+  const [tenantName, setTenantName] = useState<string | null>(null)
+  const [tenantLoading, setTenantLoading] = useState(false)
+  const [tenantInvalid, setTenantInvalid] = useState<string | null>(null)
+  const showTenantInvalid = tenantId != null && tenantInvalid === tenantId
+
+  useEffect(() => {
+    const tenantParam = (searchParams.get('tenant') || '').trim()
+    if (tenantParam) {
+      setTenantId(tenantParam)
+      window.localStorage.setItem(loginTenantKey, tenantParam)
+      setTenantCookie(tenantParam)
+      return
+    }
+    const storedTenant = window.localStorage.getItem(loginTenantKey) || readTenantCookie()
+    if (storedTenant) {
+      setTenantId(storedTenant)
+    }
+  }, [searchParams])
+
+  useEffect(() => {
+    if (!tenantId) {
+      setTenantName(null)
+      setTenantInvalid(null)
+      return
+    }
+    if (tenantInvalid === tenantId) {
+      setTenantName(null)
+      setTenantLoading(false)
+      return
+    }
+    let active = true
+    setTenantLoading(true)
+    setTenantInvalid(null)
+    apiCall<{ ok: boolean; tenant?: { id: string; name: string }; error?: string }>(
+      `/api/directory/tenants/lookup?tenantId=${encodeURIComponent(tenantId)}`,
+    )
+      .then(({ result }) => {
+        if (!active) return
+        if (result?.ok && result.tenant) {
+          setTenantName(result.tenant.name)
+          return
+        }
+        const message = translate('auth.login.errors.tenantInvalid', 'Tenant not found. Clear the tenant selection and try again.')
+        setTenantName(null)
+        setTenantInvalid(tenantId)
+        setError(null)
+      })
+      .catch(() => {
+        if (!active) return
+        setTenantName(null)
+        setTenantInvalid(tenantId)
+        setError(null)
+      })
+      .finally(() => {
+        if (active) setTenantLoading(false)
+      })
+    return () => {
+      active = false
+    }
+  }, [tenantId, translate])
+
+  function handleClearTenant() {
+    window.localStorage.removeItem(loginTenantKey)
+    clearTenantCookie()
+    setTenantId(null)
+    setTenantName(null)
+    setTenantInvalid(null)
+    const params = new URLSearchParams(searchParams)
+    params.delete('tenant')
+    setError(null)
+    const query = params.toString()
+    router.replace(query ? `/login?${query}` : '/login')
+  }
 
   async function onSubmit(e: React.FormEvent<HTMLFormElement>) {
     e.preventDefault()
@@ -141,6 +244,9 @@ export default function LoginPage() {
         </CardHeader>
         <CardContent>
           <form className="grid gap-3" onSubmit={onSubmit} noValidate>
+            {tenantId ? (
+              <input type="hidden" name="tenantId" value={tenantId} />
+            ) : null}
             {!!translatedRoles.length && (
               <div className="rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900">
                 {translate(
@@ -159,7 +265,30 @@ export default function LoginPage() {
                 })}
               </div>
             )}
-            {error && (
+            {showTenantInvalid ? (
+              <div className="rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-xs text-red-700">
+                <div className="font-medium">{translate('auth.login.errors.tenantInvalid', 'Tenant not found. Clear the tenant selection and try again.')}</div>
+                <Button type="button" variant="outline" size="sm" className="mt-2 border-red-300 text-red-700" onClick={handleClearTenant}>
+                  <X className="mr-2 size-4" aria-hidden="true" />
+                  {translate('auth.login.tenantClear', 'Clear')}
+                </Button>
+              </div>
+            ) : tenantId ? (
+              <div className="rounded-md border border-emerald-200 bg-emerald-50 px-3 py-2 text-center text-xs text-emerald-900">
+                <div className="font-medium">
+                  {tenantLoading
+                    ? translate('auth.login.tenantLoading', 'Loading tenant details...')
+                    : translate('auth.login.tenantBanner', "You're logging in to {tenant} tenant.", {
+                        tenant: tenantName || tenantId,
+                      })}
+                </div>
+                <Button type="button" variant="outline" size="sm" className="mt-2 border-emerald-300 text-emerald-900" onClick={handleClearTenant}>
+                  <X className="mr-2 size-4" aria-hidden="true" />
+                  {translate('auth.login.tenantClear', 'Clear')}
+                </Button>
+              </div>
+            ) : null}
+            {error && !showTenantInvalid && (
               <div className="rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700" role="alert" aria-live="polite">
                 {error}
               </div>

package/src/modules/auth/frontend/reset/[token]/page.tsx

@@ -4,11 +4,20 @@ import { Input } from '@open-mercato/ui/primitives/input'
 import { Label } from '@open-mercato/ui/primitives/label'
 import { useState } from 'react'
 import { useRouter } from 'next/navigation'
+import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
+import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 export default function ResetWithTokenPage({ params }: { params: { token: string } }) {
   const router = useRouter()
+  const t = useT()
   const [error, setError] = useState<string | null>(null)
   const [submitting, setSubmitting] = useState(false)
+  const passwordPolicy = getPasswordPolicy()
+  const passwordRequirements = formatPasswordRequirements(passwordPolicy, t)
+  const passwordDescription = passwordRequirements
+    ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+    : ''
 
   async function onSubmit(e: React.FormEvent<HTMLFormElement>) {
     e.preventDefault()
@@ -17,13 +26,15 @@ export default function ResetWithTokenPage({ params }: { params: { token: string
     try {
       const form = new FormData(e.currentTarget)
       form.set('token', params.token)
-      const res = await fetch('/api/auth/reset/confirm', { method: 'POST', body: form })
-      const data = await res.json().catch(() => null)
-      if (!res.ok) {
-        setError(data?.error || 'Unable to reset password')
+      const { ok, result } = await apiCall<{ ok?: boolean; error?: string; redirect?: string }>(
+        '/api/auth/reset/confirm',
+        { method: 'POST', body: form },
+      )
+      if (!ok || result?.ok === false) {
+        setError(result?.error || t('auth.reset.errors.failed', 'Unable to reset password'))
         return
       }
-      router.replace(data?.redirect || '/login')
+      router.replace(result?.redirect || '/login')
     } finally {
       setSubmitting(false)
     }
@@ -33,18 +44,21 @@ export default function ResetWithTokenPage({ params }: { params: { token: string
     <div className="min-h-svh flex items-center justify-center p-4">
       <Card className="w-full max-w-sm">
         <CardHeader>
-          <CardTitle>Set a new password</CardTitle>
-          <CardDescription>Choose a strong password for your account.</CardDescription>
+          <CardTitle>{t('auth.reset.title', 'Set a new password')}</CardTitle>
+          <CardDescription>{t('auth.reset.subtitle', 'Choose a strong password for your account.')}</CardDescription>
         </CardHeader>
         <CardContent>
           <form className="grid gap-3" onSubmit={onSubmit}>
             {error && <div className="text-sm text-red-600">{error}</div>}
             <div className="grid gap-1">
-              <Label htmlFor="password">New password</Label>
-              <Input id="password" name="password" type="password" required minLength={6} />
+              <Label htmlFor="password">{t('auth.reset.form.password', 'New password')}</Label>
+              <Input id="password" name="password" type="password" required minLength={passwordPolicy.minLength} />
+              {passwordDescription ? (
+                <p className="text-xs text-muted-foreground">{passwordDescription}</p>
+              ) : null}
             </div>
             <button disabled={submitting} className="h-10 rounded-md bg-foreground text-background mt-2 hover:opacity-90 transition disabled:opacity-60">
-              {submitting ? '...' : 'Update password'}
+              {submitting ? t('auth.reset.form.loading', '...') : t('auth.reset.form.submit', 'Update password')}
             </button>
           </form>
         </CardContent>
@@ -52,4 +66,3 @@ export default function ResetWithTokenPage({ params }: { params: { token: string
     </div>
   )
 }
-

package/src/modules/auth/i18n/de.json

@@ -2,12 +2,26 @@
   "auth.signIn": "Anmelden",
   "auth.email": "E-Mail",
   "auth.password": "Passwort",
+  "auth.password.requirements.help": "Passwortanforderungen: {requirements}",
+  "auth.password.requirements.minLength": "Mindestens {min} Zeichen",
+  "auth.password.requirements.digit": "Eine Zahl",
+  "auth.password.requirements.uppercase": "Ein Großbuchstabe",
+  "auth.password.requirements.special": "Ein Sonderzeichen",
+  "auth.password.requirements.separator": ", ",
   "auth.sendResetLink": "Link zum Zurücksetzen senden",
   "auth.resetPassword": "Passwort zurücksetzen",
+  "auth.reset.title": "Neues Passwort festlegen",
+  "auth.reset.subtitle": "Wähle ein sicheres Passwort für dein Konto.",
+  "auth.reset.form.password": "Neues Passwort",
+  "auth.reset.form.loading": "...",
+  "auth.reset.form.submit": "Passwort aktualisieren",
+  "auth.reset.errors.failed": "Passwort konnte nicht zurückgesetzt werden",
   "auth.usersRoles": "Benutzer und Rollen",
   "auth.manageAuthSettings": "Verwalte die Authentifizierungseinstellungen.",
   "auth.login.errors.permissionDenied": "Du hast keine Berechtigung, auf diesen Bereich zuzugreifen. Bitte wende dich an deine Administration.",
   "auth.login.errors.invalidCredentials": "Ungültige E-Mail oder ungültiges Passwort",
+  "auth.login.errors.tenantRequired": "Nutze den Login-Link aus deiner Tenant-Aktivierung, um fortzufahren.",
+  "auth.login.errors.tenantInvalid": "Tenant nicht gefunden. Entferne die Tenant-Auswahl und versuche es erneut.",
   "auth.login.errors.generic": "Es ist ein Fehler aufgetreten. Bitte versuche es erneut.",
   "auth.login.logoAlt": "Open Mercato Logo",
   "auth.login.brandName": "Open Mercato",
@@ -15,6 +29,9 @@
   "auth.login.requireRoleMessage": "Für den Zugriff ist die folgende Rolle erforderlich: {roles}",
   "auth.login.requireRolesMessage": "Für den Zugriff ist eine der folgenden Rollen erforderlich: {roles}",
   "auth.login.featureDenied": "Du hast keinen Zugriff auf diese Funktion ({feature}). Bitte wende dich an deine Administration.",
+  "auth.login.tenantBanner": "Du meldest dich beim Tenant {tenant} an.",
+  "auth.login.tenantLoading": "Tenant-Daten werden geladen...",
+  "auth.login.tenantClear": "Zurücksetzen",
   "auth.login.rememberMe": "Angemeldet bleiben",
   "auth.login.loading": "Wird geladen ...",
   "auth.login.forgotPassword": "Passwort vergessen?",
@@ -80,6 +97,21 @@
   "auth.users.form.errors.load": "Benutzerdaten konnten nicht geladen werden",
   "auth.users.form.errors.aclUpdate": "Aktualisierung der Benutzerberechtigungen fehlgeschlagen",
   "auth.users.form.errors.delete": "Benutzer konnte nicht gelöscht werden",
+  "auth.profile.title": "Profil",
+  "auth.profile.subtitle": "Passwort ändern",
+  "auth.profile.form.email": "E-Mail",
+  "auth.profile.form.password": "Neues Passwort",
+  "auth.profile.form.confirmPassword": "Neues Passwort bestätigen",
+  "auth.profile.form.save": "Änderungen speichern",
+  "auth.profile.form.loading": "Profil wird geladen...",
+  "auth.profile.form.errors.load": "Profil konnte nicht geladen werden.",
+  "auth.profile.form.errors.save": "Profil konnte nicht aktualisiert werden.",
+  "auth.profile.form.errors.invalid": "Ungültige Profilaktualisierung.",
+  "auth.profile.form.errors.passwordMismatch": "Die Passwörter stimmen nicht überein.",
+  "auth.profile.form.errors.passwordRequirements": "Das Passwort muss die Anforderungen erfüllen.",
+  "auth.profile.form.errors.noChanges": "Keine Änderungen zu speichern.",
+  "auth.profile.form.errors.emailRequired": "E-Mail ist erforderlich.",
+  "auth.profile.form.success": "Profil aktualisiert.",
   "auth.users.list.error.load": "Benutzer konnten nicht geladen werden",
   "auth.users.list.error.delete": "Benutzer konnte nicht gelöscht werden",
   "auth.users.flash.created": "Benutzer erstellt",
@@ -95,5 +127,20 @@
   "auth.email.resetPassword.title": "Passwort zurücksetzen",
   "auth.email.resetPassword.body": "Klicken Sie auf den Link unten, um ein neues Passwort festzulegen. Dieser Link läuft in 60 Minuten ab.",
   "auth.email.resetPassword.cta": "Neues Passwort festlegen",
-  "auth.email.resetPassword.hint": "Wenn Sie dies nicht angefordert haben, können Sie diese E-Mail ignorieren."
+  "auth.email.resetPassword.hint": "Wenn Sie dies nicht angefordert haben, können Sie diese E-Mail ignorieren.",
+  "auth.notifications.passwordReset.requested.title": "Passwort-Zurücksetzung angefordert",
+  "auth.notifications.passwordReset.requested.body": "Ein Link zum Zurücksetzen des Passworts wurde an Ihre E-Mail gesendet",
+  "auth.notifications.passwordReset.completed.title": "Passwort erfolgreich geändert",
+  "auth.notifications.passwordReset.completed.body": "Ihr Passwort wurde erfolgreich aktualisiert",
+  "auth.notifications.account.locked.title": "Konto gesperrt",
+  "auth.notifications.account.locked.body": "Ihr Konto wurde aus Sicherheitsgründen gesperrt. Bitte wenden Sie sich an den Support.",
+  "auth.notifications.login.newDevice.title": "Neues Gerät erkannt",
+  "auth.notifications.login.newDevice.body": "Es wurde eine Anmeldung von einem unbekannten Gerät für Ihr Konto erkannt",
+  "auth.notifications.role.assigned.title": "Neue Rolle zugewiesen",
+  "auth.notifications.role.assigned.body": "Ihnen wurde eine neue Rolle mit zusätzlichen Berechtigungen zugewiesen",
+  "auth.notifications.role.revoked.title": "Rolle entfernt",
+  "auth.notifications.role.revoked.body": "Eine Rolle wurde von Ihrem Konto entfernt",
+  "auth.actions.contactSupport": "Support kontaktieren",
+  "auth.actions.viewSessions": "Sitzungen anzeigen",
+  "auth.actions.viewPermissions": "Berechtigungen anzeigen"
 }