Cleanup: remove password rendering from registration confirmation flow #168

Closed
opened 2026-03-25 00:50:13 +00:00 by forgejo_admin · 2 comments

Type

Feature

Lineage

Discovered during QA review of PR #167 (enterprise login)

Repo

forgejo_admin/basketball-api

User Story

As a platform operator
I want all password rendering removed from registration flows
So that the enterprise passwordless model is fully consistent

Context

PR #167 removed plaintext passwords from announcement emails but two remnants remain:

  1. register.py confirmation page renders an empty password field due to backward-compatible password: "" return from create_account_for_parent()
  2. send_registration_email() in services/email.py still has password rendering logic in the template

File Targets

  • src/basketball_api/routes/register.py — remove password from confirmation response, update messaging
  • src/basketball_api/services/email.py — update send_registration_email() template to remove password rendering
    • Lines 88-93: plaintext password block
    • Lines 172-188: HTML password block
  • src/basketball_api/services/keycloak.py — remove password: "" from create_account_for_parent() return

Cross-Repo Note

westside-app: src/routes/(app)/register/+page.svelte line 156 reads result.password from the API response. This will break if the password key is removed without a corresponding frontend update. Coordinate or verify frontend handles missing key gracefully.

Acceptance Criteria

  • Confirmation page shows "set your password" messaging instead of empty password
  • Registration email shows "set your password" messaging instead of password field
  • create_account_for_parent() no longer returns password key
  • westside-app frontend doesn't break (check if it reads password from response)

Test Expectations

  • Registration confirmation response has no password key
  • Registration email contains "set your password" messaging
  • Run command: pytest tests/ -k "register" -v

Constraints

  • Must not break westside-app frontend — check if it reads the password field from the response
  • Follow enterprise passwordless pattern from PR #167

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • PR #167 (enterprise login — parent change)
  • Issue #129 (enterprise login)
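An added regression check for the two test expectations in the ticket above; it is not code from basketball-api. The helper names, the credential key list and the sample response and email bodies are assumptions constructed for illustration.

```python
import re

# Key names treated as credential fields (assumed list, extend as needed).
CREDENTIAL_KEYS = {"password", "temp_password", "temporary_password"}
LABEL_RE = re.compile(r"\b(?:temporary\s+)?password\s*:", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def find_credential_keys(payload, path="$"):
    """Return JSON paths of every credential-named key, even if its value is empty."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if str(key).lower() in CREDENTIAL_KEYS:
                hits.append(child)
            hits.extend(find_credential_keys(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_credential_keys(item, f"{path}[{i}]"))
    return hits


def email_problems(body):
    """Check a plaintext or HTML email body against the ticket's expectations."""
    text = TAG_RE.sub(" ", body)  # flatten HTML so both render paths are checked alike
    problems = []
    if LABEL_RE.search(text):
        problems.append("credential label rendered")
    if "set your password" not in text.lower():
        problems.append("missing 'set your password' messaging")
    return problems


# Constructed samples: a response shape before and after the cleanup.
BEFORE = {"status": "ok", "account": {"username": "parent@example.com", "password": ""}}
AFTER = {"status": "ok", "account": {"username": "parent@example.com"}}
HTML_BEFORE = "<p>Username: parent@example.com</p><p><b>Password:</b> </p>"
TEXT_AFTER = "Your account is ready. Use the link below to set your password."

if __name__ == "__main__":
    print(find_credential_keys(BEFORE), find_credential_keys(AFTER))
    print(email_problems(HTML_BEFORE), email_problems(TEXT_AFTER))
```

The key check flags the empty-string `password: ""` case as well, because the presence of the key, not its value, is what the confirmation page renders.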
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-353-2026-03-27

Template is complete and traceability labels are in place. All 3 file targets verified in codebase. However, two issues found:

  • Cross-repo scope undocumented: westside-app reads result.password at src/routes/(app)/register/+page.svelte:156 (optional chaining won't crash, but confirmation UI will show empty credentials). Ticket must state whether a westside-app PR is also needed or explicitly defer it.
  • Missing file target: email.py has TWO password rendering paths -- plaintext (lines 88-93) and HTML credential block (_render_credentials_section, lines 172-188). Both must be listed so the agent doesn't miss one.
  • keycloak.py:330 already returns password: "" (empty string for backward compat) -- the ticket should note this is the source of the empty password field being rendered.
Author
Owner

Issue body updated per scope review corrections.
