feat: implement rate limit error handling and cooldown mechanism in login modal; enhance password visibility toggle

Author: aree6

backend/src/index.ts

@@ -82,6 +82,11 @@ const loginLimiter = rateLimit({
   limit: 5,
   standardHeaders: 'draft-7',
   legacyHeaders: false,
+  message: { error: 'RateLimitExceeded', message: 'Too many login attempts. Please wait 1 minute.' },
+  skip: (req) => {
+    // Don't rate limit warmup requests
+    return req.path === '/api/hevy/recaptcha/session-warmup';
+  },
 });
 
 const requireAuthTokenHeader = (req: express.Request): string => {

frontend/app/ui/appErrorMessages.ts

@@ -1,11 +1,18 @@
 export const getErrorMessage = (err: unknown): string => {
   if (err instanceof Error && err.message) return err.message;
-  return 'Failed to import CSV. Please export your workout data from the Hevy app and try again.';
+  return 'Failed to import CSV. Please try again.';
 };
 
-export const getHevyErrorMessage = (err: unknown): string => {
+export const getHevyErrorMessage = (err: unknown, cooldownSeconds?: number): string => {
   if (err instanceof Error && err.message) {
     const msg = err.message;
+    // Rate limit error - show dynamic countdown
+    if (msg.toLowerCase().includes('rate') || msg.toLowerCase().includes('429') || msg.toLowerCase().includes('too many requests')) {
+      if (cooldownSeconds && cooldownSeconds > 0) {
+        return `Too many login attempts. Please wait ${cooldownSeconds}s before trying again.`;
+      }
+      return 'Too many login attempts. Please wait 60s before trying again.';
+    }
     // "Load failed" is a Safari-specific error, often caused by content blockers, VPNs, or network issues
     if (msg.toLowerCase().includes('load failed') || msg.toLowerCase().includes('failed to fetch')) {
       return `Network error: ${msg}. This is often caused by content blockers, VPNs,  or network issues. Try disabling ad blockers or switching browsers.`;

frontend/components/modals/auth/HevyLoginModal.tsx

@@ -1,5 +1,5 @@
 import React, { useEffect, useRef, useState } from 'react';
-import { ArrowLeft, ArrowRight, HelpCircle, Key, LogIn, RefreshCw, Trash2, Upload } from 'lucide-react';
+import { ArrowLeft, ArrowRight, Eye, EyeOff, HelpCircle, Key, LogIn, RefreshCw, Trash2, Upload } from 'lucide-react';
 import { UNIFORM_HEADER_BUTTON_CLASS, UNIFORM_HEADER_ICON_BUTTON_CLASS } from '../../../utils/ui/uiConstants';
 import { OnboardingModalShell } from '../ui/OnboardingModalShell';
 import { HevyLoginHelp } from './HevyLoginHelp';
@@ -51,8 +51,71 @@ export const HevyLoginModal: React.FC<HevyLoginModalProps> = ({
   const [password, setPassword] = useState('');
   const [apiKey, setApiKey] = useState(() => getHevyProApiKey() || '');
   const [showLoginHelp, setShowLoginHelp] = useState(false);
+  const [cooldownSeconds, setCooldownSeconds] = useState(0);
+  const [failedAttempts, setFailedAttempts] = useState(0);
+  const [showPassword, setShowPassword] = useState(false);
   const passwordTouchedRef = useRef(false);
   const warmupTriggeredRef = useRef(false);
+  const passwordHideTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+
+  // Cooldown timer effect
+  useEffect(() => {
+    if (cooldownSeconds <= 0) return;
+    const timer = setInterval(() => {
+      setCooldownSeconds((prev) => {
+        if (prev <= 1) {
+          clearInterval(timer);
+          return 0;
+        }
+        return prev - 1;
+      });
+    }, 1000);
+    return () => clearInterval(timer);
+  }, [cooldownSeconds > 0]);
+
+  // Trigger cooldown when rate limit error received or after 3 failed attempts
+  useEffect(() => {
+    if (!errorMessage || isLoading) return;
+    
+    const isRateLimited = errorMessage?.toLowerCase().includes('rate') || errorMessage?.toLowerCase().includes('429') || errorMessage?.toLowerCase().includes('too many');
+    const isAuthError = errorMessage?.toLowerCase().includes('invalid') || errorMessage?.toLowerCase().includes('wrong') || errorMessage?.toLowerCase().includes('password');
+    
+    if (isRateLimited) {
+      setCooldownSeconds(120);
+      setFailedAttempts(0);
+    } else if (isAuthError) {
+      // Track failed attempts for non-rate-limit errors
+      setFailedAttempts((prev) => {
+        const newCount = prev + 1;
+        if (newCount >= 3) {
+          setCooldownSeconds(120);
+          return 0;
+        }
+        return newCount;
+      });
+    }
+  }, [errorMessage, isLoading]);
+
+  const isCooldownActive = cooldownSeconds > 0;
+
+  // Handle password show/hide
+  const togglePasswordVisibility = () => {
+    setShowPassword((prev) => !prev);
+    // Auto-hide after 5 seconds
+    if (passwordHideTimerRef.current) clearTimeout(passwordHideTimerRef.current);
+    if (!showPassword) {
+      passwordHideTimerRef.current = setTimeout(() => {
+        setShowPassword(false);
+      }, 5000);
+    }
+  };
+
+  // Cleanup timer on unmount
+  useEffect(() => {
+    return () => {
+      if (passwordHideTimerRef.current) clearTimeout(passwordHideTimerRef.current);
+    };
+  }, []);
 
   // When in API key mode, back should return to credentials view, not unit/gender screen
   const handleBack = () => {
@@ -200,38 +263,53 @@ export const HevyLoginModal: React.FC<HevyLoginModalProps> = ({
 
                   <div>
                     <label className="block text-xs font-semibold text-slate-200">Password</label>
-                    <input
-                      name="password"
-                      type="password"
-                      value={password}
-                      onFocus={() => maybeWarmup()}
-                      onChange={(e) => {
-                        passwordTouchedRef.current = true;
-                        setPassword(e.target.value);
-                      }}
-                      disabled={isLoading}
-                      className="mt-1 w-full h-10 rounded-md bg-slate-900/20 border border-slate-700/60 px-3 text-sm text-slate-200 placeholder:text-slate-500 outline-none focus:border-emerald-500/60"
-                      placeholder="Password"
-                      autoComplete="current-password"
-                      required
-                    />
+                    <div className="relative">
+                      <input
+                        name="password"
+                        type={showPassword ? 'text' : 'password'}
+                        value={password}
+                        onFocus={() => maybeWarmup()}
+                        onChange={(e) => {
+                          passwordTouchedRef.current = true;
+                          setPassword(e.target.value);
+                        }}
+                        disabled={isLoading}
+                        className="mt-1 w-full h-10 rounded-md bg-slate-900/20 border border-slate-700/60 px-3 pr-10 text-sm text-slate-200 placeholder:text-slate-500 outline-none focus:border-emerald-500/60"
+                        placeholder="Password"
+                        autoComplete="current-password"
+                        required
+                      />
+                      <button
+                        type="button"
+                        onClick={togglePasswordVisibility}
+                        className="absolute right-2 top-1/2 -translate-y-1/2 text-slate-400 hover:text-slate-200"
+                      >
+                        {showPassword ? <EyeOff className="w-4 h-4" /> : <Eye className="w-4 h-4" />}
+                      </button>
+                    </div>
                   </div>
                 </>
               )}
 
-              {errorMessage ? (
+              {isCooldownActive ? (
+                <div className="rounded-lg border border-amber-500/30 bg-amber-500/10 px-3 py-2 text-xs text-amber-200 text-center">
+                  {cooldownSeconds > 0 
+                    ? `Too many login attempts. Please wait ${cooldownSeconds}s before trying again.` 
+                    : 'Retry now!'}
+                </div>
+              ) : errorMessage ? (
                 <div className="rounded-lg border border-rose-500/30 bg-rose-500/10 px-3 py-2 text-xs text-rose-200">
                   {errorMessage}
                 </div>
               ) : null}
 
               <button
                 type="submit"
-                disabled={isLoading}
+                disabled={isLoading || isCooldownActive}
                 className={`${UNIFORM_HEADER_BUTTON_CLASS} w-full h-10 text-sm font-semibold disabled:opacity-60 gap-2 justify-center`}
               >
                 <span className="truncate">
-                  {isLoading ? (loginMode === 'apiKey' ? 'Logging in…' : 'Logging in…') : 'Login'}
+                  {isLoading ? (loginMode === 'apiKey' ? 'Logging in…' : 'Logging in…') : isCooldownActive ? (cooldownSeconds > 0 ? `Wait ${cooldownSeconds}s` : 'Retry now!') : 'Login'}
                 </span>
                 <ArrowRight className="w-4 h-4" />
               </button>