Social auth: password set up flow #4271

Merged
hlbmtc merged 4 commits into main from feat/2091-password-setup-flow
Feb 9, 2026

@hlbmtc hlbmtc commented Feb 6, 2026

Updated user account settings. If you signed up via Google/Facebook, we now show a disclaimer that you need to set up a password:

image

Clicking email change now shows an error toast:

image

The user is prompted to set up a password via the email password reset flow:

image

Slightly modified password reset page + added extra copy:
image

closes #2091

Summary by CodeRabbit

  • New Features

    • Password setup email flow for social-login accounts
    • Banner and messaging for accounts without passwords
    • New localized strings for password/email flows (multiple languages)
  • Improvements

    • Password reset page redesigned with loading states and better feedback
    • Prevent email changes until a password is set; clearer user prompts and toasts

coderabbitai bot commented Feb 6, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

Adds password-setup flows for social-auth users: new translations, frontend UI/components and actions to request/set passwords, backend endpoint and serializer field exposing password presence, and updated password-reset/account-setting flows and types.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Localization: front_end/messages/{cs,en,es,pt,zh-TW,zh}.json | Added 6 translation keys for password setup/reset and no-password UI (passwordResetPageDescription, socialAccountNoPasswordBanner, noPasswordYet, sendSetPasswordEmail, sendSetPasswordEmailSuccess, setPasswordRequiredForEmailChange). |
| Frontend — Account Settings UI: front_end/src/app/(main)/accounts/settings/account/components/change_password.tsx, .../no_password_banner.tsx, .../email_edit.tsx, .../page.tsx | Introduced NoPasswordBanner, changed ChangePassword to accept hasPassword and conditionally render change vs. set-password flows; prevent email edits when no password and surface toast. |
| Frontend — Password Reset UI: front_end/src/app/(main)/accounts/reset/components/password_reset.tsx, .../actions.ts, .../page.tsx | Refactored reset form layout, added loading state handling, hidden uid/token fields, and redirect to account settings after successful reset (replaced returning data with navigation). |
| Frontend — Actions / API client / Types: front_end/src/app/(main)/accounts/settings/actions.tsx, front_end/src/services/api/profile/profile.server.ts, front_end/src/types/users.ts | Added sendSetPasswordEmail() action and API client method; added has_password: boolean to CurrentUser type. |
| Backend — Serializer and Endpoint: users/serializers.py, users/urls.py, users/views.py | Added has_password SerializerMethodField on UserPrivateSerializer; new POST endpoint /users/me/request-set-password/ and view send_set_password_email_api_view to send set-password emails when user lacks a usable password. |

Sequence Diagram

sequenceDiagram
    actor User
    participant Frontend as Frontend (React)
    participant Action as Frontend Action
    participant Backend as Backend API
    participant DB as Database

    User->>Frontend: Open Account Settings
    Frontend->>Backend: GET /users/me (fetch profile)
    Backend->>DB: Read user.has_password
    DB-->>Backend: has_password=false
    Backend-->>Frontend: Return profile (has_password=false)
    Frontend->>Frontend: Render NoPasswordBanner, disable email edit

    User->>Frontend: Click "Send Set-Password Email"
    Frontend->>Action: sendSetPasswordEmail()
    Action->>Backend: POST /users/me/request-set-password/
    Backend->>DB: Check has_usable_password()
    Backend->>Backend: send_password_reset_email(user)
    Backend-->>Action: 204 No Content
    Action-->>Frontend: Success response
    Frontend->>Frontend: Show success toast

    User->>Frontend: Click link in email (uid, token)
    Frontend->>Frontend: Load password reset page with form
    User->>Frontend: Submit new password
    Frontend->>Action: passwordResetConfirmAction(uid, token, password)
    Action->>Backend: POST /accounts/auth/password/reset/confirm/
    Backend->>DB: Set user password
    Backend-->>Action: Success
    Action->>Frontend: Redirect to /accounts/settings/account/
    Frontend->>Backend: GET /users/me
    Backend->>DB: Return has_password=true
    Frontend->>Frontend: Render updated settings (email edit enabled)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • aseckin
  • elisescu
  • cemreinanc

Poem

🐰 A rabbit nibbles keys and strings,
Hops through banners, toasts, and things,
Sends an email, sets a pass,
Unlocks the gate — no social impasse,
Hooray — users can change at last! 🎉

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Social auth: password set up flow' clearly and concisely summarizes the main change: enabling password setup for social authentication accounts. |
| Linked Issues check | ✅ Passed | All coding requirements from issue #2091 are implemented: accounts without passwords now show a banner, email changes are blocked with error messaging until password is set, password setup flow works without requiring old password, and set-password emails are supported. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to social auth password setup workflow. Translations, UI components, API endpoints, and serializer updates all support the core objectives without introducing unrelated functionality. |
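
An added example, not code from this PR or the project: a framework-free Python model of the server-side rules the walkthrough describes, showing why a set-password link should stop working once a password exists. The token format, the 400 status, the one-hour lifetime and the server-side email guard are assumptions; only the `!` unusable-password prefix follows Django's convention.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

SECRET = b"constructed-demo-key"  # constructed for this demo only
TOKEN_TTL = 3600  # assumed link lifetime, in seconds
UNUSABLE = "!"  # Django prefixes unusable password values with "!"
@dataclass
class User:
    uid: int
    email: str
    password: str = UNUSABLE + "social"  # social sign-up: nothing usable stored
    outbox: list = field(default_factory=list)  # stands in for the mailer
    @property
    def has_password(self):
        return not self.password.startswith(UNUSABLE)

def _sign(user, ts):
    # The MAC covers the stored password value, so setting a password
    # invalidates every link issued before it (single use).
    msg = f"{user.uid}:{user.password}:{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def request_set_password(user, now=None):
    """Model of POST /users/me/request-set-password/; returns an HTTP status."""
    now = int(time.time()) if now is None else now
    if user.has_password:
        return 400  # assumed status; the page shows only the 204 path
    user.outbox.append(f"{now}-{_sign(user, now)}")
    return 204

def confirm_set_password(user, token, new_password, now=None):
    now = int(time.time()) if now is None else now
    ts, _, mac = token.partition("-")
    if not (ts.isascii() and ts.isdigit()) or now - int(ts) > TOKEN_TTL:
        return False  # malformed or expired
    if not hmac.compare_digest(mac.encode(), _sign(user, int(ts)).encode()):
        return False  # forged, or issued before the password changed
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
    user.password = f"pbkdf2${salt.hex()}${digest.hex()}"
    return True

def change_email(user, new_email):
    if not user.has_password:  # enforce the UI rule on the server as well
        return False
    user.email = new_email
    return True
```
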


github-actions bot commented Feb 6, 2026

🧹 Preview Environment Cleaned Up

The preview environment for this PR has been destroyed.

| Resource | Status |
|---|---|
| 🌐 Preview App | ✅ Deleted |
| 🗄️ PostgreSQL Branch | ✅ Deleted |
| ⚡ Redis Database | ✅ Deleted |
| 🔧 GitHub Deployments | ✅ Removed |
| 📦 Docker Image | ⚠️ Retained (auto-cleanup via GHCR policies) |

Cleanup triggered by PR close at 2026-02-09T11:14:18Z

hlbmtc commented Feb 6, 2026

@coderabbitai review

coderabbitai bot commented Feb 6, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ncarazon ncarazon left a comment

LGTM

@elisescu elisescu left a comment

LGTM

@hlbmtc hlbmtc merged commit 1010ccf into main Feb 9, 2026
7 checks passed
@hlbmtc hlbmtc deleted the feat/2091-password-setup-flow branch February 9, 2026 11:14

Development

Successfully merging this pull request may close these issues.

Email/Password Change Flow for Accounts Registered via Social Auth

4 participants