Skip to content

feat(clerk-js): Signal reset password flow #6520

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 12, 2025
Merged

feat(clerk-js): Signal reset password flow #6520

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f6b9e17
feat(clerk-js): Signal reset password flow
dstaley Aug 11, 2025
7f3f09c
Merge branch 'main' into ds.feat/signals-reset-password
dstaley Aug 12, 2025
b471ba6
fix(clerk-js): Increase bundle limit
dstaley Aug 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .changeset/wise-hornets-sneeze.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
'@clerk/clerk-js': minor
'@clerk/types': minor
---

[Experimental] Signals reset password flow
2 changes: 1 addition & 1 deletion packages/clerk-js/bundlewatch.config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"files": [
{ "path": "./dist/clerk.js", "maxSize": "622KB" },
{ "path": "./dist/clerk.browser.js", "maxSize": "75KB" },
{ "path": "./dist/clerk.browser.js", "maxSize": "76KB" },
{ "path": "./dist/clerk.legacy.browser.js", "maxSize": "117KB" },
{ "path": "./dist/clerk.headless*.js", "maxSize": "58KB" },
{ "path": "./dist/ui-common*.js", "maxSize": "113KB" },
Expand Down
70 changes: 70 additions & 0 deletions packages/clerk-js/src/core/resources/SignIn.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -497,12 +497,82 @@ class SignInFuture implements SignInFutureResource {
verifyCode: this.verifyEmailCode.bind(this),
};

resetPasswordEmailCode = {
sendCode: this.sendResetPasswordEmailCode.bind(this),
verifyCode: this.verifyResetPasswordEmailCode.bind(this),
submitPassword: this.submitResetPassword.bind(this),
};

constructor(readonly resource: SignIn) {}

get status() {
return this.resource.status;
}

async sendResetPasswordEmailCode(): Promise<{ error: unknown }> {
eventBus.emit('resource:error', { resource: this.resource, error: null });
try {
if (!this.resource.id) {
throw new Error('Cannot reset password without a sign in.');
}

const resetPasswordEmailCodeFactor = this.resource.supportedFirstFactors?.find(
f => f.strategy === 'reset_password_email_code',
);

if (!resetPasswordEmailCodeFactor) {
throw new Error('Reset password email code factor not found');
}

const { emailAddressId } = resetPasswordEmailCodeFactor;
await this.resource.__internal_basePost({
body: { emailAddressId, strategy: 'reset_password_email_code' },
action: 'prepare_first_factor',
});
} catch (err: unknown) {
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}

return { error: null };
}

async verifyResetPasswordEmailCode({ code }: { code: string }): Promise<{ error: unknown }> {
eventBus.emit('resource:error', { resource: this.resource, error: null });
try {
await this.resource.__internal_basePost({
body: { code, strategy: 'reset_password_email_code' },
action: 'attempt_first_factor',
});
} catch (err: unknown) {
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}

return { error: null };
}
Comment on lines +540 to +553
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Validate input before network call (verification code).

Avoid a roundtrip when the code is empty/whitespace. Emit and return an error immediately.

-  async verifyResetPasswordEmailCode({ code }: { code: string }): Promise<{ error: unknown }> {
-    eventBus.emit('resource:error', { resource: this.resource, error: null });
+  async verifyResetPasswordEmailCode({ code }: { code: string }): Promise<{ error: unknown }> {
+    if (!code?.trim()) {
+      const err = new Error('Verification code is required');
+      eventBus.emit('resource:error', { resource: this.resource, error: err });
+      return { error: err };
+    }
+    eventBus.emit('resource:error', { resource: this.resource, error: null });
     try {
       await this.resource.__internal_basePost({
         body: { code, strategy: 'reset_password_email_code' },
         action: 'attempt_first_factor',
       });

Please add a unit test for the empty/whitespace code input case.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
async verifyResetPasswordEmailCode({ code }: { code: string }): Promise<{ error: unknown }> {
eventBus.emit('resource:error', { resource: this.resource, error: null });
try {
await this.resource.__internal_basePost({
body: { code, strategy: 'reset_password_email_code' },
action: 'attempt_first_factor',
});
} catch (err: unknown) {
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}
return { error: null };
}
async verifyResetPasswordEmailCode({ code }: { code: string }): Promise<{ error: unknown }> {
if (!code?.trim()) {
const err = new Error('Verification code is required');
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}
eventBus.emit('resource:error', { resource: this.resource, error: null });
try {
await this.resource.__internal_basePost({
body: { code, strategy: 'reset_password_email_code' },
action: 'attempt_first_factor',
});
} catch (err: unknown) {
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}
return { error: null };
}
🤖 Prompt for AI Agents 
In packages/clerk-js/src/core/resources/SignIn.ts around lines 540 to 553, add
input validation to immediately handle empty or all-whitespace verification
codes: trim the incoming code and if it's empty, create an Error (e.g. new
Error('verification code is required')), emit eventBus.emit('resource:error', {
resource: this.resource, error }), and return { error } without calling
__internal_basePost. Update/ add unit tests to cover both empty string and
whitespace-only inputs: assert that an error is returned, eventBus emitted with
that error, and __internal_basePost was not invoked.


async submitResetPassword({
password,
signOutOfOtherSessions = true,
}: {
password: string;
signOutOfOtherSessions?: boolean;
}): Promise<{ error: unknown }> {
eventBus.emit('resource:error', { resource: this.resource, error: null });
try {
await this.resource.__internal_basePost({
body: { password, signOutOfOtherSessions },
action: 'reset_password',
});
} catch (err: unknown) {
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}

return { error: null };
}
Comment on lines +555 to +574
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Validate password input before network call; optionally pre-check policy.

  • Ensure password is non-empty before sending the request.
  • Optionally, call the existing validatePassword (policy pre-check) to provide earlier feedback.
   async submitResetPassword({
     password,
     signOutOfOtherSessions = true,
   }: {
     password: string;
     signOutOfOtherSessions?: boolean;
   }): Promise<{ error: unknown }> {
-    eventBus.emit('resource:error', { resource: this.resource, error: null });
+    if (!password) {
+      const err = new Error('Password is required');
+      eventBus.emit('resource:error', { resource: this.resource, error: err });
+      return { error: err };
+    }
+    eventBus.emit('resource:error', { resource: this.resource, error: null });
     try {
       await this.resource.__internal_basePost({
         body: { password, signOutOfOtherSessions },
         action: 'reset_password',
       });

Consider tests for:

  • empty password
  • successful submission with default signOutOfOtherSessions
  • explicit signOutOfOtherSessions: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
async submitResetPassword({
password,
signOutOfOtherSessions = true,
}: {
password: string;
signOutOfOtherSessions?: boolean;
}): Promise<{ error: unknown }> {
eventBus.emit('resource:error', { resource: this.resource, error: null });
try {
await this.resource.__internal_basePost({
body: { password, signOutOfOtherSessions },
action: 'reset_password',
});
} catch (err: unknown) {
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}
return { error: null };
}
async submitResetPassword({
password,
signOutOfOtherSessions = true,
}: {
password: string;
signOutOfOtherSessions?: boolean;
}): Promise<{ error: unknown }> {
if (!password) {
const err = new Error('Password is required');
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}
eventBus.emit('resource:error', { resource: this.resource, error: null });
try {
await this.resource.__internal_basePost({
body: { password, signOutOfOtherSessions },
action: 'reset_password',
});
} catch (err: unknown) {
eventBus.emit('resource:error', { resource: this.resource, error: err });
return { error: err };
}
return { error: null };
}
🤖 Prompt for AI Agents 
In packages/clerk-js/src/core/resources/SignIn.ts around lines 555 to 574, the
submitResetPassword method currently sends the network request without
validating the password; update it to first check that password is a non-empty
string and return an immediate error if empty, and optionally invoke the
existing validatePassword (policy pre-check) before the network call to produce
early, client-side feedback; preserve existing eventBus.error emissions on
failure and ensure returned error shape stays { error: unknown }; add unit tests
for empty password, successful submission with default signOutOfOtherSessions,
and explicit signOutOfOtherSessions: false.


async create(params: {
identifier?: string;
strategy?: OAuthStrategy | 'saml' | 'enterprise_sso';
Expand Down
5 changes: 5 additions & 0 deletions packages/types/src/signIn.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,11 @@ export interface SignInFutureResource {
sendCode: (params: { email: string }) => Promise<{ error: unknown }>;
verifyCode: (params: { code: string }) => Promise<{ error: unknown }>;
};
resetPasswordEmailCode: {
sendCode: () => Promise<{ error: unknown }>;
verifyCode: (params: { code: string }) => Promise<{ error: unknown }>;
submitPassword: (params: { password: string; signOutOfOtherSessions?: boolean }) => Promise<{ error: unknown }>;
};
sso: (params: {
flow?: 'auto' | 'modal';
strategy: OAuthStrategy | 'saml' | 'enterprise_sso';
Expand Down
Loading