Add password reset and Google OAuth authentication #46

@CarlosCanet

Description

Implement password reset functionality and Google OAuth authentication using BetterAuth.

Tasks

Password Reset

  • Configure BetterAuth password reset plugin
  • Create forgot-password page with email input form
  • Create reset-password page with token validation and new password form
  • Setup Resend email service integration
  • Create password reset email template
  • Implement Server Actions for forgot/reset flows
  • Add "Forgot password?" link to sign-in page
  • Test complete password reset flow (email → token → reset → login)

Google OAuth

  • Configure Google OAuth provider in src/lib/auth.ts
  • Setup Google Cloud Console OAuth credentials
  • Add GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET to .env
  • Add Google sign-in button to sign-in page
  • Add Google sign-up button to sign-up page
  • Handle account linking for existing email users
  • Map Google profile data to User model (username, email, image)
  • Test Google OAuth login for new users
  • Test Google OAuth login for existing users

Error Handling & UX

  • Add error states for all flows
  • User-friendly error messages
  • Loading states during OAuth
  • Success feedback messages
  • Redirect handling after OAuth

Technical Details

Password Reset Flow

  1. User enters email on forgot-password page
  2. System generates secure token (1 hour expiration)
  3. Email sent via Resend with reset link
  4. User clicks link → reset-password page with token
  5. User enters new password (with confirmation)
  6. Token validated (exists, not expired, single-use)
  7. Password updated, token invalidated
  8. User redirected to sign-in with success message

Google OAuth Flow

// In src/lib/auth.ts
import { betterAuth } from "better-auth";

export const auth = betterAuth({
  // ...existing configuration...
  socialProviders: {
    google: {
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
      // Must match an authorised redirect URI registered in Google Cloud Console
      redirectURI: `${process.env.BETTER_AUTH_URL}/api/auth/callback/google`,
    },
  },
});

Email Template (Resend)

  • Subject: "Reset your Advienté password"
  • Body: Branded HTML with reset link
  • Link format: ${baseURL}/reset-password?token=${token}
  • Token expiration: 1 hour
  • Single-use token enforcement

Security Considerations

  • ✅ Secure token generation (cryptographically random)
  • ✅ Token expiration (1 hour maximum)
  • ✅ Single-use tokens (mark as used after reset)
  • ✅ Rate limiting on forgot-password requests (prevent spam)
  • ✅ HTTPS only cookies for OAuth
  • ✅ CSRF protection for OAuth callback
  • ✅ Validate redirect URLs (prevent open redirect)
  • ✅ Password strength validation (HTML5 + server-side)
  • ✅ Account linking validation (same email check)
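Three of the checks above as pure functions, as an added example that is not the repository's code: redirect validation against the application's own origin, a sliding-window rate limit on forgot-password requests keyed by e-mail address, and the account-linking same-email check. The linking check goes beyond the list above by also requiring Google's `email_verified` claim, an assumption added here; the `GoogleProfile` and `LocalUser` shapes, `safeRedirect`, `ForgotPasswordLimiter` and `canLinkGoogleAccount` are constructed for the example and are not BetterAuth types or APIs.

```typescript
// Added example, not code from the Advienté repository: three checks from the
// Security Considerations list as standalone functions that run offline.

// Validate redirect URLs (prevent open redirect). Only a path on the application's own
// origin is accepted; anything else collapses to the fallback.
export function safeRedirect(target: string | null | undefined, baseURL: string, fallback = "/"): string {
  if (!target) return fallback;
  // Reject protocol-relative ("//host") and backslash variants ("/\host") up front;
  // browsers normalise the latter to the former. Absolute URLs fail the "/" test.
  if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) return fallback;
  let parsed: URL;
  try {
    parsed = new URL(target, baseURL);
  } catch {
    return fallback;
  }
  // Second line of defence: whatever the parser made of it must still be our origin.
  if (parsed.origin !== new URL(baseURL).origin) return fallback;
  return parsed.pathname + parsed.search; // fragment dropped, always a relative path
}

// Rate limiting on forgot-password requests: sliding window per normalised address.
// The caller must answer identically whether or not the request is allowed, so the
// limiter does not reveal which addresses are registered.
export class ForgotPasswordLimiter {
  private readonly hits = new Map<string, number[]>();
  constructor(private readonly max = 3, private readonly windowMs = 15 * 60 * 1000) {}

  // true: process the request; false: drop it (but still show the same success page)
  allow(email: string, now = Date.now()): boolean {
    const key = email.trim().toLowerCase();
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Account linking validation (same email check). Constructed shapes for the relevant
// Google ID-token claims and the local user row; not BetterAuth's own types.
export interface GoogleProfile { sub: string; email: string; email_verified: boolean }
export interface LocalUser { email: string; googleSub: string | null }

export function canLinkGoogleAccount(profile: GoogleProfile, existing: LocalUser): boolean {
  // Assumption added here: only link when Google asserts it verified the address, so a
  // matching but unverified e-mail cannot take over an existing local account.
  if (!profile.email_verified) return false;
  // A user already linked to a different Google account is not re-linked.
  if (existing.googleSub !== null && existing.googleSub !== profile.sub) return false;
  return profile.email.trim().toLowerCase() === existing.email.trim().toLowerCase();
}
```

`safeRedirect` is the function to run on any `callbackURL` or `next` parameter before handing it to the OAuth callback's final redirect; the limiter's return value should change only whether the e-mail is sent, never the response the browser sees.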

Definition of Done

  • Password reset flow works end-to-end
  • Emails sent successfully via Resend
  • Google OAuth works for new users
  • Google OAuth works for existing users (account linking)
  • All error states handled gracefully
  • User-friendly email templates
  • Security best practices implemented
  • Manual testing completed
  • Documentation updated in AGENTS.md

Dependencies

Files to Create/Modify

  • src/app/forgot-password/page.tsx (new)
  • src/app/reset-password/page.tsx (update existing placeholder)
  • src/app/sign-in/page.tsx (add forgot password link)
  • src/app/sign-up/page.tsx (add Google sign-up button)
  • src/lib/auth.ts (uncomment Google provider config)
  • src/lib/email.ts (new - Resend integration)
  • .env (add Resend + Google keys)

Phase: 1.2 Security & Auth Core
Milestone: MVP
Priority: High

Labels: feature (New functionality), priority: high (Must have for milestone), security (OWASP/security improvements)