Social auth: password set up flow #4271

Open
hlbmtc wants to merge 3 commits into main from feat/2091-password-setup-flow

hlbmtc (Contributor) commented Feb 6, 2026

Updated user account settings. If you signed up via Google/Facebook, we now show a disclaimer that you need to set up a password:

image

Clicking email change now shows an error toast:

image

The user is prompted to set up a password via the email password reset flow:

image

Slightly modified password reset page + added extra copy:
image

closes #2091

Summary by CodeRabbit

  • New Features

    • Added password setup workflow for accounts created via social login with confirmation emails
    • Enforced password requirement before changing email address
    • Introduced notification banner for accounts without passwords
    • Extended localization for password management flows across multiple languages
  • Improvements

    • Enhanced password reset page with improved UI and loading state indicators
    • Strengthened account security controls during email change operations
    • Improved user feedback and experience during password-related operations

coderabbitai bot (Contributor) commented Feb 6, 2026

Walkthrough

This PR implements password setup and email management flows for social-authentication users. It adds new localization strings, a backend endpoint to request password setup emails, updated user serialization to expose password status, frontend components for managing no-password states, and refactored account settings and password reset interfaces to handle users without existing passwords.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Localization Updates<br>`front_end/messages/{cs,en,es,pt,zh-TW,zh}.json` | Added 6 new translation keys across all language files: passwordResetPageDescription, socialAccountNoPasswordBanner, noPasswordYet, sendSetPasswordEmail, sendSetPasswordEmailSuccess, and setPasswordRequiredForEmailChange. |
| Backend - User Serialization<br>`users/serializers.py` | Added has_password field to UserPrivateSerializer with getter method returning user password status via has_usable_password(). |
| Backend - User API Endpoint<br>`users/urls.py`, `users/views.py` | New POST endpoint /users/me/request-set-password/ that sends password setup email to users without existing password; validates and returns HTTP 204 on success. |
| Frontend - Type Definitions<br>`front_end/src/types/users.ts` | Added has_password: boolean field to CurrentUser type. |
| Frontend - API Client & Actions<br>`front_end/src/services/api/profile/profile.server.ts`, `front_end/src/app/(main)/accounts/settings/actions.tsx` | Added sendSetPasswordEmail() method to API client and corresponding server action with error handling. |
| Frontend - Account Settings Components<br>`front_end/src/app/(main)/accounts/settings/account/components/change_password.tsx`, `no_password_banner.tsx`, `email_edit.tsx`, `page.tsx` | New NoPasswordBanner component; refactored ChangePassword to accept hasPassword prop and conditionally render password-change or password-setup forms; added password requirement check before email changes; integrated banner in account page. |
| Frontend - Password Reset Flow<br>`front_end/src/app/(main)/accounts/reset/components/password_reset.tsx`, `actions.ts`, `page.tsx` | Improved form layout with loading spinner; replaced client-side redirect with localized UI; changed post-reset navigation to account settings page; removed auth-session check in favor of translations. |

Sequence Diagram

```mermaid
sequenceDiagram
    actor User
    participant Frontend as Frontend (React)
    participant Action as Server Action
    participant Backend as Backend API
    participant DB as Database

    User->>Frontend: Open Account Settings (no password)
    Frontend->>DB: Fetch current user profile
    DB-->>Frontend: Return user with has_password=false
    Frontend->>Frontend: Render NoPasswordBanner + email disabled

    User->>Frontend: Click "Send Set-Password Email"
    Frontend->>Action: sendSetPasswordEmail()
    Action->>Backend: POST /users/me/request-set-password/
    Backend->>DB: Check user.has_usable_password()
    Backend->>Backend: Send password reset email
    Backend-->>Action: HTTP 204 (success)
    Action-->>Frontend: {} success response
    Frontend->>Frontend: Show success toast

    User->>User: Click email link in password reset email
    User->>Frontend: Navigate to /accounts/reset?uid=X&token=Y
    Frontend->>Frontend: Load password reset form

    User->>Frontend: Submit new password
    Frontend->>Action: passwordResetConfirmAction(uid, token, password)
    Action->>Backend: POST /accounts/auth/password/reset/confirm/
    Backend->>DB: Set user password via set_password()
    Backend-->>Action: Success
    Action->>Frontend: Redirect to /accounts/settings/account/
    Frontend->>Frontend: User now has password, email edit enabled
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • DRF Tokens migration #4075: Introduces API-key-related migrations and modifications to authentication.models.ApiKey which are referenced in backend endpoint implementation.

Suggested reviewers

  • elisescu
  • cemreinanc
  • ncarazon

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Social auth: password set up flow' clearly and concisely summarizes the main change: enabling password setup for social authentication accounts. |
| Linked Issues check | ✅ Passed | All coding requirements from issue #2091 are implemented: accounts without passwords now show a banner, email changes are blocked with error messaging until password is set, password setup flow works without requiring old password, and set-password emails are supported. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to social auth password setup workflow. Translations, UI components, API endpoints, and serializer updates all support the core objectives without introducing unrelated functionality. |

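An added example (not code from this PR or the Metaculus repository): a stdlib-only Python model of the server-side checks the walkthrough above describes, with a setup token bound to the stored password field the way Django's reset tokens are, so a used link stops verifying. The `User` class, `SECRET`, the sample addresses and the 400/403 status codes are assumptions; only the endpoint path and the 204 come from the page.

```python
import hashlib, hmac, secrets
SECRET = b"constructed-demo-secret"   # assumption: stands in for the server signing key
UNUSABLE_PREFIX = "!"                 # Django's marker for "no usable password"

class User:
    def __init__(self, uid, email, password_hash=None):
        self.uid, self.email = uid, email
        # Social sign-ups store an unusable marker instead of a password hash.
        self.password = password_hash or UNUSABLE_PREFIX + secrets.token_hex(20)

    def has_usable_password(self):
        return not self.password.startswith(UNUSABLE_PREFIX)

def make_token(user):
    # Bound to the stored password field: setting a password invalidates old links.
    msg = f"{user.uid}:{user.password}:{user.email}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def request_set_password(user, outbox):
    """Models POST /users/me/request-set-password/ and returns a status code."""
    if user.has_usable_password():
        return 400          # assumption: accounts with a password use the change flow
    outbox.append((user.email, user.uid, make_token(user)))
    return 204

def confirm_set_password(user, token, new_password):
    """Models the reset-confirm step and returns a status code."""
    if not hmac.compare_digest(token, make_token(user)):
        return 400
    salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt.encode(), 100_000)
    user.password = f"pbkdf2_sha256$100000${salt}${digest.hex()}"
    return 200

def change_email(user, new_email):
    """Server-side gate; the UI toast alone is not the control."""
    if not user.has_usable_password():
        return 403
    user.email = new_email
    return 200

def demo():
    user, outbox = User(1, "a@example.test"), []   # constructed sample account
    out = [change_email(user, "b@example.test"), request_set_password(user, outbox)]
    token = outbox[0][2]
    out += [confirm_set_password(user, token, "correct horse battery"),
            confirm_set_password(user, token, "second try"),   # replayed link
            request_set_password(user, outbox), change_email(user, "b@example.test")]
    return out
```

`demo()` walks the flow in order: email change refused, setup email sent, password set, replayed link rejected, second setup request rejected, email change allowed.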

github-actions bot (Contributor) commented Feb 6, 2026

🚀 Preview Environment

Your preview environment is ready!

| Resource | Details |
|---|---|
| 🌐 Preview URL | https://metaculus-pr-4271-feat-2091-password-setup-flow-preview.mtcl.cc |
| 📦 Docker Image | ghcr.io/metaculus/metaculus:feat-2091-password-setup-flow-0f58e45 |
| 🗄️ PostgreSQL | NeonDB branch preview/pr-4271-feat-2091-password-setup-flow |
| Redis | Fly Redis mtc-redis-pr-4271-feat-2091-password-setup-flow |

Details

  • Commit: 3072a78557e4f5cccf6b4121b21e0fd14a3168f8
  • Branch: feat/2091-password-setup-flow
  • Fly App: metaculus-pr-4271-feat-2091-password-setup-flow

ℹ️ Preview Environment Info

Isolation:

  • PostgreSQL and Redis are fully isolated from production
  • Each PR gets its own database branch and Redis instance
  • Changes pushed to this PR will trigger a new deployment

Limitations:

  • Background workers and cron jobs are not deployed in preview environments
  • If you need to test background jobs, use Heroku staging environments

Cleanup:

  • This preview will be automatically destroyed when the PR is closed

hlbmtc (Contributor, Author) commented Feb 6, 2026

@coderabbitai review

coderabbitai bot (Contributor) commented Feb 6, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Development

Successfully merging this pull request may close these issues.

Email/Password Change Flow for Accounts Registered via Social Auth
