Add email+password recovery mode with lookup-key gating (#13897)

<img width="534" height="649" alt="image"
src="https://github.com/user-attachments/assets/722fab95-a38d-4bb4-882a-2f3bb9afec12"
/>

## Summary
- support mode=emailpassword recovery links by prompting for new email +
password
- gate auto-open reset flow on required params:
  - mode=password (or warning=RECOVERY_DO_NOT_SHARE) requires email
  - mode=emailpassword requires lookupKey
- pass lookupKey through reset flow as oldLookupKey
- defer browser-push confirmation until password-reset flow is finished
(so push modal no longer overlays the recovery modal)
- preserve backwards compatibility for legacy localStorage payloads
- fix password-reset saga so success is not dispatched after a failed
reset attempt

## Validation
- cd packages/web && npx eslint
src/components/password-reset/PasswordResetModal.tsx
src/components/password-reset/store/actions.ts
src/components/password-reset/store/sagas.tsx
src/common/store/pages/signon/sagas.ts
- cd packages/common && npx eslint src/services/auth/authService.ts
- cd packages/web && npm run typecheck (fails due existing unrelated
error in src/pages/oauth-login-page/hooks.ts(50,21): TS18047)

Author: raymondjacobson

packages/common/src/services/auth/authService.ts

@@ -37,10 +37,12 @@ export type AuthService = {
   signOut: () => Promise<void>
   resetPassword: ({
     username,
-    password
+    password,
+    oldLookupKey
   }: {
     username: string
     password: string
+    oldLookupKey?: string
   }) => Promise<void>
   getWallet: () => EthWallet | null
   generateRecoveryInfo: () => Promise<{ login: string; host: string }>
@@ -84,12 +86,18 @@ export const createAuthService = ({
 
   const resetPassword = async ({
     username,
-    password
+    password,
+    oldLookupKey
   }: {
     username: string
     password: string
+    oldLookupKey?: string
   }) => {
-    return hedgehogInstance.resetPassword({ username, password })
+    return hedgehogInstance.resetPassword({
+      username,
+      password,
+      oldLookupKey
+    })
   }
 
   const generateRecoveryInfo = async () => {

packages/web/index.html

@@ -66,10 +66,16 @@
     <script async type="text/javascript">
       // Account recovery
       try {
+        const RESET_REQUIRED_KEY = 'password-reset-required'
         const urlParams = new URLSearchParams(window.location.search)
         const useHashRouting = '%USE_HASH_ROUTING%' === 'true'
         const login = urlParams.get('login')
         const warning = urlParams.get('warning')
+        const mode = urlParams.get('mode')
+        const email = urlParams.get('email')
+        const lookupKey = urlParams.get('lookupKey')
+        const hasEmail = Boolean(email)
+        const hasLookupKey = Boolean(lookupKey)
 
         let entropy = null
         if (login) {
@@ -82,9 +88,38 @@
           redirectUrl += location.pathname
           window.history.replaceState({}, document.title, redirectUrl)
         }
-        if (warning === 'RECOVERY_DO_NOT_SHARE') {
-          const email = urlParams.get('email')
-          window.localStorage.setItem('password-reset-required', email)
+
+        const isEmailPasswordRecovery = mode === 'emailpassword'
+        const isPasswordRecovery =
+          !isEmailPasswordRecovery &&
+          (warning === 'RECOVERY_DO_NOT_SHARE' || mode === 'password')
+        const isRecoveryMode = isPasswordRecovery || isEmailPasswordRecovery
+
+        if (isRecoveryMode) {
+          let resetPayload = null
+
+          if (isEmailPasswordRecovery && hasLookupKey) {
+            resetPayload = {
+              mode: 'emailpassword',
+              email: email ?? undefined,
+              lookupKey
+            }
+          } else if (isPasswordRecovery && hasEmail) {
+            resetPayload = {
+              mode: 'password',
+              email
+            }
+          }
+
+          if (resetPayload) {
+            window.localStorage.setItem(
+              RESET_REQUIRED_KEY,
+              JSON.stringify(resetPayload)
+            )
+          } else {
+            window.localStorage.removeItem(RESET_REQUIRED_KEY)
+          }
+
           let redirectUrl = location.protocol + '//' + location.host
           if (useHashRouting) {
             redirectUrl += '/#'

packages/web/src/common/store/pages/signon/sagas.ts

@@ -98,6 +98,7 @@ const { toast } = toastActions
 
 const SIGN_UP_TIMEOUT_MILLIS = 20 /* min */ * 60 * 1000
 const DEFAULT_HANDLE_VERIFICATION_TIMEOUT_MILLIS = 5_000
+const PASSWORD_RESET_REQUIRED_KEY = 'password-reset-required'
 
 const messages = {
   incompleteAccount:
@@ -107,6 +108,11 @@ const messages = {
     'Your account has been deactivated. Please contact support.'
 }
 
+const hasPendingPasswordReset = () => {
+  if (typeof window === 'undefined') return false
+  return Boolean(window.localStorage.getItem(PASSWORD_RESET_REQUIRED_KEY))
+}
+
 function* getDefautFollowUserIds() {
   const { ENVIRONMENT } = yield* getContext('env')
   // Users ID to filter out of the suggested artists to follow list and to follow by default
@@ -958,6 +964,9 @@ function* signIn(action: ReturnType<typeof signOnActions.signIn>) {
       yield* put(requestPushNotificationPermissions())
     } else {
       setHasRequestedBrowserPermission()
+      while (hasPendingPasswordReset()) {
+        yield* delay(500)
+      }
       yield* put(accountActions.showPushNotificationConfirmation())
       if (user.handle === 'fbtest') {
         yield put(pushRoute('/fb/share'))