fix: remove password rendering from registration flow #198

Merged
forgejo_admin merged 1 commit from 168-remove-password-rendering into main 2026-03-28 00:07:52 +00:00

Summary

  • Remove all plaintext password display from registration confirmation pages, email templates, and JSON API responses
  • Users now see "Set Your Password" messaging directing them to Keycloak's self-service email flow
  • Aligns with enterprise passwordless model established in PR #167

Changes

  • src/basketball_api/services/keycloak.py: Remove password: "" key from create_account_for_parent() return dict
  • src/basketball_api/services/email.py: Replace password field with "Set Your Password" instructions in both plaintext and HTML email templates
  • src/basketball_api/routes/register.py: Replace password display with set-password instructions on confirmation page; remove result["password"] from JSON API response
  • tests/test_keycloak_integration.py: Update assertion to expect no password key in result

Test Plan

  • [x] Tests pass locally (47 passed across test_account_creation, test_health, test_promo_registration)
  • [x] ruff format and ruff check clean
  • [ ] Manual verification: registration email shows "Set Your Password" messaging
  • [ ] Manual verification: confirmation page shows set-password instructions
  • [ ] Manual verification: JSON API response has no password key
  • [ ] Cross-repo: westside-app register/+page.svelte:156 reads result.password -- tracked separately

Review Checklist

  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit messages are descriptive

Related Notes

  • Closes #168
  • Parent: PR #167 (enterprise login)
  • Cross-repo concern: westside-app frontend reads result.password (tracked in issue #168)
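The property this PR establishes (no credential field in the service result, the JSON response or either email template) is worth checking structurally rather than with a single key lookup. The block below is an added example, not code from basketball-api or from this PR: the result dicts, JSON bodies, email texts, key names and the helper names credential_paths, rendered_password_values and check_registration_outputs are all constructed for illustration and assume nothing about the project's real shapes. It goes beyond the PR's `"password" not in result` assertion by walking nested keys and scanning rendered plaintext and HTML bodies, since a temporary credential can surface under a nested key or inside the HTML template just as easily as at the top level.

```python
"""Regression check: no credential material in registration outputs.

Added example, not code from the basketball-api project. The result dicts and
email bodies below are constructed samples; the real create_account_for_parent()
return shape and email templates are not reproduced here.
"""
import json
import re
from typing import Any, Iterator

# Key names that must not appear in a registration result or API response.
# The pattern is an assumption for this example; widen it to fit the real schema.
CREDENTIAL_KEY = re.compile(r"pass(word|wd|phrase)?|pwd|secret", re.I)

# A rendered "Password: <value>" label at line start. Instruction text such as
# "Set Your Password: ..." starts with a verb and is deliberately not matched.
PASSWORD_LABEL = re.compile(
    r"^\s*(?:(?:your|temporary|temp|initial)\s+)?password\s*[:=]\s*(?P<value>\S.*?)\s*$",
    re.I | re.M,
)
HTML_TAG = re.compile(r"<[^>]+>")


def credential_paths(obj: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSONPath-like path for every credential-looking key, recursively.

    The value is not inspected: an empty-string "password" key still advertises
    the field to API clients (cf. the frontend's result.password read).
    """
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if CREDENTIAL_KEY.search(str(key)):
                yield child
            yield from credential_paths(value, child)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from credential_paths(item, f"{path}[{i}]")


def rendered_password_values(body: str) -> list[str]:
    """Return every password value rendered in a plaintext or HTML body.

    Tags become newlines so "<li>Password: x</li>" is checked as its own line.
    """
    plain = HTML_TAG.sub("\n", body)
    return [m.group("value") for m in PASSWORD_LABEL.finditer(plain)]


def check_registration_outputs(
    result: dict, json_body: str, email_text: str, email_html: str
) -> list[str]:
    """Collect findings across the service result, the API body and both emails.

    An empty list is the property a post-fix test should assert.
    """
    findings = [f"result: {p}" for p in credential_paths(result)]
    findings += [f"json: {p}" for p in credential_paths(json.loads(json_body))]
    findings += [f"email_text: {v}" for v in rendered_password_values(email_text)]
    findings += [f"email_html: {v}" for v in rendered_password_values(email_html)]
    return findings


# Constructed samples: a pre-fix shape that carries a temp credential, then a
# passwordless shape that points the user at Keycloak's set-password email.
BEFORE_RESULT = {
    "user_id": "2f4e1c9a",
    "username": "parent@example.com",
    "password": "",  # present but empty: the field itself is the leak
    "players": [{"player_id": 42, "login": {"temp_password": "Xy7!q"}}],
}
BEFORE_EMAIL_TEXT = "Welcome!\nUsername: parent@example.com\nPassword: Xy7!q\n"
BEFORE_EMAIL_HTML = "<ul><li>Username: parent@example.com</li><li>Password: Xy7!q</li></ul>"

AFTER_RESULT = {
    "user_id": "2f4e1c9a",
    "username": "parent@example.com",
    "next_step": "set_password_email",
    "players": [{"player_id": 42}],
}
AFTER_EMAIL_TEXT = (
    "Welcome!\nUsername: parent@example.com\n"
    "Set Your Password: check your inbox for a link from Keycloak.\n"
)
AFTER_EMAIL_HTML = "<p><b>Set Your Password</b>: use the link sent by Keycloak.</p>"


def before_findings() -> list[str]:
    return check_registration_outputs(
        BEFORE_RESULT, json.dumps(BEFORE_RESULT), BEFORE_EMAIL_TEXT, BEFORE_EMAIL_HTML
    )


def after_findings() -> list[str]:
    return check_registration_outputs(
        AFTER_RESULT, json.dumps(AFTER_RESULT), AFTER_EMAIL_TEXT, AFTER_EMAIL_HTML
    )
```

Wired into a test suite, the pre-fix samples produce six findings (two key paths in the result, the same two in the JSON round-trip, one value in each email body) and the passwordless samples produce none. The label regex is a heuristic for rendered templates; for generated credentials a stronger check is to plant a known canary value and assert it appears in no output at all.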
fix: add data fix script for contradictory jersey state (#171)
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
f762fe6983
Player id=161 has jersey_option=opt_out + jersey_order_status=pending
in the players table, but a pending Reversible Jersey order (#14) in
the orders table. Neither path completed payment. Script resets player
jersey fields to NULL/none and cancels pending orders. Also checks
sibling players under the same parent for the same contradictory state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin force-pushed 168-remove-password-rendering from f762fe6983
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
to 51e5a3002f
All checks were successful
ci/woodpecker/pr/woodpecker Pipeline was successful
2026-03-27 22:19:08 +00:00

QA Review

VERDICT: APPROVE

Diff Analysis (4 files, +27/-31)

All changes are tightly scoped to the issue requirements:

  1. keycloak.py -- create_account_for_parent() return dict drops password: "". Comment updated. Clean.
  2. email.py -- Plaintext template (lines 88-93) and HTML _build_credentials_html (lines 172-188) both replace password rendering with "Set Your Password" instructions pointing to Keycloak email. The cred_password variable is fully removed. Docstring updated.
  3. register.py -- Confirmation page HTML replaces password display with set-password messaging. JSON API response drops result["password"]. Comments updated.
  4. test_keycloak_integration.py -- Assertion updated from result["password"] == "" to "password" not in result.

Verification

  • 47 tests pass (test_account_creation, test_health, test_promo_registration)
  • ruff format + check clean
  • No secrets, no unrelated changes
  • DB-dependent test errors are pre-existing fixture issues (unrelated)

Cross-Repo Note

westside-app register/+page.svelte:156 reads result.password -- documented in PR body and issue #168 as a separate concern. This is correctly scoped as basketball-api only.

Nits

None.

forgejo_admin deleted branch 168-remove-password-rendering 2026-03-28 00:07:52 +00:00