From 0fc8683108bc1e7113d79cc6fa926673025218f4 Mon Sep 17 00:00:00 2001
From: Nikita Pekin <nikita@frecency.com>
Date: Mon, 20 Mar 2023 22:41:57 -0400
Subject: [PATCH] Cognito auth 6/7 - add signout (#5867)

---
 .../src/authentication/cognito.ts             | 152 ++++++++++++++-
 .../src/authentication/components/common.tsx  |  16 ++
 .../components/forgotPassword.tsx             |  93 +++++++++
 .../src/authentication/components/login.tsx   |  21 +-
 .../components/registration.tsx               |  17 +-
 .../components/resetPassword.tsx              | 181 ++++++++++++++++++
 .../authentication/components/setUsername.tsx |  23 +--
 .../src/authentication/config.ts              |   2 +-
 .../src/authentication/listen.tsx             |   2 +
 .../src/authentication/providers/auth.tsx     |  38 ++++
 .../src/authentication/providers/session.tsx  |   7 +-
 .../src/authentication/service.tsx            |  74 ++++---
 .../src/authentication/src/components/app.tsx |  14 ++
 .../src/authentication/src/components/svg.tsx |  10 +-
 .../src/dashboard/components/dashboard.tsx    |   2 +
 15 files changed, 584 insertions(+), 68 deletions(-)
 create mode 100644 app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/forgotPassword.tsx
 create mode 100644 app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/resetPassword.tsx

diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/cognito.ts b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/cognito.ts
index cf90a6786a93..6ecb755c3086 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/cognito.ts
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/cognito.ts
@@ -49,10 +49,15 @@ const GITHUB_PROVIDER = 'Github'
 
 const MESSAGES = {
     signInWithPassword: {
-        userNotFound: 'User not found. Please register first.',
+        userNotFound: 'Username not found. Please register first.',
         userNotConfirmed: 'User is not confirmed. Please check your email for a confirmation link.',
         incorrectUsernameOrPassword: 'Incorrect username or password.',
     },
+    forgotPassword: {
+        userNotFound: 'Username not found. Please register first.',
+        userNotConfirmed:
+            'Cannot reset password for user with an unverified email. Please verify your email first.',
+    },
 }
 
 // ====================
@@ -98,6 +103,25 @@ function intoAmplifyErrorOrThrow(error: unknown): AmplifyError {
     }
 }
 
+// =================
+// === AuthError ===
+// =================
+
+/** Object returned by the AWS Amplify library when an auth error occurs. */
+interface AuthError {
+    name: string
+    log: string
+}
+
+/** Hints to TypeScript if we can safely cast an `unknown` error to an `AuthError`. */
+function isAuthError(error: unknown): error is AuthError {
+    if (error && typeof error === 'object') {
+        return 'name' in error && 'log' in error
+    } else {
+        return false
+    }
+}
+
 // ===============
 // === Cognito ===
 // ===============
@@ -107,7 +131,6 @@ function intoAmplifyErrorOrThrow(error: unknown): AmplifyError {
  * The caller can then handle them via pattern matching on the {@link results.Result} type. */
 export class Cognito {
     constructor(
-        // @ts-expect-error This will be used in a future PR.
         private readonly logger: loggerProvider.Logger,
         private readonly platform: platformModule.Platform,
         amplifyConfig: config.AmplifyConfig
@@ -169,6 +192,29 @@ export class Cognito {
         return signInWithPassword(username, password)
     }
 
+    /** Signs out the current user. */
+    signOut() {
+        return signOut(this.logger)
+    }
+
+    /** Sends a password reset email.
+     *
+     * The user will be able to reset their password by following the link in the email, which takes
+     * them to the "reset password" page of the application. The verification code will be filled in
+     * automatically. */
+    forgotPassword(email: string) {
+        return forgotPassword(email)
+    }
+
+    /** Submits a new password for the given email address.
+     *
+     * The user will have received a verification code in an email, which they will have entered on
+     * the "reset password" page of the application. This function will submit the new password
+     * along with the verification code, changing the user's password. */
+    forgotPasswordSubmit(email: string, code: string, password: string) {
+        return forgotPasswordSubmit(email, code, password)
+    }
+
     /** We want to signal to Amplify to fire a "custom state change" event when the user is
      * redirected back to the application after signing in via an external identity provider. This
      * is done so we get a chance to fix the location history. The location history is the history
@@ -294,7 +340,7 @@ const SIGN_UP_USERNAME_EXISTS_ERROR = {
 } as const
 
 const SIGN_UP_INVALID_PARAMETER_ERROR = {
-    internalCode: 'InvalidParameterEx[ception',
+    internalCode: 'InvalidParameterException',
     kind: 'InvalidParameter',
 } as const
 
@@ -428,3 +474,103 @@ function intoSignInWithPasswordErrorOrThrow(error: AmplifyError): SignInWithPass
             throw error
     }
 }
+
+// ======================
+// === ForgotPassword ===
+// ======================
+const FORGOT_PASSWORD_USER_NOT_CONFIRMED_ERROR = {
+    internalCode: 'InvalidParameterException',
+    kind: 'UserNotConfirmed',
+    message:
+        'Cannot reset password for the user as there is no registered/verified email or phone_number',
+} as const
+
+async function forgotPassword(email: string) {
+    return results.Result.wrapAsync(async () => {
+        await amplify.Auth.forgotPassword(email)
+    })
+        .then(result => result.mapErr(intoAmplifyErrorOrThrow))
+        .then(result => result.mapErr(intoForgotPasswordErrorOrThrow))
+}
+
+type ForgotPasswordErrorKind = 'UserNotConfirmed' | 'UserNotFound'
+
+export interface ForgotPasswordError {
+    kind: ForgotPasswordErrorKind
+    message: string
+}
+
+function intoForgotPasswordErrorOrThrow(error: AmplifyError): ForgotPasswordError {
+    if (error.code === 'UserNotFoundException') {
+        return {
+            kind: 'UserNotFound',
+            message: MESSAGES.forgotPassword.userNotFound,
+        }
+    } else if (
+        error.code === FORGOT_PASSWORD_USER_NOT_CONFIRMED_ERROR.internalCode &&
+        error.message === FORGOT_PASSWORD_USER_NOT_CONFIRMED_ERROR.message
+    ) {
+        return {
+            kind: FORGOT_PASSWORD_USER_NOT_CONFIRMED_ERROR.kind,
+            message: MESSAGES.forgotPassword.userNotConfirmed,
+        }
+    } else {
+        throw error
+    }
+}
+
+// ============================
+// === ForgotPasswordSubmit ===
+// ============================
+
+async function forgotPasswordSubmit(email: string, code: string, password: string) {
+    return results.Result.wrapAsync(async () => {
+        await amplify.Auth.forgotPasswordSubmit(email, code, password)
+    }).then(result => result.mapErr(intoForgotPasswordSubmitErrorOrThrow))
+}
+
+type ForgotPasswordSubmitErrorKind = 'AmplifyError' | 'AuthError'
+
+export interface ForgotPasswordSubmitError {
+    kind: ForgotPasswordSubmitErrorKind
+    message: string
+}
+
+function intoForgotPasswordSubmitErrorOrThrow(error: unknown): ForgotPasswordSubmitError {
+    if (isAuthError(error)) {
+        return {
+            kind: 'AuthError',
+            message: error.log,
+        }
+    } else if (isAmplifyError(error)) {
+        return {
+            kind: 'AmplifyError',
+            message: error.message,
+        }
+    } else {
+        throw error
+    }
+}
+
+// ===============
+// === SignOut ===
+// ===============
+
+async function signOut(logger: loggerProvider.Logger) {
+    // FIXME [NP]: https://github.com/enso-org/cloud-v2/issues/341
+    // For some reason, the redirect back to the IDE from the browser doesn't work correctly so this
+    // `await` throws a timeout error. As a workaround, we catch this error and force a refresh of
+    // the session manually by running the `signOut` again. This works because Amplify will see that
+    // we've already signed out and clear the cache accordingly. Ideally we should figure out how
+    // to fix the redirect and remove this `catch`. This has the unintended consequence of catching
+    // any other errors that might occur during sign out, that we really shouldn't be catching. This
+    // also has the unintended consequence of delaying the sign out process by a few seconds (until
+    // the timeout occurs).
+    try {
+        await amplify.Auth.signOut()
+    } catch (error) {
+        logger.error('Sign out failed', error)
+    } finally {
+        await amplify.Auth.signOut()
+    }
+}
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/common.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/common.tsx
index c282a1465ac6..9a8882b81b9e 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/common.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/common.tsx
@@ -8,6 +8,22 @@ import * as fontawesomeIcons from "@fortawesome/free-brands-svg-icons";
 
 import * as icons from "../../components/svg";
 
+// =============
+// === Input ===
+// =============
+
+export function Input(props: React.InputHTMLAttributes<HTMLInputElement>) {
+  return (
+    <input
+      {...props}
+      className={
+        "text-sm sm:text-base placeholder-gray-500 pl-10 pr-4 rounded-lg border border-gray-400 " +
+        "w-full py-2 focus:outline-none focus:border-blue-400"
+      }
+    />
+  );
+}
+
 // ===============
 // === SvgIcon ===
 // ===============
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/forgotPassword.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/forgotPassword.tsx
new file mode 100644
index 000000000000..b83b1d6e84ee
--- /dev/null
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/forgotPassword.tsx
@@ -0,0 +1,93 @@
+/** @file Container responsible for rendering and interactions in first half of forgot password
+ * flow. */
+import * as router from "react-router-dom";
+
+import * as app from "../../components/app";
+import * as auth from "../providers/auth";
+import * as common from "./common";
+import * as hooks from "../../hooks";
+import * as icons from "../../components/svg";
+import * as utils from "../../utils";
+
+// ======================
+// === ForgotPassword ===
+// ======================
+
+function ForgotPassword() {
+  const { forgotPassword } = auth.useAuth();
+
+  const [email, bindEmail] = hooks.useInput("");
+
+  return (
+    <div className="min-h-screen flex flex-col items-center justify-center bg-gray-300">
+      <div
+        className={
+          "flex flex-col bg-white shadow-md px-4 sm:px-6 md:px-8 lg:px-10 py-8 rounded-md w-full " +
+          "max-w-md"
+        }
+      >
+        <div className="font-medium self-center text-xl sm:text-2xl uppercase text-gray-800">
+          Forgot Your Password?
+        </div>
+        <div className="mt-10">
+          <form
+            onSubmit={utils.handleEvent(async () => {
+              await forgotPassword(email);
+            })}
+          >
+            <div className="flex flex-col mb-6">
+              <label
+                htmlFor="email"
+                className="mb-1 text-xs sm:text-sm tracking-wide text-gray-600"
+              >
+                E-Mail Address:
+              </label>
+              <div className="relative">
+                <common.SvgIcon data={icons.PATHS.at} />
+
+                <common.Input
+                  {...bindEmail}
+                  id="email"
+                  type="email"
+                  name="email"
+                  placeholder="E-Mail Address"
+                />
+              </div>
+            </div>
+            <div className="flex w-full">
+              <button
+                type="submit"
+                className={
+                  "flex items-center justify-center focus:outline-none text-white text-sm " +
+                  "sm:text-base bg-blue-600 hover:bg-blue-700 rounded py-2 w-full transition " +
+                  "duration-150 ease-in"
+                }
+              >
+                <span className="mr-2 uppercase">Send link</span>
+                <span>
+                  <icons.Svg data={icons.PATHS.rightArrow} />
+                </span>
+              </button>
+            </div>
+          </form>
+        </div>
+        <div className="flex justify-center items-center mt-6">
+          <router.Link
+            to={app.LOGIN_PATH}
+            className={
+              "inline-flex items-center font-bold text-blue-500 hover:text-blue-700 text-xs " +
+              "text-center"
+            }
+          >
+            <span>
+              <icons.Svg data={icons.PATHS.goBack} />
+            </span>
+            <span className="ml-2">Go back to login</span>
+          </router.Link>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+export default ForgotPassword;
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/login.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/login.tsx
index 1f5f3d4b6f10..faf4f7f72345 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/login.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/login.tsx
@@ -17,10 +17,6 @@ const BUTTON_CLASS_NAME =
   "relative mt-6 border rounded-md py-2 text-sm text-gray-800 " +
   "bg-gray-100 hover:bg-gray-200";
 
-const INPUT_CLASS_NAME =
-  "text-sm sm:text-base placeholder-gray-500 pl-10 pr-4 rounded-lg border " +
-  "border-gray-400 w-full py-2 focus:outline-none focus:border-blue-400";
-
 const LOGIN_QUERY_PARAMS = {
   email: "email",
 } as const;
@@ -87,13 +83,12 @@ function Login() {
               <div className="relative">
                 <common.SvgIcon data={icons.PATHS.at} />
 
-                <input
+                <common.Input
                   {...bindEmail}
                   required={true}
                   id="email"
                   type="email"
                   name="email"
-                  className={INPUT_CLASS_NAME}
                   placeholder="E-Mail Address"
                 />
               </div>
@@ -108,18 +103,28 @@ function Login() {
               <div className="relative">
                 <common.SvgIcon data={icons.PATHS.lock} />
 
-                <input
+                <common.Input
                   {...bindPassword}
                   required={true}
                   id="password"
                   type="password"
                   name="password"
-                  className={INPUT_CLASS_NAME}
                   placeholder="Password"
                 />
               </div>
             </div>
 
+            <div className="flex items-center mb-6 -mt-4">
+              <div className="flex ml-auto">
+                <router.Link
+                  to={app.FORGOT_PASSWORD_PATH}
+                  className="inline-flex text-xs sm:text-sm text-blue-500 hover:text-blue-700"
+                >
+                  Forgot Your Password?
+                </router.Link>
+              </div>
+            </div>
+
             <div className="flex w-full">
               <button
                 type="submit"
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/registration.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/registration.tsx
index ef32bcde5cf4..28354197d91c 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/registration.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/registration.tsx
@@ -9,14 +9,6 @@ import * as hooks from "../../hooks";
 import * as icons from "../../components/svg";
 import * as utils from "../../utils";
 
-// =================
-// === Constants ===
-// =================
-
-const INPUT_CLASS_NAME =
-  "text-sm sm:text-base placeholder-gray-500 pl-10 pr-4 rounded-lg border border-gray-400 w-full " +
-  "py-2 focus:outline-none focus:border-indigo-400";
-
 // ====================
 // === Registration ===
 // ====================
@@ -60,12 +52,11 @@ function Registration() {
             <div className="relative">
               <common.SvgIcon data={icons.PATHS.at} />
 
-              <input
+              <common.Input
                 {...bindEmail}
                 id="email"
                 type="email"
                 name="email"
-                className={INPUT_CLASS_NAME}
                 placeholder="E-Mail Address"
               />
             </div>
@@ -80,12 +71,11 @@ function Registration() {
             <div className="relative">
               <common.SvgIcon data={icons.PATHS.lock} />
 
-              <input
+              <common.Input
                 {...bindPassword}
                 id="password"
                 type="password"
                 name="password"
-                className={INPUT_CLASS_NAME}
                 placeholder="Password"
               />
             </div>
@@ -100,12 +90,11 @@ function Registration() {
             <div className="relative">
               <common.SvgIcon data={icons.PATHS.lock} />
 
-              <input
+              <common.Input
                 {...bindConfirmPassword}
                 id="password_confirmation"
                 type="password"
                 name="password_confirmation"
-                className={INPUT_CLASS_NAME}
                 placeholder="Confirm Password"
               />
             </div>
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/resetPassword.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/resetPassword.tsx
new file mode 100644
index 000000000000..27e7a430dfa2
--- /dev/null
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/resetPassword.tsx
@@ -0,0 +1,181 @@
+/** @file Container responsible for rendering and interactions in second half of forgot password
+ * flow. */
+import * as router from "react-router-dom";
+import toast from "react-hot-toast";
+
+import * as app from "../../components/app";
+import * as auth from "../providers/auth";
+import * as common from "./common";
+import * as hooks from "../../hooks";
+import * as icons from "../../components/svg";
+import * as utils from "../../utils";
+
+// =================
+// === Constants ===
+// =================
+
+const RESET_PASSWORD_QUERY_PARAMS = {
+  email: "email",
+  verificationCode: "verification_code",
+} as const;
+
+// =====================
+// === ResetPassword ===
+// =====================
+
+function ResetPassword() {
+  const { resetPassword } = auth.useAuth();
+  const { search } = router.useLocation();
+
+  const { verificationCode: initialCode, email: initialEmail } =
+    parseUrlSearchParams(search);
+
+  const [email, bindEmail] = hooks.useInput(initialEmail ?? "");
+  const [code, bindCode] = hooks.useInput(initialCode ?? "");
+  const [newPassword, bindNewPassword] = hooks.useInput("");
+  const [newPasswordConfirm, bindNewPasswordConfirm] = hooks.useInput("");
+
+  const handleSubmit = () => {
+    if (newPassword !== newPasswordConfirm) {
+      toast.error("Passwords do not match");
+      return Promise.resolve();
+    } else {
+      return resetPassword(email, code, newPassword);
+    }
+  };
+
+  return (
+    <div className="min-h-screen flex flex-col items-center justify-center bg-gray-300">
+      <div
+        className={
+          "flex flex-col bg-white shadow-md px-4 sm:px-6 md:px-8 lg:px-10 py-8 rounded-md w-full " +
+          "max-w-md"
+        }
+      >
+        <div className="font-medium self-center text-xl sm:text-2xl uppercase text-gray-800">
+          Reset Your Password
+        </div>
+        <div className="mt-10">
+          <form onSubmit={utils.handleEvent(handleSubmit)}>
+            <div className="flex flex-col mb-6">
+              <label
+                htmlFor="email"
+                className="mb-1 text-xs sm:text-sm tracking-wide text-gray-600"
+              >
+                E-Mail Address:
+              </label>
+              <div className="relative">
+                <common.SvgIcon data={icons.PATHS.at} />
+
+                <common.Input
+                  {...bindEmail}
+                  id="email"
+                  type="email"
+                  name="email"
+                  placeholder="E-Mail Address"
+                />
+              </div>
+            </div>
+            <div className="flex flex-col mb-6">
+              <label
+                htmlFor="code"
+                className="mb-1 text-xs sm:text-sm tracking-wide text-gray-600"
+              >
+                Confirmation Code:
+              </label>
+              <div className="relative">
+                <common.SvgIcon data={icons.PATHS.lock} />
+
+                <common.Input
+                  {...bindCode}
+                  id="code"
+                  type="text"
+                  name="code"
+                  placeholder="Confirmation Code"
+                />
+              </div>
+            </div>
+            <div className="flex flex-col mb-6">
+              <label
+                htmlFor="new_password"
+                className="mb-1 text-xs sm:text-sm tracking-wide text-gray-600"
+              >
+                New Password:
+              </label>
+              <div className="relative">
+                <common.SvgIcon data={icons.PATHS.lock} />
+
+                <common.Input
+                  {...bindNewPassword}
+                  id="new_password"
+                  type="password"
+                  name="new_password"
+                  placeholder="New Password"
+                />
+              </div>
+            </div>
+            <div className="flex flex-col mb-6">
+              <label
+                htmlFor="new_password_confirm"
+                className="mb-1 text-xs sm:text-sm tracking-wide text-gray-600"
+              >
+                Confirm New Password:
+              </label>
+              <div className="relative">
+                <common.SvgIcon data={icons.PATHS.lock} />
+
+                <common.Input
+                  {...bindNewPasswordConfirm}
+                  id="new_password_confirm"
+                  type="password"
+                  name="new_password_confirm"
+                  placeholder="Confirm New Password"
+                />
+              </div>
+            </div>
+            <div className="flex w-full">
+              <button
+                type="submit"
+                className={
+                  "flex items-center justify-center focus:outline-none text-white text-sm " +
+                  "sm:text-base bg-blue-600 hover:bg-blue-700 rounded py-2 w-full transition " +
+                  "duration-150 ease-in"
+                }
+              >
+                <span className="mr-2 uppercase">Reset</span>
+                <span>
+                  <icons.Svg data={icons.PATHS.rightArrow} />
+                </span>
+              </button>
+            </div>
+          </form>
+        </div>
+        <div className="flex justify-center items-center mt-6">
+          <router.Link
+            to={app.LOGIN_PATH}
+            className={
+              "inline-flex items-center font-bold text-blue-500 hover:text-blue-700 text-xs " +
+              "text-center"
+            }
+          >
+            <span>
+              <icons.Svg data={icons.PATHS.goBack} />
+            </span>
+            <span className="ml-2">Go back to login</span>
+          </router.Link>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function parseUrlSearchParams(search: string) {
+  const query = new URLSearchParams(search);
+  const verificationCode = query.get(
+    RESET_PASSWORD_QUERY_PARAMS.verificationCode
+  );
+  const email = query.get(RESET_PASSWORD_QUERY_PARAMS.email);
+  return { verificationCode, email };
+}
+
+export default ResetPassword;
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/setUsername.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/setUsername.tsx
index c64b1b0ff3ab..0a8f854a544e 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/setUsername.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/components/setUsername.tsx
@@ -2,6 +2,7 @@
  * registration. */
 
 import * as auth from "../providers/auth";
+import * as common from "./common";
 import * as hooks from "../../hooks";
 import * as icons from "../../components/svg";
 import * as utils from "../../utils";
@@ -18,7 +19,12 @@ function SetUsername() {
 
   return (
     <div className="min-h-screen flex flex-col items-center justify-center bg-gray-300">
-      <div className="flex flex-col bg-white shadow-md px-4 sm:px-6 md:px-8 lg:px-10 py-8 rounded-md w-full max-w-md">
+      <div
+        className={
+          "flex flex-col bg-white shadow-md px-4 sm:px-6 md:px-8 lg:px-10 py-8 rounded-md w-full " +
+          "max-w-md"
+        }
+      >
         <div className="font-medium self-center text-xl sm:text-2xl uppercase text-gray-800">
           Set your username
         </div>
@@ -30,19 +36,13 @@ function SetUsername() {
           >
             <div className="flex flex-col mb-6">
               <div className="relative">
-                <div className="inline-flex items-center justify-center absolute left-0 top-0 h-full w-10 text-gray-400">
-                  <icons.Svg data={icons.PATHS.at} />
-                </div>
+                <common.SvgIcon data={icons.PATHS.at} />
 
-                <input
+                <common.Input
                   {...bindUsername}
                   id="username"
                   type="text"
                   name="username"
-                  className={
-                    "text-sm sm:text-base placeholder-gray-500 pl-10 pr-4 rounded-lg border border-gray-400 " +
-                    "w-full py-2 focus:outline-none focus:border-blue-400"
-                  }
                   placeholder="Username"
                 />
               </div>
@@ -51,8 +51,9 @@ function SetUsername() {
               <button
                 type="submit"
                 className={
-                  "flex items-center justify-center focus:outline-none text-white text-sm sm:text-base bg-blue-600 " +
-                  "hover:bg-blue-700 rounded py-2 w-full transition duration-150 ease-in"
+                  "flex items-center justify-center focus:outline-none text-white text-sm " +
+                  "sm:text-base bg-blue-600 hover:bg-blue-700 rounded py-2 w-full transition " +
+                  "duration-150 ease-in"
                 }
               >
                 <span className="mr-2 uppercase">Set username</span>
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/config.ts b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/config.ts
index 222c677c825e..67c52ecb08b0 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/config.ts
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/config.ts
@@ -86,7 +86,7 @@ export interface AmplifyConfig {
     region: AwsRegion
     userPoolId: UserPoolId
     userPoolWebClientId: UserPoolWebClientId
-    urlOpener?: OAuthUrlOpener
+    urlOpener: OAuthUrlOpener | null
     domain: OAuthDomain
     scope: OAuthScope[]
     redirectSignIn: OAuthRedirect
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/listen.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/listen.tsx
index 81013b78704d..bee9d16cdf50 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/listen.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/listen.tsx
@@ -27,6 +27,8 @@ export enum AuthEvent {
   cognitoHostedUi = "cognitoHostedUI",
   /** Issued when the user completes the sign-in process (via email/password). */
   signIn = "signIn",
+  /** Issued when the user signs out. */
+  signOut = "signOut",
 }
 
 /** Returns `true` if the given `string` is an {@link AuthEvent}. */
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/providers/auth.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/providers/auth.tsx
index f7e3d7aaebae..5a92f373f2ef 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/providers/auth.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/providers/auth.tsx
@@ -23,6 +23,9 @@ const MESSAGES = {
   confirmSignUpSuccess: "Your account has been confirmed! Please log in.",
   setUsernameSuccess: "Your username has been set!",
   signInWithPasswordSuccess: "Successfully logged in!",
+  forgotPasswordSuccess: "We have sent you an email with further instructions!",
+  resetPasswordSuccess: "Successfully reset password!",
+  signOutSuccess: "Successfully logged out!",
   pleaseWait: "Please wait...",
 } as const;
 
@@ -85,6 +88,13 @@ interface AuthContextType {
   signInWithGoogle: () => Promise<void>;
   signInWithGitHub: () => Promise<void>;
   signInWithPassword: (email: string, password: string) => Promise<void>;
+  forgotPassword: (email: string) => Promise<void>;
+  resetPassword: (
+    email: string,
+    code: string,
+    password: string
+  ) => Promise<void>;
+  signOut: () => Promise<void>;
   /** Session containing the currently authenticated user's authentication information.
    *
    * If the user has not signed in, the session will be `null`. */
@@ -258,6 +268,31 @@ export function AuthProvider(props: AuthProviderProps) {
     toast.success(MESSAGES.setUsernameSuccess);
   };
 
+  const forgotPassword = async (email: string) =>
+    cognito.forgotPassword(email).then((result) => {
+      if (result.ok) {
+        toast.success(MESSAGES.forgotPasswordSuccess);
+        navigate(app.RESET_PASSWORD_PATH);
+      } else {
+        toast.error(result.val.message);
+      }
+    });
+
+  const resetPassword = async (email: string, code: string, password: string) =>
+    cognito.forgotPasswordSubmit(email, code, password).then((result) => {
+      if (result.ok) {
+        toast.success(MESSAGES.resetPasswordSuccess);
+        navigate(app.LOGIN_PATH);
+      } else {
+        toast.error(result.val.message);
+      }
+    });
+
+  const signOut = () =>
+    cognito.signOut().then(() => {
+      toast.success(MESSAGES.signOutSuccess);
+    });
+
   const value = {
     signUp: withLoadingToast(signUp),
     confirmSignUp: withLoadingToast(confirmSignUp),
@@ -265,6 +300,9 @@ export function AuthProvider(props: AuthProviderProps) {
     signInWithGoogle: cognito.signInWithGoogle.bind(cognito),
     signInWithGitHub: cognito.signInWithGitHub.bind(cognito),
     signInWithPassword: withLoadingToast(signInWithPassword),
+    forgotPassword: withLoadingToast(forgotPassword),
+    resetPassword: withLoadingToast(resetPassword),
+    signOut,
     session: userSession,
   };
 
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/providers/session.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/providers/session.tsx
index fb012ee42cf7..ef367b0e4bc0 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/providers/session.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/providers/session.tsx
@@ -5,6 +5,7 @@ import * as react from "react";
 import * as results from "ts-results";
 
 import * as cognito from "../cognito";
+import * as error from "../../error";
 import * as hooks from "../../hooks";
 import * as listen from "../listen";
 
@@ -95,7 +96,8 @@ export function SessionProvider(props: SessionProviderProps) {
   react.useEffect(() => {
     const listener: listen.ListenerCallback = (event) => {
       switch (event) {
-        case listen.AuthEvent.signIn: {
+        case listen.AuthEvent.signIn:
+        case listen.AuthEvent.signOut: {
           refreshSession();
           break;
         }
@@ -112,6 +114,9 @@ export function SessionProvider(props: SessionProviderProps) {
           refreshSession();
           break;
         }
+        default: {
+          throw new error.UnreachableCaseError(event);
+        }
       }
     };
 
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/service.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/service.tsx
index a31c91537c5f..42e4fb8e16e5 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/service.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/authentication/service.tsx
@@ -21,9 +21,16 @@ import * as utils from "../utils";
 /** Pathname of the {@link URL} for deep links to the sign in page, after a redirect from a
  * federated identity provider. */
 const SIGN_IN_PATHNAME = "//auth";
+/** Pathname of the {@link URL} for deep links to the sign out page, after a redirect from a
+ * federated identity provider. */
+const SIGN_OUT_PATHNAME = "//auth";
 /** Pathname of the {@link URL} for deep links to the registration confirmation page, after a
  * redirect from an account verification email. */
 const CONFIRM_REGISTRATION_PATHNAME = "//auth/confirmation";
+/** Pathname of the {@link URL} for deep links to the login page, after a redirect from a reset
+ * password email. */
+const LOGIN_PATHNAME = "//auth/login";
+
 /** URL used as the OAuth redirect when running in the desktop app. */
 const DESKTOP_REDIRECT = utils.brand<auth.OAuthRedirect>(
   `${common.DEEP_LINK_SCHEME}://auth`
@@ -127,7 +134,7 @@ function loadAmplifyConfig(
 ): auth.AmplifyConfig {
   /** Load the environment-specific Amplify configuration. */
   const baseConfig = AMPLIFY_CONFIGS[config.ENVIRONMENT];
-  let urlOpener;
+  let urlOpener = null;
   if (platform === platformModule.Platform.desktop) {
     /** If we're running on the desktop, we want to override the default URL opener for OAuth
      * flows.  This is because the default URL opener opens the URL in the desktop app itself,
@@ -148,7 +155,7 @@ function loadAmplifyConfig(
   return {
     ...baseConfig,
     ...platformConfig,
-    ...(urlOpener ? { urlOpener } : {}),
+    urlOpener,
   };
 }
 
@@ -180,31 +187,47 @@ function setDeepLinkHandler(
   const onDeepLink = (url: string) => {
     const parsedUrl = new URL(url);
 
-    if (isConfirmRegistrationRedirect(parsedUrl)) {
-      /** Navigate to a relative URL to handle the confirmation link. */
-      const redirectUrl = `${app.CONFIRM_REGISTRATION_PATH}${parsedUrl.search}`;
-      navigate(redirectUrl);
-    } else if (isSignInRedirect(parsedUrl)) {
-      handleAuthResponse(url);
-    } else {
-      logger.error(`${url} is an unrecognized deep link. Ignoring.`);
+    switch (parsedUrl.pathname) {
+      /** If the user is being redirected after clicking the registration confirmation link in their
+       * email, then the URL will be for the confirmation page path. */
+      case CONFIRM_REGISTRATION_PATHNAME: {
+        const redirectUrl = `${app.CONFIRM_REGISTRATION_PATH}${parsedUrl.search}`;
+        navigate(redirectUrl);
+        break;
+      }
+      /** TODO [NP]: https://github.com/enso-org/cloud-v2/issues/339
+       * Don't use `enso://auth` for both authentication redirect & signout redirect so we don't
+       * have to disambiguate between the two on the `DASHBOARD_PATH`. */
+      case SIGN_OUT_PATHNAME:
+      case SIGN_IN_PATHNAME:
+        /** If the user is being redirected after a sign-out, then no query args will be present. */
+        if (parsedUrl.search === "") {
+          navigate(app.LOGIN_PATH);
+        } else {
+          handleAuthResponse(url);
+        }
+        break;
+      /** If the user is being redirected after finishing the password reset flow, then the URL will
+       * be for the login page. */
+      case LOGIN_PATHNAME:
+        navigate(app.LOGIN_PATH);
+        break;
+      /** If the user is being redirected from a password reset email, then we need to navigate to
+       * the password reset page, with the verification code and email passed in the URL so they can
+       * be filled in automatically. */
+      case app.RESET_PASSWORD_PATH: {
+        const resetPasswordRedirectUrl = `${app.RESET_PASSWORD_PATH}${parsedUrl.search}`;
+        navigate(resetPasswordRedirectUrl);
+        break;
+      }
+      default:
+        logger.error(`${url} is an unrecognized deep link. Ignoring.`);
     }
   };
 
   window.authenticationApi.setDeepLinkHandler(onDeepLink);
 }
 
-/** If the user is being redirected after clicking the registration confirmation link in their
- * email, then the URL will be for the confirmation page path. */
-function isConfirmRegistrationRedirect(url: URL) {
-  return url.pathname === CONFIRM_REGISTRATION_PATHNAME;
-}
-
-/** If the user is being redirected after a sign-out, then query args will be present. */
-function isSignInRedirect(url: URL) {
-  return url.pathname === SIGN_IN_PATHNAME && url.search !== "";
-}
-
 /** When the user is being redirected from a federated identity provider, then we need to pass the
  * URL to the Amplify library, which will parse the URL and complete the OAuth flow. */
 function handleAuthResponse(url: string) {
@@ -225,11 +248,10 @@ function handleAuthResponse(url: string) {
     try {
       /** # Safety
        *
-       * It is safe to disable the `no-unsafe-call` lint here
-       * because we know that the `Auth` object has the `_handleAuthResponse` method, and we
-       * know that it is safe to call it with the `url` argument. There is no way to prove
-       * this to the TypeScript compiler, because these methods are intentionally not part of
-       * the public AWS Amplify API. */
+       * It is safe to disable the `no-unsafe-call` lint here because we know that the `Auth` object
+       * has the `_handleAuthResponse` method, and we know that it is safe to call it with the `url`
+       * argument. There is no way to prove this to the TypeScript compiler, because these methods
+       * are intentionally not part of the public AWS Amplify API. */
       // @ts-expect-error `_handleAuthResponse` is a private method without typings.
       // eslint-disable-next-line @typescript-eslint/no-unsafe-call
       await amplify.Auth._handleAuthResponse(url);
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/components/app.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/components/app.tsx
index 55daafebee75..ae1746f56438 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/components/app.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/components/app.tsx
@@ -45,8 +45,10 @@ import * as platformModule from "../platform";
 import * as session from "../authentication/providers/session";
 import ConfirmRegistration from "../authentication/components/confirmRegistration";
 import Dashboard from "../dashboard/components/dashboard";
+import ForgotPassword from "../authentication/components/forgotPassword";
 import Login from "../authentication/components/login";
 import Registration from "../authentication/components/registration";
+import ResetPassword from "../authentication/components/resetPassword";
 import SetUsername from "../authentication/components/setUsername";
 
 // =================
@@ -61,6 +63,10 @@ export const LOGIN_PATH = "/login";
 export const REGISTRATION_PATH = "/registration";
 /** Path to the confirm registration page. */
 export const CONFIRM_REGISTRATION_PATH = "/confirmation";
+/** Path to the forgot password page. */
+export const FORGOT_PASSWORD_PATH = "/forgot-password";
+/** Path to the reset password page. */
+export const RESET_PASSWORD_PATH = "/password-reset";
 /** Path to the set username page. */
 export const SET_USERNAME_PATH = "/set-username";
 
@@ -157,6 +163,14 @@ function AppRouter(props: AppProps) {
                 path={CONFIRM_REGISTRATION_PATH}
                 element={<ConfirmRegistration />}
               />
+              <router.Route
+                path={FORGOT_PASSWORD_PATH}
+                element={<ForgotPassword />}
+              />
+              <router.Route
+                path={RESET_PASSWORD_PATH}
+                element={<ResetPassword />}
+              />
             </react.Fragment>
           </router.Routes>
         </authProvider.AuthProvider>
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/components/svg.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/components/svg.tsx
index c9457284f89a..cb36cc1c26b6 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/components/svg.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/components/svg.tsx
@@ -11,11 +11,13 @@
 /** Path data for the SVG icons used in app. */
 export const PATHS = {
   /** Path data for the `@` icon SVG. */
-  at: `M16 12a4 4 0 10-8 0 4 4 0 008 0zm0 0v1.5a2.5 2.5 0 005 0V12a9 9 0 10-9 9m4.5-1.206a8.959 \
-8.959 0 01-4.5 1.207`,
+  at:
+    "M16 12a4 4 0 10-8 0 4 4 0 008 0zm0 0v1.5a2.5 2.5 0 005 0V12a9 9 0 10-9 9m4.5-1.206a8.959 " +
+    "8.959 0 01-4.5 1.207",
   /** Path data for the lock icon SVG. */
-  lock: `M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 \
-0 00-8 0v4h8z`,
+  lock:
+    "M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 " +
+    "0 00-8 0v4h8z",
   /** Path data for the "right arrow" icon SVG. */
   rightArrow: "M13 9l3 3m0 0l-3 3m3-3H8m13 0a9 9 0 11-18 0 9 9 0 0118 0z",
   /** Path data for the "create account" icon SVG. */
diff --git a/app/ide-desktop/lib/dashboard/src/authentication/src/dashboard/components/dashboard.tsx b/app/ide-desktop/lib/dashboard/src/authentication/src/dashboard/components/dashboard.tsx
index 424968b36f1f..50f86469b2c7 100644
--- a/app/ide-desktop/lib/dashboard/src/authentication/src/dashboard/components/dashboard.tsx
+++ b/app/ide-desktop/lib/dashboard/src/authentication/src/dashboard/components/dashboard.tsx
@@ -8,11 +8,13 @@ import * as auth from "../../authentication/providers/auth";
 // =================
 
 function Dashboard() {
+  const { signOut } = auth.useAuth();
   const { accessToken } = auth.useFullUserSession();
   return (
     <>
       <h1>This is a placeholder page for the cloud dashboard.</h1>
       <p>Access token: {accessToken}</p>
+      <button onClick={signOut}>Log out</button>
     </>
   );
 }