feat: updated the html template

Restructure Validate nil check, rename expectErr to fail with
early-return, trim trailing newlines in test assertions, remove
t.Parallel from subtests, inline short config literals, restore
struct field comments in web.Config.

cmd/community/server.go

@@ -75,7 +75,7 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 		},
 		signoz.NewEmailingProviderFactories(),
 		signoz.NewCacheProviderFactories(),
-		signoz.NewWebProviderFactories(),
+		signoz.NewWebProviderFactories(config.Global),
 		func(sqlstore sqlstore.SQLStore) factory.NamedMap[factory.ProviderFactory[sqlschema.SQLSchema, sqlschema.Config]] {
 			return signoz.NewSQLSchemaProviderFactories(sqlstore)
 		},

cmd/enterprise/server.go

@@ -96,7 +96,7 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 		},
 		signoz.NewEmailingProviderFactories(),
 		signoz.NewCacheProviderFactories(),
-		signoz.NewWebProviderFactories(),
+		signoz.NewWebProviderFactories(config.Global),
 		func(sqlstore sqlstore.SQLStore) factory.NamedMap[factory.ProviderFactory[sqlschema.SQLSchema, sqlschema.Config]] {
 			existingFactories := signoz.NewSQLSchemaProviderFactories(sqlstore)
 			if err := existingFactories.Add(postgressqlschema.NewFactory(sqlstore)); err != nil {

conf/example.yaml

@@ -6,6 +6,8 @@
 ##################### Global #####################
 global:
   # the url under which the signoz apiserver is externally reachable.
+  # the path component (e.g. /signoz in https://example.com/signoz) is used
+  # as the base path for all HTTP routes (both API and web frontend).
   external_url: <unset>
   # the url where the SigNoz backend receives telemetry data (traces, metrics, logs) from instrumented applications.
   ingestion_url: <unset>
@@ -50,8 +52,8 @@ pprof:
 web:
   # Whether to enable the web frontend
   enabled: true
-  # The prefix to serve web on
-  prefix: /
+  # The index file to use as the SPA entrypoint.
+  index: index.html
   # The directory containing the static build files.
   directory: /etc/signoz/web
 

docs/api/openapi.yml

@@ -3892,6 +3892,8 @@ components:
           type: string
         oldPassword:
           type: string
+        userId:
+          type: string
       type: object
     TypesDeprecatedUser:
       properties:
@@ -4270,6 +4272,63 @@ paths:
       summary: Get resources
       tags:
       - authz
+  /api/v1/changePassword/{id}:
+    post:
+      deprecated: false
+      description: This endpoint changes the password by id
+      operationId: ChangePassword
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TypesChangePasswordRequest'
+      responses:
+        "204":
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Change password
+      tags:
+      - users
   /api/v1/channels:
     get:
       deprecated: false
@@ -6009,9 +6068,9 @@ paths:
       - fields
   /api/v1/getResetPasswordToken/{id}:
     get:
-      deprecated: true
+      deprecated: false
       description: This endpoint returns the reset password token by id
-      operationId: GetResetPasswordTokenDeprecated
+      operationId: GetResetPasswordToken
       parameters:
       - in: path
         name: id
@@ -10835,129 +10894,6 @@ paths:
       summary: Update user v2
       tags:
       - users
-  /api/v2/users/{id}/reset_password_tokens:
-    get:
-      deprecated: false
-      description: This endpoint returns the existing reset password token for a user.
-      operationId: GetResetPasswordToken
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/TypesResetPasswordToken'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Get reset password token for a user
-      tags:
-      - users
-    put:
-      deprecated: false
-      description: This endpoint creates or regenerates a reset password token for
-        a user. If a valid token exists, it is returned. If expired, a new one is
-        created.
-      operationId: CreateResetPasswordToken
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "201":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/TypesResetPasswordToken'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: Created
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Create or regenerate reset password token for a user
-      tags:
-      - users
   /api/v2/users/{id}/roles:
     get:
       deprecated: false
@@ -11198,57 +11134,6 @@ paths:
       summary: Update my user v2
       tags:
       - users
-  /api/v2/users/me/factor_password:
-    put:
-      deprecated: false
-      description: This endpoint updates the password of the user I belong to
-      operationId: UpdateMyPassword
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/TypesChangePasswordRequest'
-      responses:
-        "204":
-          description: No Content
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Updates my password
-      tags:
-      - users
   /api/v2/zeus/hosts:
     get:
       deprecated: false

ee/query-service/app/server.go

@@ -262,6 +262,20 @@ func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*h
 		return nil, err
 	}
 
+	routePrefix := s.config.Global.ExternalPath()
+	if routePrefix != "" {
+		prefixed := http.StripPrefix(routePrefix, handler)
+		handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			switch req.URL.Path {
+			case "/api/v1/health", "/api/v2/healthz", "/api/v2/readyz", "/api/v2/livez":
+				r.ServeHTTP(w, req)
+				return
+			}
+
+			prefixed.ServeHTTP(w, req)
+		})
+	}
+
 	return &http.Server{
 		Handler: handler,
 	}, nil

frontend/.gitignore

@@ -28,4 +28,7 @@ e2e/test-plan/saved-views/
 e2e/test-plan/service-map/
 e2e/test-plan/services/
 e2e/test-plan/traces/
-e2e/test-plan/user-preferences/
+e2e/test-plan/user-preferences/
+
+# Generated by `vite build` — do not commit
+index.html.gotmpl

frontend/index.html

@@ -2,6 +2,7 @@
 <html lang="en">
 	<head>
 		<meta charset="utf-8" />
+		<base href="[[.BaseHref]]" />
 		<meta
 			http-equiv="Cache-Control"
 			content="no-cache, no-store, must-revalidate, max-age: 0"
@@ -59,7 +60,7 @@
 		<meta data-react-helmet="true" name="docusaurus_locale" content="en" />
 		<meta data-react-helmet="true" name="docusaurus_tag" content="default" />
 		<meta name="robots" content="noindex" />
-		<link data-react-helmet="true" rel="shortcut icon" href="/favicon.ico" />
+		<link data-react-helmet="true" rel="shortcut icon" href="favicon.ico" />
 	</head>
 	<body data-theme="default">
 		<noscript>You need to enable JavaScript to run this app.</noscript>
@@ -113,7 +114,7 @@
 				})(document, 'script');
 			}
 		</script>
-		<link rel="stylesheet" href="/css/uPlot.min.css" />
+		<link rel="stylesheet" href="css/uPlot.min.css" />
 		<script type="module" src="./src/index.tsx"></script>
 	</body>
 </html>

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -4837,6 +4837,10 @@ export interface TypesChangePasswordRequestDTO {
 	 * @type string
 	 */
 	oldPassword?: string;
+	/**
+	 * @type string
+	 */
+	userId?: string;
 }
 
 export interface TypesDeprecatedUserDTO {
@@ -5200,6 +5204,9 @@ export type AuthzResources200 = {
 	status: string;
 };
 
+export type ChangePasswordPathParameters = {
+	id: string;
+};
 export type ListChannels200 = {
 	/**
 	 * @type array
@@ -5597,10 +5604,10 @@ export type GetFieldsValues200 = {
 	status: string;
 };
 
-export type GetResetPasswordTokenDeprecatedPathParameters = {
+export type GetResetPasswordTokenPathParameters = {
 	id: string;
 };
-export type GetResetPasswordTokenDeprecated200 = {
+export type GetResetPasswordToken200 = {
 	data: TypesResetPasswordTokenDTO;
 	/**
 	 * @type string
@@ -6572,28 +6579,6 @@ export type GetUser200 = {
 export type UpdateUserPathParameters = {
 	id: string;
 };
-export type GetResetPasswordTokenPathParameters = {
-	id: string;
-};
-export type GetResetPasswordToken200 = {
-	data: TypesResetPasswordTokenDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type CreateResetPasswordTokenPathParameters = {
-	id: string;
-};
-export type CreateResetPasswordToken201 = {
-	data: TypesResetPasswordTokenDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
 export type GetRolesByUserIDPathParameters = {
 	id: string;
 };

frontend/src/api/generated/services/users/index.ts

@@ -20,15 +20,12 @@ import { useMutation, useQuery } from 'react-query';
 import type { BodyType, ErrorType } from '../../../generatedAPIInstance';
 import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
 import type {
+	ChangePasswordPathParameters,
 	CreateInvite201,
-	CreateResetPasswordToken201,
-	CreateResetPasswordTokenPathParameters,
 	DeleteUserPathParameters,
 	GetMyUser200,
 	GetMyUserDeprecated200,
 	GetResetPasswordToken200,
-	GetResetPasswordTokenDeprecated200,
-	GetResetPasswordTokenDeprecatedPathParameters,
 	GetResetPasswordTokenPathParameters,
 	GetRolesByUserID200,
 	GetRolesByUserIDPathParameters,
@@ -57,35 +54,133 @@ import type {
 } from '../sigNoz.schemas';
 
 /**
- * This endpoint returns the reset password token by id
- * @deprecated
- * @summary Get reset password token
+ * This endpoint changes the password by id
+ * @summary Change password
  */
-export const getResetPasswordTokenDeprecated = (
-	{ id }: GetResetPasswordTokenDeprecatedPathParameters,
+export const changePassword = (
+	{ id }: ChangePasswordPathParameters,
+	typesChangePasswordRequestDTO: BodyType<TypesChangePasswordRequestDTO>,
 	signal?: AbortSignal,
 ) => {
-	return GeneratedAPIInstance<GetResetPasswordTokenDeprecated200>({
+	return GeneratedAPIInstance<void>({
+		url: `/api/v1/changePassword/${id}`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: typesChangePasswordRequestDTO,
+		signal,
+	});
+};
+
+export const getChangePasswordMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof changePassword>>,
+		TError,
+		{
+			pathParams: ChangePasswordPathParameters;
+			data: BodyType<TypesChangePasswordRequestDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof changePassword>>,
+	TError,
+	{
+		pathParams: ChangePasswordPathParameters;
+		data: BodyType<TypesChangePasswordRequestDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['changePassword'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof changePassword>>,
+		{
+			pathParams: ChangePasswordPathParameters;
+			data: BodyType<TypesChangePasswordRequestDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return changePassword(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type ChangePasswordMutationResult = NonNullable<
+	Awaited<ReturnType<typeof changePassword>>
+>;
+export type ChangePasswordMutationBody = BodyType<TypesChangePasswordRequestDTO>;
+export type ChangePasswordMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Change password
+ */
+export const useChangePassword = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof changePassword>>,
+		TError,
+		{
+			pathParams: ChangePasswordPathParameters;
+			data: BodyType<TypesChangePasswordRequestDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof changePassword>>,
+	TError,
+	{
+		pathParams: ChangePasswordPathParameters;
+		data: BodyType<TypesChangePasswordRequestDTO>;
+	},
+	TContext
+> => {
+	const mutationOptions = getChangePasswordMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint returns the reset password token by id
+ * @summary Get reset password token
+ */
+export const getResetPasswordToken = (
+	{ id }: GetResetPasswordTokenPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetResetPasswordToken200>({
 		url: `/api/v1/getResetPasswordToken/${id}`,
 		method: 'GET',
 		signal,
 	});
 };
 
-export const getGetResetPasswordTokenDeprecatedQueryKey = ({
+export const getGetResetPasswordTokenQueryKey = ({
 	id,
-}: GetResetPasswordTokenDeprecatedPathParameters) => {
+}: GetResetPasswordTokenPathParameters) => {
 	return [`/api/v1/getResetPasswordToken/${id}`] as const;
 };
 
-export const getGetResetPasswordTokenDeprecatedQueryOptions = <
-	TData = Awaited<ReturnType<typeof getResetPasswordTokenDeprecated>>,
+export const getGetResetPasswordTokenQueryOptions = <
+	TData = Awaited<ReturnType<typeof getResetPasswordToken>>,
 	TError = ErrorType<RenderErrorResponseDTO>
 >(
-	{ id }: GetResetPasswordTokenDeprecatedPathParameters,
+	{ id }: GetResetPasswordTokenPathParameters,
 	options?: {
 		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getResetPasswordTokenDeprecated>>,
+			Awaited<ReturnType<typeof getResetPasswordToken>>,
 			TError,
 			TData
 		>;
@@ -94,11 +189,11 @@ export const getGetResetPasswordTokenDeprecatedQueryOptions = <
 	const { query: queryOptions } = options ?? {};
 
 	const queryKey =
-		queryOptions?.queryKey ?? getGetResetPasswordTokenDeprecatedQueryKey({ id });
+		queryOptions?.queryKey ?? getGetResetPasswordTokenQueryKey({ id });
 
 	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof getResetPasswordTokenDeprecated>>
-	> = ({ signal }) => getResetPasswordTokenDeprecated({ id }, signal);
+		Awaited<ReturnType<typeof getResetPasswordToken>>
+	> = ({ signal }) => getResetPasswordToken({ id }, signal);
 
 	return {
 		queryKey,
@@ -106,39 +201,35 @@ export const getGetResetPasswordTokenDeprecatedQueryOptions = <
 		enabled: !!id,
 		...queryOptions,
 	} as UseQueryOptions<
-		Awaited<ReturnType<typeof getResetPasswordTokenDeprecated>>,
+		Awaited<ReturnType<typeof getResetPasswordToken>>,
 		TError,
 		TData
 	> & { queryKey: QueryKey };
 };
 
-export type GetResetPasswordTokenDeprecatedQueryResult = NonNullable<
-	Awaited<ReturnType<typeof getResetPasswordTokenDeprecated>>
+export type GetResetPasswordTokenQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getResetPasswordToken>>
 >;
-export type GetResetPasswordTokenDeprecatedQueryError = ErrorType<RenderErrorResponseDTO>;
+export type GetResetPasswordTokenQueryError = ErrorType<RenderErrorResponseDTO>;
 
 /**
- * @deprecated
  * @summary Get reset password token
  */
 
-export function useGetResetPasswordTokenDeprecated<
-	TData = Awaited<ReturnType<typeof getResetPasswordTokenDeprecated>>,
+export function useGetResetPasswordToken<
+	TData = Awaited<ReturnType<typeof getResetPasswordToken>>,
 	TError = ErrorType<RenderErrorResponseDTO>
 >(
-	{ id }: GetResetPasswordTokenDeprecatedPathParameters,
+	{ id }: GetResetPasswordTokenPathParameters,
 	options?: {
 		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getResetPasswordTokenDeprecated>>,
+			Awaited<ReturnType<typeof getResetPasswordToken>>,
 			TError,
 			TData
 		>;
 	},
 ): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getGetResetPasswordTokenDeprecatedQueryOptions(
-		{ id },
-		options,
-	);
+	const queryOptions = getGetResetPasswordTokenQueryOptions({ id }, options);
 
 	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
 		queryKey: QueryKey;
@@ -150,16 +241,15 @@ export function useGetResetPasswordTokenDeprecated<
 }
 
 /**
- * @deprecated
  * @summary Get reset password token
  */
-export const invalidateGetResetPasswordTokenDeprecated = async (
+export const invalidateGetResetPasswordToken = async (
 	queryClient: QueryClient,
-	{ id }: GetResetPasswordTokenDeprecatedPathParameters,
+	{ id }: GetResetPasswordTokenPathParameters,
 	options?: InvalidateOptions,
 ): Promise<QueryClient> => {
 	await queryClient.invalidateQueries(
-		{ queryKey: getGetResetPasswordTokenDeprecatedQueryKey({ id }) },
+		{ queryKey: getGetResetPasswordTokenQueryKey({ id }) },
 		options,
 	);
 
@@ -1317,189 +1407,6 @@ export const useUpdateUser = <
 
 	return useMutation(mutationOptions);
 };
-/**
- * This endpoint returns the existing reset password token for a user.
- * @summary Get reset password token for a user
- */
-export const getResetPasswordToken = (
-	{ id }: GetResetPasswordTokenPathParameters,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<GetResetPasswordToken200>({
-		url: `/api/v2/users/${id}/reset_password_tokens`,
-		method: 'GET',
-		signal,
-	});
-};
-
-export const getGetResetPasswordTokenQueryKey = ({
-	id,
-}: GetResetPasswordTokenPathParameters) => {
-	return [`/api/v2/users/${id}/reset_password_tokens`] as const;
-};
-
-export const getGetResetPasswordTokenQueryOptions = <
-	TData = Awaited<ReturnType<typeof getResetPasswordToken>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(
-	{ id }: GetResetPasswordTokenPathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getResetPasswordToken>>,
-			TError,
-			TData
-		>;
-	},
-) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey =
-		queryOptions?.queryKey ?? getGetResetPasswordTokenQueryKey({ id });
-
-	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof getResetPasswordToken>>
-	> = ({ signal }) => getResetPasswordToken({ id }, signal);
-
-	return {
-		queryKey,
-		queryFn,
-		enabled: !!id,
-		...queryOptions,
-	} as UseQueryOptions<
-		Awaited<ReturnType<typeof getResetPasswordToken>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type GetResetPasswordTokenQueryResult = NonNullable<
-	Awaited<ReturnType<typeof getResetPasswordToken>>
->;
-export type GetResetPasswordTokenQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Get reset password token for a user
- */
-
-export function useGetResetPasswordToken<
-	TData = Awaited<ReturnType<typeof getResetPasswordToken>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(
-	{ id }: GetResetPasswordTokenPathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getResetPasswordToken>>,
-			TError,
-			TData
-		>;
-	},
-): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getGetResetPasswordTokenQueryOptions({ id }, options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary Get reset password token for a user
- */
-export const invalidateGetResetPasswordToken = async (
-	queryClient: QueryClient,
-	{ id }: GetResetPasswordTokenPathParameters,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getGetResetPasswordTokenQueryKey({ id }) },
-		options,
-	);
-
-	return queryClient;
-};
-
-/**
- * This endpoint creates or regenerates a reset password token for a user. If a valid token exists, it is returned. If expired, a new one is created.
- * @summary Create or regenerate reset password token for a user
- */
-export const createResetPasswordToken = ({
-	id,
-}: CreateResetPasswordTokenPathParameters) => {
-	return GeneratedAPIInstance<CreateResetPasswordToken201>({
-		url: `/api/v2/users/${id}/reset_password_tokens`,
-		method: 'PUT',
-	});
-};
-
-export const getCreateResetPasswordTokenMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createResetPasswordToken>>,
-		TError,
-		{ pathParams: CreateResetPasswordTokenPathParameters },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof createResetPasswordToken>>,
-	TError,
-	{ pathParams: CreateResetPasswordTokenPathParameters },
-	TContext
-> => {
-	const mutationKey = ['createResetPasswordToken'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof createResetPasswordToken>>,
-		{ pathParams: CreateResetPasswordTokenPathParameters }
-	> = (props) => {
-		const { pathParams } = props ?? {};
-
-		return createResetPasswordToken(pathParams);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type CreateResetPasswordTokenMutationResult = NonNullable<
-	Awaited<ReturnType<typeof createResetPasswordToken>>
->;
-
-export type CreateResetPasswordTokenMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Create or regenerate reset password token for a user
- */
-export const useCreateResetPasswordToken = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createResetPasswordToken>>,
-		TError,
-		{ pathParams: CreateResetPasswordTokenPathParameters },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof createResetPasswordToken>>,
-	TError,
-	{ pathParams: CreateResetPasswordTokenPathParameters },
-	TContext
-> => {
-	const mutationOptions = getCreateResetPasswordTokenMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
 /**
  * This endpoint returns the user roles by user id
  * @summary Get user roles
@@ -1943,84 +1850,3 @@ export const useUpdateMyUserV2 = <
 
 	return useMutation(mutationOptions);
 };
-/**
- * This endpoint updates the password of the user I belong to
- * @summary Updates my password
- */
-export const updateMyPassword = (
-	typesChangePasswordRequestDTO: BodyType<TypesChangePasswordRequestDTO>,
-) => {
-	return GeneratedAPIInstance<void>({
-		url: `/api/v2/users/me/factor_password`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: typesChangePasswordRequestDTO,
-	});
-};
-
-export const getUpdateMyPasswordMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateMyPassword>>,
-		TError,
-		{ data: BodyType<TypesChangePasswordRequestDTO> },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateMyPassword>>,
-	TError,
-	{ data: BodyType<TypesChangePasswordRequestDTO> },
-	TContext
-> => {
-	const mutationKey = ['updateMyPassword'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateMyPassword>>,
-		{ data: BodyType<TypesChangePasswordRequestDTO> }
-	> = (props) => {
-		const { data } = props ?? {};
-
-		return updateMyPassword(data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateMyPasswordMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateMyPassword>>
->;
-export type UpdateMyPasswordMutationBody = BodyType<TypesChangePasswordRequestDTO>;
-export type UpdateMyPasswordMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Updates my password
- */
-export const useUpdateMyPassword = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateMyPassword>>,
-		TError,
-		{ data: BodyType<TypesChangePasswordRequestDTO> },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateMyPassword>>,
-	TError,
-	{ data: BodyType<TypesChangePasswordRequestDTO> },
-	TContext
-> => {
-	const mutationOptions = getUpdateMyPasswordMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};

frontend/src/api/generatedAPIInstance.ts

@@ -1,5 +1,6 @@
 import {
 	interceptorRejected,
+	interceptorsRequestBasePath,
 	interceptorsRequestResponse,
 	interceptorsResponse,
 } from 'api';
@@ -17,6 +18,7 @@ export const GeneratedAPIInstance = <T>(
 	return generatedAPIAxiosInstance({ ...config }).then(({ data }) => data);
 };
 
+generatedAPIAxiosInstance.interceptors.request.use(interceptorsRequestBasePath);
 generatedAPIAxiosInstance.interceptors.request.use(interceptorsRequestResponse);
 generatedAPIAxiosInstance.interceptors.response.use(
 	interceptorsResponse,

frontend/src/api/index.ts

@@ -11,6 +11,7 @@ import axios, {
 import { ENVIRONMENT } from 'constants/env';
 import { Events } from 'constants/events';
 import { LOCALSTORAGE } from 'constants/localStorage';
+import { getBasePath } from 'utils/getBasePath';
 import { eventEmitter } from 'utils/getEventEmitter';
 
 import apiV1, { apiAlertManager, apiV2, apiV3, apiV4, apiV5 } from './apiV1';
@@ -67,6 +68,34 @@ export const interceptorsRequestResponse = (
 	return value;
 };
 
+// Prepends the runtime base path to outgoing requests so API calls work under
+// a URL prefix (e.g. /signoz/api/v1/…). No-op for root deployments and dev
+// (dev baseURL is a full http:// URL, not an absolute path).
+export const interceptorsRequestBasePath = (
+	value: InternalAxiosRequestConfig,
+): InternalAxiosRequestConfig => {
+	const basePath = getBasePath();
+	if (basePath === '/') {
+		return value;
+	}
+
+	if (value.baseURL?.startsWith('/')) {
+		// Relative baseURL: '/api/v1/' → '/signoz/api/v1/'
+		value.baseURL = basePath + value.baseURL.slice(1);
+	} else if (value.baseURL?.startsWith('http')) {
+		// Absolute baseURL (e.g. VITE_FRONTEND_API_ENDPOINT set for dev/testing):
+		// 'https://host/api/v1/' → 'https://host/signoz/api/v1/'
+		const url = new URL(value.baseURL);
+		url.pathname = basePath + url.pathname.slice(1);
+		value.baseURL = url.toString();
+	} else if (!value.baseURL && value.url?.startsWith('/')) {
+		// Generated instance: baseURL is '' in prod, path is in url
+		value.url = basePath + value.url.slice(1);
+	}
+
+	return value;
+};
+
 export const interceptorRejected = async (
 	value: AxiosResponse<any>,
 ): Promise<AxiosResponse<any>> => {
@@ -133,6 +162,7 @@ const instance = axios.create({
 });
 
 instance.interceptors.request.use(interceptorsRequestResponse);
+instance.interceptors.request.use(interceptorsRequestBasePath);
 instance.interceptors.response.use(interceptorsResponse, interceptorRejected);
 
 export const AxiosAlertManagerInstance = axios.create({
@@ -147,6 +177,7 @@ ApiV2Instance.interceptors.response.use(
 	interceptorRejected,
 );
 ApiV2Instance.interceptors.request.use(interceptorsRequestResponse);
+ApiV2Instance.interceptors.request.use(interceptorsRequestBasePath);
 
 // axios V3
 export const ApiV3Instance = axios.create({
@@ -158,6 +189,7 @@ ApiV3Instance.interceptors.response.use(
 	interceptorRejected,
 );
 ApiV3Instance.interceptors.request.use(interceptorsRequestResponse);
+ApiV3Instance.interceptors.request.use(interceptorsRequestBasePath);
 //
 
 // axios V4
@@ -170,6 +202,7 @@ ApiV4Instance.interceptors.response.use(
 	interceptorRejected,
 );
 ApiV4Instance.interceptors.request.use(interceptorsRequestResponse);
+ApiV4Instance.interceptors.request.use(interceptorsRequestBasePath);
 //
 
 // axios V5
@@ -182,6 +215,7 @@ ApiV5Instance.interceptors.response.use(
 	interceptorRejected,
 );
 ApiV5Instance.interceptors.request.use(interceptorsRequestResponse);
+ApiV5Instance.interceptors.request.use(interceptorsRequestBasePath);
 //
 
 // axios Base
@@ -194,6 +228,7 @@ LogEventAxiosInstance.interceptors.response.use(
 	interceptorRejectedBase,
 );
 LogEventAxiosInstance.interceptors.request.use(interceptorsRequestResponse);
+LogEventAxiosInstance.interceptors.request.use(interceptorsRequestBasePath);
 //
 
 AxiosAlertManagerInstance.interceptors.response.use(
@@ -201,6 +236,7 @@ AxiosAlertManagerInstance.interceptors.response.use(
 	interceptorRejected,
 );
 AxiosAlertManagerInstance.interceptors.request.use(interceptorsRequestResponse);
+AxiosAlertManagerInstance.interceptors.request.use(interceptorsRequestBasePath);
 
 export { apiV1 };
 export default instance;

frontend/src/api/v1/factor_password/changeMyPassword.ts

@@ -0,0 +1,27 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import { PayloadProps, Props } from 'types/api/user/changeMyPassword';
+
+const changeMyPassword = async (
+	props: Props,
+): Promise<SuccessResponseV2<PayloadProps>> => {
+	try {
+		const response = await axios.post<PayloadProps>(
+			`/changePassword/${props.userId}`,
+			{
+				...props,
+			},
+		);
+
+		return {
+			httpStatusCode: response.status,
+			data: response.data,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default changeMyPassword;

frontend/src/api/v1/factor_password/getResetPasswordToken.ts

@@ -0,0 +1,28 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import {
+	GetResetPasswordToken,
+	PayloadProps,
+	Props,
+} from 'types/api/user/getResetPasswordToken';
+
+const getResetPasswordToken = async (
+	props: Props,
+): Promise<SuccessResponseV2<GetResetPasswordToken>> => {
+	try {
+		const response = await axios.get<PayloadProps>(
+			`/getResetPasswordToken/${props.userId}`,
+		);
+
+		return {
+			httpStatusCode: response.status,
+			data: response.data.data,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default getResetPasswordToken;

frontend/src/components/EditMemberDrawer/EditMemberDrawer.tsx

@@ -10,9 +10,8 @@ import { Skeleton, Tooltip } from 'antd';
 import { convertToApiError } from 'api/ErrorResponseHandlerForGeneratedAPIs';
 import type { RenderErrorResponseDTO } from 'api/generated/services/sigNoz.schemas';
 import {
-	useCreateResetPasswordToken,
+	getResetPasswordToken,
 	useDeleteUser,
-	useGetResetPasswordToken,
 	useGetUser,
 	useUpdateMyUserV2,
 	useUpdateUser,
@@ -56,27 +55,6 @@ function getDeleteTooltip(
 	return undefined;
 }
 
-function getInviteButtonLabel(
-	isLoading: boolean,
-	existingToken: { expiresAt?: Date } | undefined,
-	isExpired: boolean,
-	notFound: boolean,
-): string {
-	if (isLoading) {
-		return 'Checking invite...';
-	}
-	if (existingToken && !isExpired) {
-		return 'Copy Invite Link';
-	}
-	if (isExpired) {
-		return 'Regenerate Invite Link';
-	}
-	if (notFound) {
-		return 'Generate Invite Link';
-	}
-	return 'Copy Invite Link';
-}
-
 function toSaveApiError(err: unknown): APIError {
 	return (
 		convertToApiError(err as AxiosError<RenderErrorResponseDTO>) ??
@@ -105,11 +83,9 @@ function EditMemberDrawer({
 	const [localRole, setLocalRole] = useState('');
 	const [isSaving, setIsSaving] = useState(false);
 	const [saveErrors, setSaveErrors] = useState<SaveError[]>([]);
+	const [isGeneratingLink, setIsGeneratingLink] = useState(false);
 	const [showDeleteConfirm, setShowDeleteConfirm] = useState(false);
 	const [resetLink, setResetLink] = useState<string | null>(null);
-	const [resetLinkExpiresAt, setResetLinkExpiresAt] = useState<string | null>(
-		null,
-	);
 	const [showResetLinkDialog, setShowResetLinkDialog] = useState(false);
 	const [hasCopiedResetLink, setHasCopiedResetLink] = useState(false);
 	const [linkType, setLinkType] = useState<'invite' | 'reset' | null>(null);
@@ -145,27 +121,6 @@ function EditMemberDrawer({
 		applyDiff,
 	} = useMemberRoleManager(member?.id ?? '', open && !!member?.id);
 
-	// Token status query for invited users
-	const {
-		data: tokenQueryData,
-		isLoading: isLoadingTokenStatus,
-		isError: tokenNotFound,
-	} = useGetResetPasswordToken(
-		{ id: member?.id ?? '' },
-		{ query: { enabled: open && !!member?.id && isInvited } },
-	);
-
-	const existingToken = tokenQueryData?.data;
-	const isTokenExpired =
-		existingToken != null &&
-		new Date(String(existingToken.expiresAt)) < new Date();
-
-	// Create/regenerate token mutation
-	const {
-		mutateAsync: createTokenMutation,
-		isLoading: isGeneratingLink,
-	} = useCreateResetPasswordToken();
-
 	const fetchedDisplayName =
 		fetchedUser?.data?.displayName ?? member?.name ?? '';
 	const fetchedUserId = fetchedUser?.data?.id;
@@ -383,21 +338,12 @@ function EditMemberDrawer({
 		if (!member) {
 			return;
 		}
+		setIsGeneratingLink(true);
 		try {
-			const response = await createTokenMutation({
-				pathParams: { id: member.id },
-			});
+			const response = await getResetPasswordToken({ id: member.id });
 			if (response?.data?.token) {
 				const link = `${window.location.origin}/password-reset?token=${response.data.token}`;
 				setResetLink(link);
-				setResetLinkExpiresAt(
-					response.data.expiresAt
-						? formatTimezoneAdjustedTimestamp(
-								String(response.data.expiresAt),
-								DATE_TIME_FORMATS.DASH_DATETIME,
-						  )
-						: null,
-				);
 				setHasCopiedResetLink(false);
 				setLinkType(isInvited ? 'invite' : 'reset');
 				setShowResetLinkDialog(true);
@@ -413,8 +359,10 @@ function EditMemberDrawer({
 				err as AxiosError<RenderErrorResponseDTO, unknown> | null,
 			);
 			showErrorModal(errMsg as APIError);
+		} finally {
+			setIsGeneratingLink(false);
 		}
-	}, [member, isInvited, onClose, showErrorModal, createTokenMutation]);
+	}, [member, isInvited, onClose, showErrorModal]);
 
 	const [copyState, copyToClipboard] = useCopyToClipboard();
 	const handleCopyResetLink = useCallback((): void => {
@@ -620,19 +568,12 @@ function EditMemberDrawer({
 								<Button
 									className="edit-member-drawer__footer-btn edit-member-drawer__footer-btn--warning"
 									onClick={handleGenerateResetLink}
-									disabled={isGeneratingLink || isRootUser || isLoadingTokenStatus}
+									disabled={isGeneratingLink || isRootUser}
 								>
 									<RefreshCw size={12} />
-									{isGeneratingLink
-										? 'Generating...'
-										: isInvited
-										? getInviteButtonLabel(
-												isLoadingTokenStatus,
-												existingToken,
-												isTokenExpired,
-												tokenNotFound,
-										  )
-										: 'Generate Password Reset Link'}
+									{isGeneratingLink && 'Generating...'}
+									{!isGeneratingLink && isInvited && 'Copy Invite Link'}
+									{!isGeneratingLink && !isInvited && 'Generate Password Reset Link'}
 								</Button>
 							</span>
 						</Tooltip>
@@ -682,7 +623,6 @@ function EditMemberDrawer({
 				open={showResetLinkDialog}
 				linkType={linkType}
 				resetLink={resetLink}
-				expiresAt={resetLinkExpiresAt}
 				hasCopied={hasCopiedResetLink}
 				onClose={(): void => {
 					setShowResetLinkDialog(false);

frontend/src/components/EditMemberDrawer/ResetLinkDialog.tsx

@@ -6,7 +6,6 @@ interface ResetLinkDialogProps {
 	open: boolean;
 	linkType: 'invite' | 'reset' | null;
 	resetLink: string | null;
-	expiresAt: string | null;
 	hasCopied: boolean;
 	onClose: () => void;
 	onCopy: () => void;
@@ -16,7 +15,6 @@ function ResetLinkDialog({
 	open,
 	linkType,
 	resetLink,
-	expiresAt,
 	hasCopied,
 	onClose,
 	onCopy,
@@ -55,11 +53,6 @@ function ResetLinkDialog({
 						{hasCopied ? 'Copied!' : 'Copy'}
 					</Button>
 				</div>
-				{expiresAt && (
-					<p className="reset-link-dialog__description">
-						This link expires on {expiresAt}.
-					</p>
-				)}
 			</div>
 		</DialogWrapper>
 	);

frontend/src/components/EditMemberDrawer/__tests__/EditMemberDrawer.test.tsx

@@ -2,9 +2,8 @@ import type { ReactNode } from 'react';
 import { toast } from '@signozhq/sonner';
 import { convertToApiError } from 'api/ErrorResponseHandlerForGeneratedAPIs';
 import {
-	useCreateResetPasswordToken,
+	getResetPasswordToken,
 	useDeleteUser,
-	useGetResetPasswordToken,
 	useGetUser,
 	useSetRoleByUserID,
 	useUpdateMyUserV2,
@@ -56,8 +55,7 @@ jest.mock('api/generated/services/users', () => ({
 	useUpdateUser: jest.fn(),
 	useUpdateMyUserV2: jest.fn(),
 	useSetRoleByUserID: jest.fn(),
-	useGetResetPasswordToken: jest.fn(),
-	useCreateResetPasswordToken: jest.fn(),
+	getResetPasswordToken: jest.fn(),
 }));
 
 jest.mock('api/ErrorResponseHandlerForGeneratedAPIs', () => ({
@@ -84,7 +82,7 @@ jest.mock('react-use', () => ({
 const ROLES_ENDPOINT = '*/api/v1/roles';
 
 const mockDeleteMutate = jest.fn();
-const mockCreateTokenMutateAsync = jest.fn();
+const mockGetResetPasswordToken = jest.mocked(getResetPasswordToken);
 
 const showErrorModal = jest.fn();
 jest.mock('providers/ErrorModalProvider', () => ({
@@ -186,31 +184,6 @@ describe('EditMemberDrawer', () => {
 			mutate: mockDeleteMutate,
 			isLoading: false,
 		});
-		// Token query: valid token for invited members
-		(useGetResetPasswordToken as jest.Mock).mockReturnValue({
-			data: {
-				data: {
-					token: 'invite-tok-valid',
-					id: 'token-1',
-					expiresAt: new Date(Date.now() + 86400000).toISOString(),
-				},
-			},
-			isLoading: false,
-			isError: false,
-		});
-		// Create token mutation
-		mockCreateTokenMutateAsync.mockResolvedValue({
-			status: 'success',
-			data: {
-				token: 'reset-tok-abc',
-				id: 'user-1',
-				expiresAt: new Date(Date.now() + 86400000).toISOString(),
-			},
-		});
-		(useCreateResetPasswordToken as jest.Mock).mockReturnValue({
-			mutateAsync: mockCreateTokenMutateAsync,
-			isLoading: false,
-		});
 	});
 
 	afterEach(() => {
@@ -384,40 +357,6 @@ describe('EditMemberDrawer', () => {
 		expect(screen.queryByText('Last Modified')).not.toBeInTheDocument();
 	});
 
-	it('shows "Regenerate Invite Link" when token is expired', () => {
-		(useGetResetPasswordToken as jest.Mock).mockReturnValue({
-			data: {
-				data: {
-					token: 'old-tok',
-					id: 'token-1',
-					expiresAt: new Date(Date.now() - 86400000).toISOString(), // expired yesterday
-				},
-			},
-			isLoading: false,
-			isError: false,
-		});
-
-		renderDrawer({ member: invitedMember });
-
-		expect(
-			screen.getByRole('button', { name: /regenerate invite link/i }),
-		).toBeInTheDocument();
-	});
-
-	it('shows "Generate Invite Link" when no token exists', () => {
-		(useGetResetPasswordToken as jest.Mock).mockReturnValue({
-			data: undefined,
-			isLoading: false,
-			isError: true,
-		});
-
-		renderDrawer({ member: invitedMember });
-
-		expect(
-			screen.getByRole('button', { name: /generate invite link/i }),
-		).toBeInTheDocument();
-	});
-
 	it('calls deleteUser after confirming revoke invite for invited members', async () => {
 		const onComplete = jest.fn();
 		const user = userEvent.setup({ pointerEventsCheck: 0 });
@@ -670,7 +609,7 @@ describe('EditMemberDrawer', () => {
 			).not.toBeInTheDocument();
 		});
 
-		it('does not call createResetPasswordToken when Reset Link is clicked while disabled (root)', async () => {
+		it('does not call getResetPasswordToken when Reset Link is clicked while disabled (root)', async () => {
 			const user = userEvent.setup({ pointerEventsCheck: 0 });
 			renderDrawer();
 
@@ -678,16 +617,20 @@ describe('EditMemberDrawer', () => {
 				screen.getByRole('button', { name: /generate password reset link/i }),
 			);
 
-			expect(mockCreateTokenMutateAsync).not.toHaveBeenCalled();
+			expect(mockGetResetPasswordToken).not.toHaveBeenCalled();
 		});
 	});
 
 	describe('Generate Password Reset Link', () => {
 		beforeEach(() => {
 			mockCopyToClipboard.mockClear();
+			mockGetResetPasswordToken.mockResolvedValue({
+				status: 'success',
+				data: { token: 'reset-tok-abc', id: 'user-1' },
+			});
 		});
 
-		it('calls POST and opens the reset link dialog with the generated link and expiry', async () => {
+		it('calls getResetPasswordToken and opens the reset link dialog with the generated link', async () => {
 			const user = userEvent.setup({ pointerEventsCheck: 0 });
 
 			renderDrawer();
@@ -699,12 +642,11 @@ describe('EditMemberDrawer', () => {
 			const dialog = await screen.findByRole('dialog', {
 				name: /password reset link/i,
 			});
-			expect(mockCreateTokenMutateAsync).toHaveBeenCalledWith({
-				pathParams: { id: 'user-1' },
+			expect(mockGetResetPasswordToken).toHaveBeenCalledWith({
+				id: 'user-1',
 			});
 			expect(dialog).toBeInTheDocument();
 			expect(dialog).toHaveTextContent('reset-tok-abc');
-			expect(dialog).toHaveTextContent(/this link expires on/i);
 		});
 
 		it('copies the link to clipboard and shows "Copied!" on the button', async () => {

frontend/src/constants/localStorage.ts

@@ -37,5 +37,4 @@ export enum LOCALSTORAGE {
 	SHOW_FREQUENCY_CHART = 'SHOW_FREQUENCY_CHART',
 	DISSMISSED_COST_METER_INFO = 'DISMISSED_COST_METER_INFO',
 	DISMISSED_API_KEYS_DEPRECATION_BANNER = 'DISMISSED_API_KEYS_DEPRECATION_BANNER',
-	LICENSE_KEY_CALLOUT_DISMISSED = 'LICENSE_KEY_CALLOUT_DISMISSED',
 }

frontend/src/container/DashboardContainer/visualization/charts/ChartWrapper/ChartWrapper.tsx

@@ -25,7 +25,6 @@ export default function ChartWrapper({
 	showTooltip = true,
 	showLegend = true,
 	canPinTooltip = false,
-	pinKey,
 	syncMode,
 	syncKey,
 	onDestroy = noop,
@@ -94,7 +93,6 @@ export default function ChartWrapper({
 							<TooltipPlugin
 								config={config}
 								canPinTooltip={canPinTooltip}
-								pinKey={pinKey}
 								syncMode={syncMode}
 								maxWidth={Math.max(
 									TOOLTIP_MIN_WIDTH,

frontend/src/container/DashboardContainer/visualization/charts/types.ts

@@ -14,8 +14,6 @@ interface BaseChartProps {
 	showLegend?: boolean;
 	timezone?: Timezone;
 	canPinTooltip?: boolean;
-	/** Key that pins the tooltip while hovering. Defaults to DEFAULT_PIN_TOOLTIP_KEY ('l'). */
-	pinKey?: string;
 	yAxisUnit?: string;
 	decimalPrecision?: PrecisionOption;
 	pinnedTooltipElement?: (clickData: TooltipClickData) => React.ReactNode;

frontend/src/container/DashboardContainer/visualization/panels/BarPanel/BarPanel.tsx

@@ -121,7 +121,6 @@ function BarPanel(props: PanelWrapperProps): JSX.Element {
 					legendConfig={{
 						position: widget?.legendPosition ?? LegendPosition.BOTTOM,
 					}}
-					canPinTooltip
 					plotRef={onPlotRef}
 					onDestroy={onPlotDestroy}
 					yAxisUnit={widget.yAxisUnit}

frontend/src/container/DashboardContainer/visualization/panels/TimeSeriesPanel/TimeSeriesPanel.tsx

@@ -112,7 +112,6 @@ function TimeSeriesPanel(props: PanelWrapperProps): JSX.Element {
 					legendConfig={{
 						position: widget?.legendPosition ?? LegendPosition.BOTTOM,
 					}}
-					canPinTooltip
 					yAxisUnit={widget.yAxisUnit}
 					decimalPrecision={widget.decimalPrecision}
 					timezone={timezone}

frontend/src/container/GeneralSettings/GeneralSettings.tsx

@@ -38,7 +38,6 @@ import {
 } from 'types/api/settings/getRetention';
 import { USER_ROLES } from 'types/roles';
 
-import LicenseRowDismissibleCallout from './LicenseKeyRow/LicenseRowDismissibleCallout/LicenseRowDismissibleCallout';
 import Retention from './Retention';
 import StatusMessage from './StatusMessage';
 import { ActionItemsContainer, ErrorText, ErrorTextContainer } from './styles';
@@ -684,12 +683,7 @@ function GeneralSettings({
 					{showCustomDomainSettings && activeLicense?.key && (
 						<div className="custom-domain-card-divider" />
 					)}
-					{activeLicense?.key && (
-						<>
-							<LicenseKeyRow />
-							<LicenseRowDismissibleCallout />
-						</>
-					)}
+					{activeLicense?.key && <LicenseKeyRow />}
 				</div>
 			)}
 

frontend/src/container/GeneralSettings/LicenseKeyRow/LicenseRowDismissibleCallout/LicenseRowDismissible.styles.scss

@@ -1,31 +0,0 @@
-.license-key-callout {
-	margin: var(--spacing-4) var(--spacing-6);
-	width: auto;
-
-	.license-key-callout__description {
-		display: flex;
-		align-items: baseline;
-		gap: var(--spacing-2);
-		min-width: 0;
-		flex-wrap: wrap;
-		font-size: 13px;
-	}
-
-	.license-key-callout__link {
-		display: inline-flex;
-		align-items: center;
-		padding: var(--spacing-1) var(--spacing-3);
-		border-radius: 2px;
-		background: var(--callout-primary-background);
-		color: var(--callout-primary-description);
-		font-family: 'SF Mono', 'Fira Code', 'Fira Mono', monospace;
-		font-size: var(--paragraph-base-400-font-size);
-		text-decoration: none;
-
-		&:hover {
-			background: var(--callout-primary-border);
-			color: var(--callout-primary-icon);
-			text-decoration: none;
-		}
-	}
-}

frontend/src/container/GeneralSettings/LicenseKeyRow/LicenseRowDismissibleCallout/LicenseRowDismissibleCallout.tsx

@@ -1,83 +0,0 @@
-import { useState } from 'react';
-import { Link } from 'react-router-dom';
-import { Callout } from '@signozhq/callout';
-import getLocalStorageApi from 'api/browser/localstorage/get';
-import setLocalStorageApi from 'api/browser/localstorage/set';
-import { FeatureKeys } from 'constants/features';
-import { LOCALSTORAGE } from 'constants/localStorage';
-import ROUTES from 'constants/routes';
-import { useGetTenantLicense } from 'hooks/useGetTenantLicense';
-import { useAppContext } from 'providers/App/App';
-import { USER_ROLES } from 'types/roles';
-
-import './LicenseRowDismissible.styles.scss';
-
-function LicenseRowDismissibleCallout(): JSX.Element | null {
-	const [isCalloutDismissed, setIsCalloutDismissed] = useState<boolean>(
-		() =>
-			getLocalStorageApi(LOCALSTORAGE.LICENSE_KEY_CALLOUT_DISMISSED) === 'true',
-	);
-
-	const { user, featureFlags } = useAppContext();
-	const { isCloudUser } = useGetTenantLicense();
-
-	const isAdmin = user.role === USER_ROLES.ADMIN;
-	const isEditor = user.role === USER_ROLES.EDITOR;
-
-	const isGatewayEnabled =
-		featureFlags?.find((feature) => feature.name === FeatureKeys.GATEWAY)
-			?.active || false;
-
-	const hasServiceAccountsAccess = isAdmin;
-
-	const hasIngestionAccess =
-		(isCloudUser && !isGatewayEnabled) ||
-		(isGatewayEnabled && (isAdmin || isEditor));
-
-	const handleDismissCallout = (): void => {
-		setLocalStorageApi(LOCALSTORAGE.LICENSE_KEY_CALLOUT_DISMISSED, 'true');
-		setIsCalloutDismissed(true);
-	};
-
-	return !isCalloutDismissed ? (
-		<Callout
-			type="info"
-			size="small"
-			showIcon
-			dismissable
-			onClose={handleDismissCallout}
-			className="license-key-callout"
-			description={
-				<div className="license-key-callout__description">
-					This is <strong>NOT</strong> your ingestion or Service account key.
-					{(hasServiceAccountsAccess || hasIngestionAccess) && (
-						<>
-							{' '}
-							Find your{' '}
-							{hasServiceAccountsAccess && (
-								<Link
-									to={ROUTES.SERVICE_ACCOUNTS_SETTINGS}
-									className="license-key-callout__link"
-								>
-									Service account here
-								</Link>
-							)}
-							{hasServiceAccountsAccess && hasIngestionAccess && ' and '}
-							{hasIngestionAccess && (
-								<Link
-									to={ROUTES.INGESTION_SETTINGS}
-									className="license-key-callout__link"
-								>
-									Ingestion key here
-								</Link>
-							)}
-							.
-						</>
-					)}
-				</div>
-			}
-		/>
-	) : null;
-}
-
-export default LicenseRowDismissibleCallout;

frontend/src/container/GeneralSettings/LicenseKeyRow/LicenseRowDismissibleCallout/__tests__/LicenseRowDismissibleCallout.test.tsx

@@ -1,229 +0,0 @@
-import { FeatureKeys } from 'constants/features';
-import { LOCALSTORAGE } from 'constants/localStorage';
-import ROUTES from 'constants/routes';
-import { useGetTenantLicense } from 'hooks/useGetTenantLicense';
-import { render, screen, userEvent } from 'tests/test-utils';
-import { USER_ROLES } from 'types/roles';
-
-import LicenseRowDismissibleCallout from '../LicenseRowDismissibleCallout';
-
-const getDescription = (): HTMLElement =>
-	screen.getByText(
-		(_, el) =>
-			el?.classList?.contains('license-key-callout__description') ?? false,
-	);
-
-const queryDescription = (): HTMLElement | null =>
-	screen.queryByText(
-		(_, el) =>
-			el?.classList?.contains('license-key-callout__description') ?? false,
-	);
-
-jest.mock('hooks/useGetTenantLicense', () => ({
-	useGetTenantLicense: jest.fn(),
-}));
-
-const mockLicense = (isCloudUser: boolean): void => {
-	(useGetTenantLicense as jest.Mock).mockReturnValue({
-		isCloudUser,
-		isEnterpriseSelfHostedUser: !isCloudUser,
-		isCommunityUser: false,
-		isCommunityEnterpriseUser: false,
-	});
-};
-
-const renderCallout = (
-	role: string,
-	isCloudUser: boolean,
-	gatewayActive: boolean,
-): void => {
-	mockLicense(isCloudUser);
-	render(
-		<LicenseRowDismissibleCallout />,
-		{},
-		{
-			role,
-			appContextOverrides: {
-				featureFlags: [
-					{
-						name: FeatureKeys.GATEWAY,
-						active: gatewayActive,
-						usage: 0,
-						usage_limit: -1,
-						route: '',
-					},
-				],
-			},
-		},
-	);
-};
-
-describe('LicenseRowDismissibleCallout', () => {
-	beforeEach(() => {
-		localStorage.clear();
-		jest.clearAllMocks();
-	});
-
-	describe('callout content per access level', () => {
-		it.each([
-			{
-				scenario: 'viewer, non-cloud, gateway off — base text only, no links',
-				role: USER_ROLES.VIEWER,
-				isCloudUser: false,
-				gatewayActive: false,
-				serviceAccountLink: false,
-				ingestionLink: false,
-				expectedText: 'This is NOT your ingestion or Service account key.',
-			},
-			{
-				scenario: 'admin, non-cloud, gateway off — service accounts link only',
-				role: USER_ROLES.ADMIN,
-				isCloudUser: false,
-				gatewayActive: false,
-				serviceAccountLink: true,
-				ingestionLink: false,
-				expectedText:
-					'This is NOT your ingestion or Service account key. Find your Service account here.',
-			},
-			{
-				scenario: 'viewer, cloud, gateway off — ingestion link only',
-				role: USER_ROLES.VIEWER,
-				isCloudUser: true,
-				gatewayActive: false,
-				serviceAccountLink: false,
-				ingestionLink: true,
-				expectedText:
-					'This is NOT your ingestion or Service account key. Find your Ingestion key here.',
-			},
-			{
-				scenario: 'admin, cloud, gateway off — both links',
-				role: USER_ROLES.ADMIN,
-				isCloudUser: true,
-				gatewayActive: false,
-				serviceAccountLink: true,
-				ingestionLink: true,
-				expectedText:
-					'This is NOT your ingestion or Service account key. Find your Service account here and Ingestion key here.',
-			},
-			{
-				scenario: 'admin, non-cloud, gateway on — both links',
-				role: USER_ROLES.ADMIN,
-				isCloudUser: false,
-				gatewayActive: true,
-				serviceAccountLink: true,
-				ingestionLink: true,
-				expectedText:
-					'This is NOT your ingestion or Service account key. Find your Service account here and Ingestion key here.',
-			},
-			{
-				scenario: 'editor, non-cloud, gateway on — ingestion link only',
-				role: USER_ROLES.EDITOR,
-				isCloudUser: false,
-				gatewayActive: true,
-				serviceAccountLink: false,
-				ingestionLink: true,
-				expectedText:
-					'This is NOT your ingestion or Service account key. Find your Ingestion key here.',
-			},
-			{
-				scenario: 'editor, cloud, gateway off — ingestion link only',
-				role: USER_ROLES.EDITOR,
-				isCloudUser: true,
-				gatewayActive: false,
-				serviceAccountLink: false,
-				ingestionLink: true,
-				expectedText:
-					'This is NOT your ingestion or Service account key. Find your Ingestion key here.',
-			},
-		])(
-			'$scenario',
-			({
-				role,
-				isCloudUser,
-				gatewayActive,
-				serviceAccountLink,
-				ingestionLink,
-				expectedText,
-			}) => {
-				renderCallout(role, isCloudUser, gatewayActive);
-
-				const description = getDescription();
-				expect(description).toBeInTheDocument();
-				expect(description).toHaveTextContent(expectedText);
-
-				if (serviceAccountLink) {
-					expect(
-						screen.getByRole('link', { name: /Service account here/ }),
-					).toBeInTheDocument();
-				} else {
-					expect(
-						screen.queryByRole('link', { name: /Service account here/ }),
-					).not.toBeInTheDocument();
-				}
-
-				if (ingestionLink) {
-					expect(
-						screen.getByRole('link', { name: /Ingestion key here/ }),
-					).toBeInTheDocument();
-				} else {
-					expect(
-						screen.queryByRole('link', { name: /Ingestion key here/ }),
-					).not.toBeInTheDocument();
-				}
-			},
-		);
-	});
-
-	describe('Link routing', () => {
-		it('should link to service accounts settings', () => {
-			renderCallout(USER_ROLES.ADMIN, false, false);
-
-			const link = screen.getByRole('link', {
-				name: /Service account here/,
-			}) as HTMLAnchorElement;
-
-			expect(link.getAttribute('href')).toBe(ROUTES.SERVICE_ACCOUNTS_SETTINGS);
-		});
-
-		it('should link to ingestion settings', () => {
-			renderCallout(USER_ROLES.VIEWER, true, false);
-
-			const link = screen.getByRole('link', {
-				name: /Ingestion key here/,
-			}) as HTMLAnchorElement;
-
-			expect(link.getAttribute('href')).toBe(ROUTES.INGESTION_SETTINGS);
-		});
-	});
-
-	describe('Dismissal functionality', () => {
-		it('should hide callout when dismiss button is clicked', async () => {
-			const user = userEvent.setup();
-			renderCallout(USER_ROLES.ADMIN, false, false);
-
-			expect(getDescription()).toBeInTheDocument();
-
-			await user.click(screen.getByRole('button'));
-
-			expect(queryDescription()).not.toBeInTheDocument();
-		});
-
-		it('should persist dismissal in localStorage', async () => {
-			const user = userEvent.setup();
-			renderCallout(USER_ROLES.ADMIN, false, false);
-
-			await user.click(screen.getByRole('button'));
-
-			expect(
-				localStorage.getItem(LOCALSTORAGE.LICENSE_KEY_CALLOUT_DISMISSED),
-			).toBe('true');
-		});
-
-		it('should not render when localStorage dismissal is set', () => {
-			localStorage.setItem(LOCALSTORAGE.LICENSE_KEY_CALLOUT_DISMISSED, 'true');
-			renderCallout(USER_ROLES.ADMIN, false, false);
-
-			expect(queryDescription()).not.toBeInTheDocument();
-		});
-	});
-});

frontend/src/container/MySettings/UserInfo/index.tsx

@@ -2,10 +2,8 @@ import { useState } from 'react';
 import { useTranslation } from 'react-i18next';
 import { Button, Input, Modal, Typography } from 'antd';
 import logEvent from 'api/common/logEvent';
-import {
-	updateMyPassword,
-	useUpdateMyUserV2,
-} from 'api/generated/services/users';
+import { useUpdateMyUserV2 } from 'api/generated/services/users';
+import changeMyPassword from 'api/v1/factor_password/changeMyPassword';
 import { useNotifications } from 'hooks/useNotifications';
 import { Check, FileTerminal, MailIcon, UserIcon } from 'lucide-react';
 import { useAppContext } from 'providers/App/App';
@@ -55,9 +53,10 @@ function UserInfo(): JSX.Element {
 		try {
 			setIsLoading(true);
 
-			await updateMyPassword({
+			await changeMyPassword({
 				newPassword: updatePassword,
 				oldPassword: currentPassword,
+				userId: user.id,
 			});
 			notifications.success({
 				message: t('success', {

frontend/src/lib/history.ts

@@ -1,3 +1,4 @@
 import { createBrowserHistory } from 'history';
+import { getBasePath } from 'utils/getBasePath';
 
-export default createBrowserHistory();
+export default createBrowserHistory({ basename: getBasePath() });

frontend/src/lib/uPlotV2/plugins/TooltipPlugin/TooltipPlugin.tsx

@@ -16,6 +16,7 @@ import {
 } from './tooltipController';
 import {
 	DashboardCursorSync,
+	TooltipClickData,
 	TooltipControllerContext,
 	TooltipControllerState,
 	TooltipLayoutInfo,
@@ -30,8 +31,6 @@ const INTERACTIVE_CONTAINER_CLASSNAME = '.tooltip-plugin-container';
 // Delay before hiding an unpinned tooltip when the cursor briefly leaves
 // the plot – this avoids flicker when moving between nearby points.
 const HOVER_DISMISS_DELAY_MS = 100;
-// Default key that pins the tooltip while hovering over the chart.
-export const DEFAULT_PIN_TOOLTIP_KEY = 'l';
 
 // eslint-disable-next-line sonarjs/cognitive-complexity
 export default function TooltipPlugin({
@@ -43,7 +42,6 @@ export default function TooltipPlugin({
 	syncKey = '_tooltip_sync_global_',
 	pinnedTooltipElement,
 	canPinTooltip = false,
-	pinKey = DEFAULT_PIN_TOOLTIP_KEY,
 }: TooltipPluginProps): JSX.Element | null {
 	const containerRef = useRef<HTMLDivElement>(null);
 	const rafId = useRef<number | null>(null);
@@ -261,73 +259,68 @@ export default function TooltipPlugin({
 			}
 		};
 
-		// Pin the tooltip when the user presses the configured pin key while
-		// hovering over the chart. Uses getFocusedSeriesAtPosition with a
-		// synthetic event built from the current uPlot cursor position so the
-		// same series-resolution logic as click-pinning is reused.
-		const handleKeyDown = (event: KeyboardEvent): void => {
-			if (event.key.toLowerCase() !== pinKey.toLowerCase()) {
-				return;
-			}
+		// When pinning is enabled, a click on the plot overlay while
+		// hovering converts the transient tooltip into a pinned one.
+		// Uses getPlot(controller) to avoid closing over u (plot), which
+		// would retain the plot and detached canvases across unmounts.
+		const handleUPlotOverClick = (event: MouseEvent): void => {
 			const plot = getPlot(controller);
 			if (
-				!plot ||
-				!controller.hoverActive ||
-				controller.pinned ||
-				controller.focusedSeriesIndex == null
+				plot &&
+				event.target === plot.over &&
+				controller.hoverActive &&
+				!controller.pinned &&
+				controller.focusedSeriesIndex != null
 			) {
-				return;
+				const xValue = plot.posToVal(event.offsetX, 'x');
+				const yValue = plot.posToVal(event.offsetY, 'y');
+				const focusedSeries = getFocusedSeriesAtPosition(event, plot);
+
+				let clickedDataTimestamp = xValue;
+				if (focusedSeries) {
+					const dataIndex = plot.posToIdx(event.offsetX);
+					const xSeriesData = plot.data[0];
+					if (
+						xSeriesData &&
+						dataIndex >= 0 &&
+						dataIndex < xSeriesData.length &&
+						xSeriesData[dataIndex] !== undefined
+					) {
+						clickedDataTimestamp = xSeriesData[dataIndex];
+					}
+				}
+
+				const clickData: TooltipClickData = {
+					xValue,
+					yValue,
+					focusedSeries,
+					clickedDataTimestamp,
+					mouseX: event.offsetX,
+					mouseY: event.offsetY,
+					absoluteMouseX: event.clientX,
+					absoluteMouseY: event.clientY,
+				};
+
+				controller.clickData = clickData;
+
+				setTimeout(() => {
+					controller.pinned = true;
+					scheduleRender(true);
+				}, 0);
 			}
-
-			const cursorLeft = plot.cursor.left ?? -1;
-			const cursorTop = plot.cursor.top ?? -1;
-			if (cursorLeft < 0 || cursorTop < 0) {
-				return;
-			}
-
-			const plotRect = plot.over.getBoundingClientRect();
-			const syntheticEvent = ({
-				clientX: plotRect.left + cursorLeft,
-				clientY: plotRect.top + cursorTop,
-				target: plot.over,
-				offsetX: cursorLeft,
-				offsetY: cursorTop,
-			} as unknown) as MouseEvent;
-
-			const xValue = plot.posToVal(cursorLeft, 'x');
-			const yValue = plot.posToVal(cursorTop, 'y');
-			const focusedSeries = getFocusedSeriesAtPosition(syntheticEvent, plot);
-
-			const dataIndex = plot.posToIdx(cursorLeft);
-			let clickedDataTimestamp = xValue;
-			const xSeriesData = plot.data[0];
-			if (
-				xSeriesData &&
-				dataIndex >= 0 &&
-				dataIndex < xSeriesData.length &&
-				xSeriesData[dataIndex] !== undefined
-			) {
-				clickedDataTimestamp = xSeriesData[dataIndex];
-			}
-
-			controller.clickData = {
-				xValue,
-				yValue,
-				focusedSeries,
-				clickedDataTimestamp,
-				mouseX: cursorLeft,
-				mouseY: cursorTop,
-				absoluteMouseX: syntheticEvent.clientX,
-				absoluteMouseY: syntheticEvent.clientY,
-			};
-			controller.pinned = true;
-			scheduleRender(true);
 		};
 
-		// Called once per uPlot instance; used to store the instance on the controller.
+		let overClickHandler: ((event: MouseEvent) => void) | null = null;
+
+		// Called once per uPlot instance; used to store the instance
+		// on the controller and optionally attach the pinning handler.
 		const handleInit = (u: uPlot): void => {
 			controller.plot = u;
 			updateState({ hasPlot: true });
+			if (canPinTooltip) {
+				overClickHandler = handleUPlotOverClick;
+				u.over.addEventListener('click', overClickHandler);
+			}
 		};
 
 		// If the underlying data changes we drop any pinned tooltip,
@@ -372,9 +365,6 @@ export default function TooltipPlugin({
 
 		window.addEventListener('resize', handleWindowResize);
 		window.addEventListener('scroll', handleScroll, true);
-		if (canPinTooltip) {
-			document.addEventListener('keydown', handleKeyDown, true);
-		}
 
 		return (): void => {
 			layoutRef.current?.observer.disconnect();
@@ -382,9 +372,6 @@ export default function TooltipPlugin({
 			window.removeEventListener('scroll', handleScroll, true);
 			document.removeEventListener('mousedown', onOutsideInteraction, true);
 			document.removeEventListener('keydown', onOutsideInteraction, true);
-			if (canPinTooltip) {
-				document.removeEventListener('keydown', handleKeyDown, true);
-			}
 			cancelPendingRender();
 			removeReadyHook();
 			removeInitHook();
@@ -392,6 +379,13 @@ export default function TooltipPlugin({
 			removeSetSeriesHook();
 			removeSetLegendHook();
 			removeSetCursorHook();
+			if (overClickHandler) {
+				const plot = getPlot(controller);
+				if (plot) {
+					plot.over.removeEventListener('click', overClickHandler);
+				}
+				overClickHandler = null;
+			}
 			clearPlotReferences();
 		};
 		// eslint-disable-next-line react-hooks/exhaustive-deps
@@ -429,12 +423,8 @@ export default function TooltipPlugin({
 	}, [isHovering, hasPlot]);
 
 	const tooltipBody = useMemo(() => {
-		if (isPinned) {
-			if (pinnedTooltipElement != null && viewState.clickData != null) {
-				return pinnedTooltipElement(viewState.clickData);
-			}
-			// No custom pinned element — keep showing the last hover contents.
-			return contents ?? null;
+		if (isPinned && pinnedTooltipElement != null && viewState.clickData != null) {
+			return pinnedTooltipElement(viewState.clickData);
 		}
 
 		if (isHovering) {

frontend/src/lib/uPlotV2/plugins/TooltipPlugin/tooltipController.ts

@@ -102,12 +102,6 @@ export function updateHoverState(
 	controller: TooltipControllerState,
 	syncTooltipWithDashboard: boolean,
 ): void {
-	// When pinned, keep hoverActive stable so the tooltip stays visible
-	// until explicitly dismissed — the cursor lock fires asynchronously
-	// and setSeries/setLegend can otherwise race and clear hoverActive.
-	if (controller.pinned) {
-		return;
-	}
 	// When the cursor is driven by dashboard‑level sync, we only show
 	// the tooltip if the plot is in viewport and at least one series
 	// is active. Otherwise we fall back to local interaction logic.

frontend/src/lib/uPlotV2/plugins/TooltipPlugin/types.ts

@@ -37,8 +37,6 @@ export interface TooltipLayoutInfo {
 export interface TooltipPluginProps {
 	config: UPlotConfigBuilder;
 	canPinTooltip?: boolean;
-	/** Key that pins the tooltip while hovering. Defaults to DEFAULT_PIN_TOOLTIP_KEY ('l'). */
-	pinKey?: string;
 	syncMode?: DashboardCursorSync;
 	syncKey?: string;
 	render: (args: TooltipRenderArgs) => ReactNode;

frontend/src/lib/uPlotV2/plugins/__tests__/TooltipPlugin.test.ts

@@ -6,9 +6,7 @@ import type uPlot from 'uplot';
 
 import { TooltipRenderArgs } from '../../components/types';
 import { UPlotConfigBuilder } from '../../config/UPlotConfigBuilder';
-import TooltipPlugin, {
-	DEFAULT_PIN_TOOLTIP_KEY,
-} from '../TooltipPlugin/TooltipPlugin';
+import TooltipPlugin from '../TooltipPlugin/TooltipPlugin';
 import { DashboardCursorSync } from '../TooltipPlugin/types';
 
 // Avoid depending on the full uPlot + onClickPlugin behaviour in these tests.
@@ -62,7 +60,7 @@ function getHandler(config: ConfigMock, hookName: string): HookHandler {
 function createFakePlot(): {
 	over: HTMLDivElement;
 	setCursor: jest.Mock<void, [uPlot.Cursor]>;
-	cursor: { event: Record<string, unknown>; left: number; top: number };
+	cursor: { event: Record<string, unknown> };
 	posToVal: jest.Mock<number, [value: number]>;
 	posToIdx: jest.Mock<number, []>;
 	data: [number[], number[]];
@@ -73,9 +71,7 @@ function createFakePlot(): {
 	return {
 		over,
 		setCursor: jest.fn(),
-		// left / top are set to valid values so keyboard-pin tests do not
-		// hit the "cursor off-screen" guard inside handleKeyDown.
-		cursor: { event: {}, left: 50, top: 50 },
+		cursor: { event: {} },
 		// In real uPlot these map overlay coordinates to data-space values.
 		posToVal: jest.fn((value: number) => value),
 		posToIdx: jest.fn(() => 0),
@@ -249,21 +245,18 @@ describe('TooltipPlugin', () => {
 	// ---- Pin behaviour ----------------------------------------------------------
 
 	describe('pin behaviour', () => {
-		it('pins the tooltip when canPinTooltip is true and the pinKey is pressed while hovering', () => {
+		it('pins the tooltip when canPinTooltip is true and overlay is clicked', () => {
 			const config = createConfigMock();
 
-			renderAndActivateHover(config, undefined, { canPinTooltip: true });
+			const fakePlot = renderAndActivateHover(config, undefined, {
+				canPinTooltip: true,
+			});
 
 			const container = screen.getByTestId('tooltip-plugin-container');
 			expect(container.classList.contains('pinned')).toBe(false);
 
 			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
+				fakePlot.over.dispatchEvent(new MouseEvent('click', { bubbles: true }));
 			});
 
 			return waitFor(() => {
@@ -279,7 +272,7 @@ describe('TooltipPlugin', () => {
 				React.createElement('div', null, 'pinned-tooltip'),
 			);
 
-			renderAndActivateHover(
+			const fakePlot = renderAndActivateHover(
 				config,
 				() => React.createElement('div', null, 'hover-tooltip'),
 				{
@@ -291,12 +284,7 @@ describe('TooltipPlugin', () => {
 			expect(screen.getByText('hover-tooltip')).toBeInTheDocument();
 
 			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
+				fakePlot.over.dispatchEvent(new MouseEvent('click', { bubbles: true }));
 			});
 
 			await waitFor(() => {
@@ -330,14 +318,9 @@ describe('TooltipPlugin', () => {
 				getHandler(config, 'setSeries')(fakePlot, 1, { focus: true });
 			});
 
-			// Pin the tooltip via the keyboard shortcut.
+			// Pin the tooltip.
 			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
+				fakePlot.over.dispatchEvent(new MouseEvent('click', { bubbles: true }));
 			});
 
 			// Wait until the tooltip is actually pinned (pointer events enabled)
@@ -386,14 +369,9 @@ describe('TooltipPlugin', () => {
 				jest.runAllTimers();
 			});
 
-			// Pin via keyboard.
+			// Pin.
 			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
+				fakePlot.over.dispatchEvent(new MouseEvent('click', { bubbles: true }));
 				jest.runAllTimers();
 			});
 
@@ -439,14 +417,8 @@ describe('TooltipPlugin', () => {
 				jest.runAllTimers();
 			});
 
-			// Pin via keyboard.
 			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
+				fakePlot.over.dispatchEvent(new MouseEvent('click', { bubbles: true }));
 				jest.runAllTimers();
 			});
 
@@ -495,14 +467,8 @@ describe('TooltipPlugin', () => {
 				jest.runAllTimers();
 			});
 
-			// Pin via keyboard.
 			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
+				fakePlot.over.dispatchEvent(new MouseEvent('click', { bubbles: true }));
 				jest.runAllTimers();
 			});
 
@@ -532,170 +498,6 @@ describe('TooltipPlugin', () => {
 		});
 	});
 
-	// ---- Keyboard pin edge cases ------------------------------------------------
-
-	describe('keyboard pin edge cases', () => {
-		it('does not pin when cursor coordinates are negative (cursor off-screen)', () => {
-			const config = createConfigMock();
-
-			render(
-				React.createElement(TooltipPlugin, {
-					config,
-					render: () => React.createElement('div', null, 'tooltip-body'),
-					syncMode: DashboardCursorSync.None,
-					canPinTooltip: true,
-				}),
-			);
-
-			// Negative cursor coords — handleKeyDown bails out before pinning.
-			const fakePlot = {
-				...createFakePlot(),
-				cursor: { event: {}, left: -1, top: -1 },
-			};
-
-			act(() => {
-				getHandler(config, 'init')(fakePlot);
-				getHandler(config, 'setSeries')(fakePlot, 1, { focus: true });
-			});
-
-			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
-			});
-
-			const container = screen.getByTestId('tooltip-plugin-container');
-			expect(container.classList.contains('pinned')).toBe(false);
-		});
-
-		it('does not pin when hover is not active', () => {
-			const config = createConfigMock();
-
-			render(
-				React.createElement(TooltipPlugin, {
-					config,
-					render: () => React.createElement('div', null, 'tooltip-body'),
-					syncMode: DashboardCursorSync.None,
-					canPinTooltip: true,
-				}),
-			);
-
-			const fakePlot = createFakePlot();
-
-			act(() => {
-				// Initialise the plot but do NOT call setSeries – hoverActive stays false.
-				getHandler(config, 'init')(fakePlot);
-			});
-
-			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
-			});
-
-			// The container exists once the plot is initialised, but it should
-			// be hidden and not pinned since hover was never activated.
-			const container = screen.getByTestId('tooltip-plugin-container');
-			expect(container.classList.contains('pinned')).toBe(false);
-			expect(container.classList.contains('visible')).toBe(false);
-		});
-
-		it('ignores other keys and only pins on the configured pinKey', async () => {
-			const config = createConfigMock();
-
-			renderAndActivateHover(config, undefined, {
-				canPinTooltip: true,
-				pinKey: 'p',
-			});
-
-			// Default key 'l' should NOT pin when pinKey is 'p'.
-			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', {
-						key: DEFAULT_PIN_TOOLTIP_KEY,
-						bubbles: true,
-					}),
-				);
-			});
-
-			await waitFor(() => {
-				expect(
-					screen
-						.getByTestId('tooltip-plugin-container')
-						.classList.contains('pinned'),
-				).toBe(false);
-			});
-
-			// Custom pin key 'p' SHOULD pin.
-			act(() => {
-				document.body.dispatchEvent(
-					new KeyboardEvent('keydown', { key: 'p', bubbles: true }),
-				);
-			});
-
-			await waitFor(() => {
-				expect(
-					screen
-						.getByTestId('tooltip-plugin-container')
-						.classList.contains('pinned'),
-				).toBe(true);
-			});
-		});
-
-		it('does not register a keydown listener when canPinTooltip is false', () => {
-			const config = createConfigMock();
-			const addSpy = jest.spyOn(document, 'addEventListener');
-
-			render(
-				React.createElement(TooltipPlugin, {
-					config,
-					render: () => null,
-					syncMode: DashboardCursorSync.None,
-					canPinTooltip: false,
-				}),
-			);
-
-			const keydownCalls = addSpy.mock.calls.filter(
-				([type]) => type === 'keydown',
-			);
-			expect(keydownCalls).toHaveLength(0);
-		});
-
-		it('removes the keydown pin listener on unmount', () => {
-			const config = createConfigMock();
-			const addSpy = jest.spyOn(document, 'addEventListener');
-			const removeSpy = jest.spyOn(document, 'removeEventListener');
-
-			const { unmount } = render(
-				React.createElement(TooltipPlugin, {
-					config,
-					render: () => null,
-					syncMode: DashboardCursorSync.None,
-					canPinTooltip: true,
-				}),
-			);
-
-			const pinListenerCall = addSpy.mock.calls.find(
-				([type]) => type === 'keydown',
-			);
-			expect(pinListenerCall).toBeDefined();
-			if (!pinListenerCall) {
-				return;
-			}
-			const [, pinListener, pinOptions] = pinListenerCall;
-
-			unmount();
-
-			expect(removeSpy).toHaveBeenCalledWith('keydown', pinListener, pinOptions);
-		});
-	});
-
 	// ---- Cursor sync ------------------------------------------------------------
 
 	describe('cursor sync', () => {

frontend/src/mocks-server/handlers.ts

@@ -191,6 +191,17 @@ export const handlers = [
 			}),
 		),
 	),
+	rest.post('http://localhost/api/v1/changePassword', (_, res, ctx) =>
+		res(
+			ctx.status(403),
+			ctx.json({
+				status: 'error',
+				errorType: 'forbidden',
+				error: 'invalid credentials',
+			}),
+		),
+	),
+
 	rest.get(
 		'http://localhost/api/v3/autocomplete/aggregate_attributes',
 		(req, res, ctx) =>

frontend/src/pages/ErrorBoundaryFallback/ErrorBoundaryFallback.tsx

@@ -2,6 +2,7 @@ import { useCallback } from 'react';
 import { Button } from 'antd';
 import ROUTES from 'constants/routes';
 import { useGetTenantLicense } from 'hooks/useGetTenantLicense';
+import history from 'lib/history';
 import { Home, LifeBuoy } from 'lucide-react';
 import { handleContactSupport } from 'pages/Integrations/utils';
 
@@ -11,8 +12,9 @@ import './ErrorBoundaryFallback.styles.scss';
 
 function ErrorBoundaryFallback(): JSX.Element {
 	const handleReload = (): void => {
-		// Go to home page
-		window.location.href = ROUTES.HOME;
+		// Use history.push so the navigation stays within the base path prefix
+		// (window.location.href would strip any /signoz/ prefix).
+		history.push(ROUTES.HOME);
 	};
 
 	const { isCloudUser: isCloudUserVal } = useGetTenantLicense();

frontend/src/types/api/user/changeMyPassword.ts

@@ -0,0 +1,12 @@
+import { User } from 'types/reducer/app';
+
+export interface Props {
+	oldPassword: string;
+	newPassword: string;
+	userId: User['userId'];
+}
+
+export interface PayloadProps {
+	status: string;
+	data: string;
+}

frontend/src/types/api/user/getResetPasswordToken.ts

@@ -0,0 +1,15 @@
+import { User } from 'types/reducer/app';
+
+export interface Props {
+	userId: User['userId'];
+}
+
+export interface GetResetPasswordToken {
+	token: string;
+	userId: string;
+}
+
+export interface PayloadProps {
+	data: GetResetPasswordToken;
+	status: string;
+}

frontend/src/utils/__tests__/getBasePath.test.ts

@@ -0,0 +1,50 @@
+import { getBasePath } from 'utils/getBasePath';
+
+/**
+ * Contract tests for getBasePath().
+ *
+ * These lock down the exact DOM-reading contract so that any future change to
+ * the utility (or to how index.html injects the <base> tag) surfaces
+ * immediately as a test failure.
+ */
+describe('getBasePath', () => {
+	afterEach(() => {
+		// Remove any <base> elements added during the test.
+		document.head.querySelectorAll('base').forEach((el) => el.remove());
+	});
+
+	it('returns the href from the <base> tag when present', () => {
+		const base = document.createElement('base');
+		base.setAttribute('href', '/signoz/');
+		document.head.appendChild(base);
+
+		expect(getBasePath()).toBe('/signoz/');
+	});
+
+	it('returns "/" when no <base> tag exists in the document', () => {
+		expect(getBasePath()).toBe('/');
+	});
+
+	it('returns "/" when the <base> tag has no href attribute', () => {
+		const base = document.createElement('base');
+		document.head.appendChild(base);
+
+		expect(getBasePath()).toBe('/');
+	});
+
+	it('returns the href unchanged when it already has a trailing slash', () => {
+		const base = document.createElement('base');
+		base.setAttribute('href', '/my/nested/path/');
+		document.head.appendChild(base);
+
+		expect(getBasePath()).toBe('/my/nested/path/');
+	});
+
+	it('appends a trailing slash when the href is missing one', () => {
+		const base = document.createElement('base');
+		base.setAttribute('href', '/signoz');
+		document.head.appendChild(base);
+
+		expect(getBasePath()).toBe('/signoz/');
+	});
+});

frontend/src/utils/getBasePath.ts

@@ -0,0 +1,17 @@
+/**
+ * Returns the base path for this SigNoz deployment by reading the
+ * `<base href>` element injected into index.html by the Go backend at
+ * serve time.
+ *
+ * Always returns a string ending with `/` (e.g. `/`, `/signoz/`).
+ * Falls back to `/` when no `<base>` element is present so the app
+ * behaves correctly in local Vite dev and unit-test environments.
+ *
+ * @internal — consume through `src/lib/history` and the axios interceptor;
+ * do not read `<base>` directly anywhere else in the codebase.
+ */
+export function getBasePath(): string {
+	const href = document.querySelector('base')?.getAttribute('href') ?? '/';
+	// Trailing slash is required for relative asset resolution and API prefixing.
+	return href.endsWith('/') ? href : `${href}/`;
+}

frontend/vite.config.ts

@@ -10,6 +10,18 @@ import { createHtmlPlugin } from 'vite-plugin-html';
 import { ViteImageOptimizer } from 'vite-plugin-image-optimizer';
 import tsconfigPaths from 'vite-tsconfig-paths';
 
+// In dev the Go backend is not involved, so replace the [[.BaseHref]] placeholder
+// with "/" so relative assets resolve correctly from the Vite dev server.
+function devBasePathPlugin(): Plugin {
+	return {
+		name: 'dev-base-path',
+		apply: 'serve',
+		transformIndexHtml(html): string {
+			return html.replace('[[.BaseHref]]', '/');
+		},
+	};
+}
+
 function rawMarkdownPlugin(): Plugin {
 	return {
 		name: 'raw-markdown',
@@ -32,6 +44,7 @@ export default defineConfig(
 		const plugins = [
 			tsconfigPaths(),
 			rawMarkdownPlugin(),
+			devBasePathPlugin(),
 			react(),
 			createHtmlPlugin({
 				inject: {
@@ -124,6 +137,7 @@ export default defineConfig(
 				'process.env.TUNNEL_DOMAIN': JSON.stringify(env.VITE_TUNNEL_DOMAIN),
 				'process.env.DOCS_BASE_URL': JSON.stringify(env.VITE_DOCS_BASE_URL),
 			},
+			base: './',
 			build: {
 				sourcemap: true,
 				outDir: 'build',

pkg/apiserver/signozapiserver/user.go

@@ -213,8 +213,8 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/getResetPasswordToken/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetResetPasswordTokenDeprecated), handler.OpenAPIDef{
-		ID:                  "GetResetPasswordTokenDeprecated",
+	if err := router.Handle("/api/v1/getResetPasswordToken/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetResetPasswordToken), handler.OpenAPIDef{
+		ID:                  "GetResetPasswordToken",
 		Tags:                []string{"users"},
 		Summary:             "Get reset password token",
 		Description:         "This endpoint returns the reset password token by id",
@@ -224,46 +224,12 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
-		Deprecated:          true,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v2/users/{id}/reset_password_tokens", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetResetPasswordToken), handler.OpenAPIDef{
-		ID:                  "GetResetPasswordToken",
-		Tags:                []string{"users"},
-		Summary:             "Get reset password token for a user",
-		Description:         "This endpoint returns the existing reset password token for a user.",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(types.ResetPasswordToken),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v2/users/{id}/reset_password_tokens", handler.New(provider.authZ.AdminAccess(provider.userHandler.CreateResetPasswordToken), handler.OpenAPIDef{
-		ID:                  "CreateResetPasswordToken",
-		Tags:                []string{"users"},
-		Summary:             "Create or regenerate reset password token for a user",
-		Description:         "This endpoint creates or regenerates a reset password token for a user. If a valid token exists, it is returned. If expired, a new one is created.",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(types.ResetPasswordToken),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
 	if err := router.Handle("/api/v1/resetPassword", handler.New(provider.authZ.OpenAccess(provider.userHandler.ResetPassword), handler.OpenAPIDef{
 		ID:                  "ResetPassword",
 		Tags:                []string{"users"},
@@ -281,11 +247,11 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v2/users/me/factor_password", handler.New(provider.authZ.OpenAccess(provider.userHandler.ChangePassword), handler.OpenAPIDef{
-		ID:                  "UpdateMyPassword",
+	if err := router.Handle("/api/v1/changePassword/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.ChangePassword), handler.OpenAPIDef{
+		ID:                  "ChangePassword",
 		Tags:                []string{"users"},
-		Summary:             "Updates my password",
-		Description:         "This endpoint updates the password of the user I belong to",
+		Summary:             "Change password",
+		Description:         "This endpoint changes the password by id",
 		Request:             new(types.ChangePasswordRequest),
 		RequestContentType:  "application/json",
 		Response:            nil,
@@ -294,7 +260,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPut).GetError(); err != nil {
+	})).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 

pkg/global/config.go

@@ -2,6 +2,8 @@ package global
 
 import (
 	"net/url"
+	"path"
+	"strings"
 
 	"github.com/SigNoz/signoz/pkg/errors"
 
@@ -37,5 +39,34 @@ func newConfig() factory.Config {
 }
 
 func (c Config) Validate() error {
+	if c.ExternalURL != nil {
+		if c.ExternalURL.Path != "" && c.ExternalURL.Path != "/" {
+			if !strings.HasPrefix(c.ExternalURL.Path, "/") {
+				return errors.NewInvalidInputf(ErrCodeInvalidGlobalConfig, "global::external_url path must start with '/', got %q", c.ExternalURL.Path)
+			}
+		}
+	}
+
 	return nil
 }
+
+func (c Config) ExternalPath() string {
+	if c.ExternalURL == nil || c.ExternalURL.Path == "" || c.ExternalURL.Path == "/" {
+		return ""
+	}
+
+	p := path.Clean("/" + c.ExternalURL.Path)
+	if p == "/" {
+		return ""
+	}
+
+	return p
+}
+
+func (c Config) ExternalPathTrailing() string {
+	if p := c.ExternalPath(); p != "" {
+		return p + "/"
+	}
+
+	return "/"
+}

pkg/global/config_test.go

@@ -0,0 +1,139 @@
+package global
+
+import (
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestExternalPath(t *testing.T) {
+	testCases := []struct {
+		name     string
+		config   Config
+		expected string
+	}{
+		{
+			name:     "NilURL",
+			config:   Config{ExternalURL: nil},
+			expected: "",
+		},
+		{
+			name:     "EmptyPath",
+			config:   Config{ExternalURL: &url.URL{Scheme: "https", Host: "example.com", Path: ""}},
+			expected: "",
+		},
+		{
+			name:     "RootPath",
+			config:   Config{ExternalURL: &url.URL{Scheme: "https", Host: "example.com", Path: "/"}},
+			expected: "",
+		},
+		{
+			name:     "SingleSegment",
+			config:   Config{ExternalURL: &url.URL{Scheme: "https", Host: "example.com", Path: "/signoz"}},
+			expected: "/signoz",
+		},
+		{
+			name:     "TrailingSlash",
+			config:   Config{ExternalURL: &url.URL{Scheme: "https", Host: "example.com", Path: "/signoz/"}},
+			expected: "/signoz",
+		},
+		{
+			name:     "MultiSegment",
+			config:   Config{ExternalURL: &url.URL{Scheme: "https", Host: "example.com", Path: "/a/b/c"}},
+			expected: "/a/b/c",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.expected, tc.config.ExternalPath())
+		})
+	}
+}
+
+func TestExternalPathTrailing(t *testing.T) {
+	testCases := []struct {
+		name     string
+		config   Config
+		expected string
+	}{
+		{
+			name:     "NilURL",
+			config:   Config{ExternalURL: nil},
+			expected: "/",
+		},
+		{
+			name:     "EmptyPath",
+			config:   Config{ExternalURL: &url.URL{Path: ""}},
+			expected: "/",
+		},
+		{
+			name:     "RootPath",
+			config:   Config{ExternalURL: &url.URL{Path: "/"}},
+			expected: "/",
+		},
+		{
+			name:     "SingleSegment",
+			config:   Config{ExternalURL: &url.URL{Path: "/signoz"}},
+			expected: "/signoz/",
+		},
+		{
+			name:     "MultiSegment",
+			config:   Config{ExternalURL: &url.URL{Path: "/a/b/c"}},
+			expected: "/a/b/c/",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.expected, tc.config.ExternalPathTrailing())
+		})
+	}
+}
+
+func TestValidate(t *testing.T) {
+	testCases := []struct {
+		name   string
+		config Config
+		fail   bool
+	}{
+		{
+			name:   "NilURL",
+			config: Config{ExternalURL: nil},
+			fail:   false,
+		},
+		{
+			name:   "EmptyPath",
+			config: Config{ExternalURL: &url.URL{Path: ""}},
+			fail:   false,
+		},
+		{
+			name:   "RootPath",
+			config: Config{ExternalURL: &url.URL{Path: "/"}},
+			fail:   false,
+		},
+		{
+			name:   "ValidPath",
+			config: Config{ExternalURL: &url.URL{Path: "/signoz"}},
+			fail:   false,
+		},
+		{
+			name:   "NoLeadingSlash",
+			config: Config{ExternalURL: &url.URL{Path: "signoz"}},
+			fail:   true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.config.Validate()
+			if tc.fail {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.NoError(t, err)
+		})
+	}
+}

pkg/modules/user/impluser/getter.go

@@ -218,10 +218,6 @@ func (module *getter) GetRolesByUserID(ctx context.Context, userID valuer.UUID)
 	return userRoles, nil
 }
 
-func (module *getter) GetResetPasswordTokenByOrgIDAndUserID(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) (*types.ResetPasswordToken, error) {
-	return module.store.GetResetPasswordTokenByOrgIDAndUserID(ctx, orgID, userID)
-}
-
 func (module *getter) GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error) {
 	return module.store.GetUsersByOrgIDAndRoleID(ctx, orgID, roleID)
 }

pkg/modules/user/impluser/handler.go

@@ -25,7 +25,7 @@ func NewHandler(setter root.Setter, getter root.Getter) root.Handler {
 	return &handler{setter: setter, getter: getter}
 }
 
-func (handler *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
+func (h *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -41,7 +41,7 @@ func (handler *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	invites, err := handler.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.IdentityID()), valuer.MustNewEmail(claims.Email), &types.PostableBulkInviteRequest{
+	invites, err := h.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.IdentityID()), valuer.MustNewEmail(claims.Email), &types.PostableBulkInviteRequest{
 		Invites: []types.PostableInvite{req},
 	})
 	if err != nil {
@@ -52,7 +52,7 @@ func (handler *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusCreated, invites[0])
 }
 
-func (handler *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request) {
+func (h *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -74,7 +74,7 @@ func (handler *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request
 		return
 	}
 
-	_, err = handler.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.IdentityID()), valuer.MustNewEmail(claims.Email), &req)
+	_, err = h.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.IdentityID()), valuer.MustNewEmail(claims.Email), &req)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -83,7 +83,7 @@ func (handler *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request
 	render.Success(rw, http.StatusCreated, nil)
 }
 
-func (handler *handler) GetUserDeprecated(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -95,7 +95,7 @@ func (handler *handler) GetUserDeprecated(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	user, err := handler.getter.GetDeprecatedUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	user, err := h.getter.GetDeprecatedUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -104,7 +104,7 @@ func (handler *handler) GetUserDeprecated(w http.ResponseWriter, r *http.Request
 	render.Success(w, http.StatusOK, user)
 }
 
-func (handler *handler) GetUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -116,13 +116,13 @@ func (handler *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, err := handler.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
 	if err != nil {
 		render.Error(w, err)
 		return
 	}
 
-	userRoles, err := handler.getter.GetRolesByUserID(ctx, user.ID)
+	userRoles, err := h.getter.GetRolesByUserID(ctx, user.ID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -136,7 +136,7 @@ func (handler *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, userWithRoles)
 }
 
-func (handler *handler) GetMyUserDeprecated(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetMyUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -146,7 +146,7 @@ func (handler *handler) GetMyUserDeprecated(w http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	user, err := handler.getter.GetDeprecatedUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	user, err := h.getter.GetDeprecatedUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -155,7 +155,7 @@ func (handler *handler) GetMyUserDeprecated(w http.ResponseWriter, r *http.Reque
 	render.Success(w, http.StatusOK, user)
 }
 
-func (handler *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -165,13 +165,13 @@ func (handler *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, err := handler.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
 	}
 
-	userRoles, err := handler.getter.GetRolesByUserID(ctx, user.ID)
+	userRoles, err := h.getter.GetRolesByUserID(ctx, user.ID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -185,7 +185,7 @@ func (handler *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, userWithRoles)
 }
 
-func (handler *handler) UpdateMyUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) UpdateMyUser(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -201,7 +201,7 @@ func (handler *handler) UpdateMyUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	_, err = handler.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), updatableUser)
+	_, err = h.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), updatableUser)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -210,7 +210,7 @@ func (handler *handler) UpdateMyUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusNoContent, nil)
 }
 
-func (handler *handler) ListUsersDeprecated(w http.ResponseWriter, r *http.Request) {
+func (h *handler) ListUsersDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -220,7 +220,7 @@ func (handler *handler) ListUsersDeprecated(w http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	users, err := handler.getter.ListDeprecatedUsersByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
+	users, err := h.getter.ListDeprecatedUsersByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -229,7 +229,7 @@ func (handler *handler) ListUsersDeprecated(w http.ResponseWriter, r *http.Reque
 	render.Success(w, http.StatusOK, users)
 }
 
-func (handler *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
+func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -239,7 +239,7 @@ func (handler *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	users, err := handler.getter.ListUsersByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
+	users, err := h.getter.ListUsersByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -248,7 +248,7 @@ func (handler *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, users)
 }
 
-func (handler *handler) UpdateUserDeprecated(w http.ResponseWriter, r *http.Request) {
+func (h *handler) UpdateUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -266,7 +266,7 @@ func (handler *handler) UpdateUserDeprecated(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
-	updatedUser, err := handler.setter.UpdateUserDeprecated(ctx, valuer.MustNewUUID(claims.OrgID), id, &user)
+	updatedUser, err := h.setter.UpdateUserDeprecated(ctx, valuer.MustNewUUID(claims.OrgID), id, &user)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -275,7 +275,7 @@ func (handler *handler) UpdateUserDeprecated(w http.ResponseWriter, r *http.Requ
 	render.Success(w, http.StatusOK, updatedUser)
 }
 
-func (handler *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -298,7 +298,7 @@ func (handler *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	_, err = handler.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID), updatableUser)
+	_, err = h.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID), updatableUser)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -307,7 +307,7 @@ func (handler *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusNoContent, nil)
 }
 
-func (handler *handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -319,7 +319,7 @@ func (handler *handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := handler.setter.DeleteUser(ctx, valuer.MustNewUUID(claims.OrgID), id, claims.IdentityID()); err != nil {
+	if err := h.setter.DeleteUser(ctx, valuer.MustNewUUID(claims.OrgID), id, claims.IdentityID()); err != nil {
 		render.Error(w, err)
 		return
 	}
@@ -327,7 +327,7 @@ func (handler *handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusNoContent, nil)
 }
 
-func (handler *handler) GetResetPasswordTokenDeprecated(w http.ResponseWriter, r *http.Request) {
+func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -354,62 +354,6 @@ func (handler *handler) GetResetPasswordTokenDeprecated(w http.ResponseWriter, r
 	render.Success(w, http.StatusOK, token)
 }
 
-func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	userID, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	token, err := handler.getter.GetResetPasswordTokenByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), userID)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	render.Success(w, http.StatusOK, token)
-}
-
-func (handler *handler) CreateResetPasswordToken(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	userID, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	user, err := handler.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), userID)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	token, err := handler.setter.GetOrCreateResetPasswordToken(ctx, user.ID)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	render.Success(w, http.StatusCreated, token)
-}
-
 func (handler *handler) ResetPassword(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -433,19 +377,13 @@ func (handler *handler) ChangePassword(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
 	var req types.ChangePasswordRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		render.Error(w, err)
 		return
 	}
 
-	err = handler.setter.UpdatePassword(ctx, valuer.MustNewUUID(claims.UserID), req.OldPassword, req.NewPassword)
+	err := handler.setter.UpdatePassword(ctx, req.UserID, req.OldPassword, req.NewPassword)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -454,7 +392,7 @@ func (handler *handler) ChangePassword(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusNoContent, nil)
 }
 
-func (handler *handler) ForgotPassword(w http.ResponseWriter, r *http.Request) {
+func (h *handler) ForgotPassword(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -464,7 +402,7 @@ func (handler *handler) ForgotPassword(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err := handler.setter.ForgotPassword(ctx, req.OrgID, req.Email, req.FrontendBaseURL)
+	err := h.setter.ForgotPassword(ctx, req.OrgID, req.Email, req.FrontendBaseURL)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -473,7 +411,7 @@ func (handler *handler) ForgotPassword(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusNoContent, nil)
 }
 
-func (handler *handler) GetRolesByUserID(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetRolesByUserID(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -485,13 +423,13 @@ func (handler *handler) GetRolesByUserID(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	user, err := handler.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
 	if err != nil {
 		render.Error(w, err)
 		return
 	}
 
-	userRoles, err := handler.getter.GetRolesByUserID(ctx, user.ID)
+	userRoles, err := h.getter.GetRolesByUserID(ctx, user.ID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -505,7 +443,7 @@ func (handler *handler) GetRolesByUserID(w http.ResponseWriter, r *http.Request)
 	render.Success(w, http.StatusOK, roles)
 }
 
-func (handler *handler) SetRoleByUserID(w http.ResponseWriter, r *http.Request) {
+func (h *handler) SetRoleByUserID(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -533,7 +471,7 @@ func (handler *handler) SetRoleByUserID(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	if err := handler.setter.AddUserRole(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID), postableRole.Name); err != nil {
+	if err := h.setter.AddUserRole(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID), postableRole.Name); err != nil {
 		render.Error(w, err)
 		return
 	}
@@ -541,7 +479,7 @@ func (handler *handler) SetRoleByUserID(w http.ResponseWriter, r *http.Request)
 	render.Success(w, http.StatusOK, nil)
 }
 
-func (handler *handler) RemoveUserRoleByRoleID(w http.ResponseWriter, r *http.Request) {
+func (h *handler) RemoveUserRoleByRoleID(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -559,7 +497,7 @@ func (handler *handler) RemoveUserRoleByRoleID(w http.ResponseWriter, r *http.Re
 		return
 	}
 
-	if err := handler.setter.RemoveUserRole(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID), valuer.MustNewUUID(roleID)); err != nil {
+	if err := h.setter.RemoveUserRole(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID), valuer.MustNewUUID(roleID)); err != nil {
 		render.Error(w, err)
 		return
 	}
@@ -567,7 +505,7 @@ func (handler *handler) RemoveUserRoleByRoleID(w http.ResponseWriter, r *http.Re
 	render.Success(w, http.StatusNoContent, nil)
 }
 
-func (handler *handler) GetUsersByRoleID(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetUsersByRoleID(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -579,7 +517,7 @@ func (handler *handler) GetUsersByRoleID(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	users, err := handler.getter.GetUsersByOrgIDAndRoleID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(roleID))
+	users, err := h.getter.GetUsersByOrgIDAndRoleID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(roleID))
 	if err != nil {
 		render.Error(w, err)
 		return

pkg/modules/user/impluser/store.go

@@ -359,26 +359,6 @@ func (store *store) GetResetPasswordTokenByPasswordID(ctx context.Context, passw
 	return resetPasswordToken, nil
 }
 
-func (store *store) GetResetPasswordTokenByOrgIDAndUserID(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) (*types.ResetPasswordToken, error) {
-	resetPasswordToken := new(types.ResetPasswordToken)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(resetPasswordToken).
-		Join("JOIN factor_password ON factor_password.id = reset_password_token.password_id").
-		Join("JOIN users ON users.id = factor_password.user_id").
-		Where("factor_password.user_id = ?", userID).
-		Where("users.org_id = ?", orgID).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrResetPasswordTokenNotFound, "reset password token for user %s does not exist", userID)
-	}
-
-	return resetPasswordToken, nil
-}
-
 func (store *store) DeleteResetPasswordTokenByPasswordID(ctx context.Context, passwordID valuer.UUID) error {
 	_, err := store.sqlstore.BunDBCtx(ctx).NewDelete().
 		Model(&types.ResetPasswordToken{}).

pkg/modules/user/user.go

@@ -80,9 +80,6 @@ type Getter interface {
 	// Get factor password by user id.
 	GetFactorPasswordByUserID(context.Context, valuer.UUID) (*types.FactorPassword, error)
 
-	// Get reset password token by org id and user id.
-	GetResetPasswordTokenByOrgIDAndUserID(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) (*types.ResetPasswordToken, error)
-
 	// Gets single Non-Deleted user by email and org id
 	GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error)
 
@@ -115,9 +112,7 @@ type Handler interface {
 	GetUsersByRoleID(http.ResponseWriter, *http.Request)
 
 	// Reset Password
-	GetResetPasswordTokenDeprecated(http.ResponseWriter, *http.Request)
 	GetResetPasswordToken(http.ResponseWriter, *http.Request)
-	CreateResetPasswordToken(http.ResponseWriter, *http.Request)
 	ResetPassword(http.ResponseWriter, *http.Request)
 	ChangePassword(http.ResponseWriter, *http.Request)
 	ForgotPassword(http.ResponseWriter, *http.Request)

pkg/query-service/app/http_handler.go

@@ -587,7 +587,6 @@ func (aH *APIHandler) RegisterRoutes(router *mux.Router, am *middleware.AuthZ) {
 	router.HandleFunc("/api/v1/query_filter/analyze", am.ViewAccess(aH.QueryParserAPI.AnalyzeQueryFilter)).Methods(http.MethodPost)
 }
 
-
 func Intersection(a, b []int) (c []int) {
 	m := make(map[int]bool)
 

pkg/query-service/app/server.go

@@ -244,6 +244,20 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,
 		return nil, err
 	}
 
+	routePrefix := s.config.Global.ExternalPath()
+	if routePrefix != "" {
+		prefixed := http.StripPrefix(routePrefix, handler)
+		handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			switch req.URL.Path {
+			case "/api/v1/health", "/api/v2/healthz", "/api/v2/readyz", "/api/v2/livez":
+				r.ServeHTTP(w, req)
+				return
+			}
+
+			prefixed.ServeHTTP(w, req)
+		})
+	}
+
 	return &http.Server{
 		Handler: handler,
 	}, nil

pkg/signoz/provider.go

@@ -88,9 +88,9 @@ func NewCacheProviderFactories() factory.NamedMap[factory.ProviderFactory[cache.
 	)
 }
 
-func NewWebProviderFactories() factory.NamedMap[factory.ProviderFactory[web.Web, web.Config]] {
+func NewWebProviderFactories(globalConfig global.Config) factory.NamedMap[factory.ProviderFactory[web.Web, web.Config]] {
 	return factory.MustNewNamedMap(
-		routerweb.NewFactory(),
+		routerweb.NewFactory(globalConfig),
 		noopweb.NewFactory(),
 	)
 }

pkg/signoz/provider_test.go

@@ -8,6 +8,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/alertmanager/nfmanager/nfmanagertest"
 	"github.com/SigNoz/signoz/pkg/analytics"
 	"github.com/SigNoz/signoz/pkg/flagger"
+	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
@@ -34,7 +35,7 @@ func TestNewProviderFactories(t *testing.T) {
 	})
 
 	assert.NotPanics(t, func() {
-		NewWebProviderFactories()
+		NewWebProviderFactories(global.Config{})
 	})
 
 	assert.NotPanics(t, func() {

pkg/types/factor_password.go

@@ -31,8 +31,9 @@ type PostableResetPassword struct {
 }
 
 type ChangePasswordRequest struct {
-	OldPassword string `json:"oldPassword"`
-	NewPassword string `json:"newPassword"`
+	UserID      valuer.UUID `json:"userId"`
+	OldPassword string      `json:"oldPassword"`
+	NewPassword string      `json:"newPassword"`
 }
 
 type PostableForgotPassword struct {

pkg/types/user.go

@@ -284,7 +284,6 @@ type UserStore interface {
 	GetPasswordByUserID(ctx context.Context, userID valuer.UUID) (*FactorPassword, error)
 	GetResetPasswordToken(ctx context.Context, token string) (*ResetPasswordToken, error)
 	GetResetPasswordTokenByPasswordID(ctx context.Context, passwordID valuer.UUID) (*ResetPasswordToken, error)
-	GetResetPasswordTokenByOrgIDAndUserID(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) (*ResetPasswordToken, error)
 	DeleteResetPasswordTokenByPasswordID(ctx context.Context, passwordID valuer.UUID) error
 	UpdatePassword(ctx context.Context, password *FactorPassword) error
 

pkg/web/config.go

@@ -8,10 +8,11 @@ import (
 type Config struct {
 	// Whether the web package is enabled.
 	Enabled bool `mapstructure:"enabled"`
-	// The prefix to serve the files from
-	Prefix string `mapstructure:"prefix"`
-	// The directory containing the static build files. The root of this directory should
-	// have an index.html file.
+
+	// The name of the index file to serve.
+	Index string `mapstructure:"index"`
+
+	// The directory from which to serve the web files.
 	Directory string `mapstructure:"directory"`
 }
 
@@ -22,7 +23,7 @@ func NewConfigFactory() factory.ConfigFactory {
 func newConfig() factory.Config {
 	return &Config{
 		Enabled:   true,
-		Prefix:    "/",
+		Index:     "index.html",
 		Directory: "/etc/signoz/web",
 	}
 }

pkg/web/config_test.go

@@ -12,7 +12,6 @@ import (
 )
 
 func TestNewWithEnvProvider(t *testing.T) {
-	t.Setenv("SIGNOZ_WEB_PREFIX", "/web")
 	t.Setenv("SIGNOZ_WEB_ENABLED", "false")
 
 	conf, err := config.New(
@@ -37,7 +36,7 @@ func TestNewWithEnvProvider(t *testing.T) {
 
 	expected := &Config{
 		Enabled:   false,
-		Prefix:    "/web",
+		Index:     def.Index,
 		Directory: def.Directory,
 	}
 

pkg/web/routerweb/provider.go

@@ -8,56 +8,55 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/http/middleware"
 	"github.com/SigNoz/signoz/pkg/web"
 	"github.com/gorilla/mux"
 )
 
-const (
-	indexFileName string = "index.html"
-)
-
 type provider struct {
-	config web.Config
+	config        web.Config
+	indexContents []byte
+	fileHandler   http.Handler
 }
 
-func NewFactory() factory.ProviderFactory[web.Web, web.Config] {
-	return factory.NewProviderFactory(factory.MustNewName("router"), New)
+func NewFactory(globalConfig global.Config) factory.ProviderFactory[web.Web, web.Config] {
+	return factory.NewProviderFactory(factory.MustNewName("router"), func(ctx context.Context, settings factory.ProviderSettings, config web.Config) (web.Web, error) {
+		return New(ctx, settings, config, globalConfig)
+	})
 }
 
-func New(ctx context.Context, settings factory.ProviderSettings, config web.Config) (web.Web, error) {
+func New(ctx context.Context, settings factory.ProviderSettings, config web.Config, globalConfig global.Config) (web.Web, error) {
 	fi, err := os.Stat(config.Directory)
 	if err != nil {
 		return nil, errors.WrapInvalidInputf(err, errors.CodeInvalidInput, "cannot access web directory")
 	}
 
-	ok := fi.IsDir()
-	if !ok {
+	if !fi.IsDir() {
 		return nil, errors.NewInvalidInputf(errors.CodeInvalidInput, "web directory is not a directory")
 	}
 
-	fi, err = os.Stat(filepath.Join(config.Directory, indexFileName))
+	indexPath := filepath.Join(config.Directory, config.Index)
+	raw, err := os.ReadFile(indexPath)
 	if err != nil {
-		return nil, errors.WrapInvalidInputf(err, errors.CodeInvalidInput, "cannot access %q in web directory", indexFileName)
+		return nil, errors.WrapInvalidInputf(err, errors.CodeInvalidInput, "cannot read %q in web directory", config.Index)
 	}
 
-	if os.IsNotExist(err) || fi.IsDir() {
-		return nil, errors.NewInvalidInputf(errors.CodeInvalidInput, "%q does not exist", indexFileName)
-	}
+	logger := factory.NewScopedProviderSettings(settings, "github.com/SigNoz/signoz/pkg/web/routerweb").Logger()
+	indexContents := web.NewIndex(ctx, logger, config.Index, raw, web.TemplateData{BaseHref: globalConfig.ExternalPathTrailing()})
 
 	return &provider{
-		config: config,
+		config:        config,
+		indexContents: indexContents,
+		fileHandler:   http.FileServer(http.Dir(config.Directory)),
 	}, nil
 }
 
 func (provider *provider) AddToRouter(router *mux.Router) error {
 	cache := middleware.NewCache(0)
-	err := router.PathPrefix(provider.config.Prefix).
+	err := router.PathPrefix("/").
 		Handler(
-			http.StripPrefix(
-				provider.config.Prefix,
-				cache.Wrap(http.HandlerFunc(provider.ServeHTTP)),
-			),
+			cache.Wrap(http.HandlerFunc(provider.ServeHTTP)),
 		).GetError()
 	if err != nil {
 		return errors.WrapInternalf(err, errors.CodeInternal, "unable to add web to router")
@@ -75,7 +74,7 @@ func (provider *provider) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	if err != nil {
 		// if the file doesn't exist, serve index.html
 		if os.IsNotExist(err) {
-			http.ServeFile(rw, req, filepath.Join(provider.config.Directory, indexFileName))
+			provider.serveIndex(rw)
 			return
 		}
 
@@ -87,10 +86,15 @@ func (provider *provider) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	if fi.IsDir() {
 		// path is a directory, serve index.html
-		http.ServeFile(rw, req, filepath.Join(provider.config.Directory, indexFileName))
+		provider.serveIndex(rw)
 		return
 	}
 
 	// otherwise, use http.FileServer to serve the static file
-	http.FileServer(http.Dir(provider.config.Directory)).ServeHTTP(rw, req)
+	provider.fileHandler.ServeHTTP(rw, req)
+}
+
+func (provider *provider) serveIndex(rw http.ResponseWriter) {
+	rw.Header().Set("Content-Type", "text/html; charset=utf-8")
+	_, _ = rw.Write(provider.indexContents)
 }

pkg/web/routerweb/provider_test.go

@@ -5,45 +5,113 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/SigNoz/signoz/pkg/factory/factorytest"
+	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/web"
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-func TestServeHttpWithoutPrefix(t *testing.T) {
-	t.Parallel()
-	fi, err := os.Open(filepath.Join("testdata", indexFileName))
-	require.NoError(t, err)
+func startServer(t *testing.T, config web.Config, globalConfig global.Config) string {
+	t.Helper()
 
-	expected, err := io.ReadAll(fi)
-	require.NoError(t, err)
-
-	web, err := New(context.Background(), factorytest.NewSettings(), web.Config{Prefix: "/", Directory: filepath.Join("testdata")})
+	web, err := New(context.Background(), factorytest.NewSettings(), config, globalConfig)
 	require.NoError(t, err)
 
 	router := mux.NewRouter()
-	err = web.AddToRouter(router)
-	require.NoError(t, err)
+	require.NoError(t, web.AddToRouter(router))
 
 	listener, err := net.Listen("tcp", "localhost:0")
 	require.NoError(t, err)
 
-	server := &http.Server{
-		Handler: router,
+	server := &http.Server{Handler: router}
+	go func() { _ = server.Serve(listener) }()
+	t.Cleanup(func() { _ = server.Close() })
+
+	return "http://" + listener.Addr().String()
+}
+
+func httpGet(t *testing.T, url string) string {
+	t.Helper()
+
+	res, err := http.DefaultClient.Get(url)
+	require.NoError(t, err)
+	defer func() { _ = res.Body.Close() }()
+
+	body, err := io.ReadAll(res.Body)
+	require.NoError(t, err)
+
+	return string(body)
+}
+
+func TestServeTemplatedIndex(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name         string
+		path         string
+		globalConfig global.Config
+		expected     string
+	}{
+		{
+			name:         "RootBaseHrefAtRoot",
+			path:         "/",
+			globalConfig: global.Config{},
+			expected:     `<html><head><base href="/" /></head><body>Welcome to test data!!!</body></html>`,
+		},
+		{
+			name:         "RootBaseHrefAtNonExistentPath",
+			path:         "/does-not-exist",
+			globalConfig: global.Config{},
+			expected:     `<html><head><base href="/" /></head><body>Welcome to test data!!!</body></html>`,
+		},
+		{
+			name:         "RootBaseHrefAtDirectory",
+			path:         "/assets",
+			globalConfig: global.Config{},
+			expected:     `<html><head><base href="/" /></head><body>Welcome to test data!!!</body></html>`,
+		},
+		{
+			name:         "SubPathBaseHrefAtRoot",
+			path:         "/",
+			globalConfig: global.Config{ExternalURL: &url.URL{Scheme: "https", Host: "example.com", Path: "/signoz"}},
+			expected:     `<html><head><base href="/signoz/" /></head><body>Welcome to test data!!!</body></html>`,
+		},
+		{
+			name:         "SubPathBaseHrefAtNonExistentPath",
+			path:         "/does-not-exist",
+			globalConfig: global.Config{ExternalURL: &url.URL{Scheme: "https", Host: "example.com", Path: "/signoz"}},
+			expected:     `<html><head><base href="/signoz/" /></head><body>Welcome to test data!!!</body></html>`,
+		},
+		{
+			name:         "SubPathBaseHrefAtDirectory",
+			path:         "/assets",
+			globalConfig: global.Config{ExternalURL: &url.URL{Scheme: "https", Host: "example.com", Path: "/signoz"}},
+			expected:     `<html><head><base href="/signoz/" /></head><body>Welcome to test data!!!</body></html>`,
+		},
 	}
 
-	go func() {
-		_ = server.Serve(listener)
-	}()
-	defer func() {
-		_ = server.Close()
-	}()
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			base := startServer(t, web.Config{Index: "valid_template.html", Directory: "testdata"}, testCase.globalConfig)
+
+			assert.Equal(t, testCase.expected, strings.TrimSuffix(httpGet(t, base+testCase.path), "\n"))
+		})
+	}
+}
+
+func TestServeNoTemplateIndex(t *testing.T) {
+	t.Parallel()
+
+	expected, err := os.ReadFile(filepath.Join("testdata", "no_template.html"))
+	require.NoError(t, err)
 
 	testCases := []struct {
 		name string
@@ -54,11 +122,7 @@ func TestServeHttpWithoutPrefix(t *testing.T) {
 			path: "/",
 		},
 		{
-			name: "Index",
-			path: "/" + indexFileName,
-		},
-		{
-			name: "DoesNotExist",
+			name: "NonExistentPath",
 			path: "/does-not-exist",
 		},
 		{
@@ -67,104 +131,55 @@ func TestServeHttpWithoutPrefix(t *testing.T) {
 		},
 	}
 
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			res, err := http.DefaultClient.Get("http://" + listener.Addr().String() + tc.path)
-			require.NoError(t, err)
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			base := startServer(t, web.Config{Index: "no_template.html", Directory: "testdata"}, global.Config{})
 
-			defer func() {
-				_ = res.Body.Close()
-			}()
-
-			actual, err := io.ReadAll(res.Body)
-			require.NoError(t, err)
-
-			assert.Equal(t, expected, actual)
+			assert.Equal(t, string(expected), httpGet(t, base+testCase.path))
 		})
 	}
-
 }
 
-func TestServeHttpWithPrefix(t *testing.T) {
+func TestServeInvalidTemplateIndex(t *testing.T) {
 	t.Parallel()
-	fi, err := os.Open(filepath.Join("testdata", indexFileName))
+
+	expected, err := os.ReadFile(filepath.Join("testdata", "invalid_template.html"))
 	require.NoError(t, err)
 
-	expected, err := io.ReadAll(fi)
-	require.NoError(t, err)
-
-	web, err := New(context.Background(), factorytest.NewSettings(), web.Config{Prefix: "/web", Directory: filepath.Join("testdata")})
-	require.NoError(t, err)
-
-	router := mux.NewRouter()
-	err = web.AddToRouter(router)
-	require.NoError(t, err)
-
-	listener, err := net.Listen("tcp", "localhost:0")
-	require.NoError(t, err)
-
-	server := &http.Server{
-		Handler: router,
-	}
-
-	go func() {
-		_ = server.Serve(listener)
-	}()
-	defer func() {
-		_ = server.Close()
-	}()
-
 	testCases := []struct {
-		name  string
-		path  string
-		found bool
+		name string
+		path string
 	}{
 		{
-			name:  "Root",
-			path:  "/web",
-			found: true,
+			name: "Root",
+			path: "/",
 		},
 		{
-			name:  "Index",
-			path:  "/web/" + indexFileName,
-			found: true,
+			name: "NonExistentPath",
+			path: "/does-not-exist",
 		},
 		{
-			name:  "FileDoesNotExist",
-			path:  "/web/does-not-exist",
-			found: true,
-		},
-		{
-			name:  "Directory",
-			path:  "/web/assets",
-			found: true,
-		},
-		{
-			name:  "DoesNotExist",
-			path:  "/does-not-exist",
-			found: false,
+			name: "Directory",
+			path: "/assets",
 		},
 	}
 
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			res, err := http.DefaultClient.Get("http://" + listener.Addr().String() + tc.path)
-			require.NoError(t, err)
-
-			defer func() {
-				_ = res.Body.Close()
-			}()
-
-			if tc.found {
-				actual, err := io.ReadAll(res.Body)
-				require.NoError(t, err)
-
-				assert.Equal(t, expected, actual)
-			} else {
-				assert.Equal(t, http.StatusNotFound, res.StatusCode)
-			}
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			base := startServer(t, web.Config{Index: "invalid_template.html", Directory: "testdata"}, global.Config{ExternalURL: &url.URL{Path: "/signoz"}})
 
+			assert.Equal(t, string(expected), httpGet(t, base+testCase.path))
 		})
 	}
-
+}
+
+func TestServeStaticFilesUnchanged(t *testing.T) {
+	t.Parallel()
+
+	expected, err := os.ReadFile(filepath.Join("testdata", "assets", "style.css"))
+	require.NoError(t, err)
+
+	base := startServer(t, web.Config{Index: "valid_template.html", Directory: "testdata"}, global.Config{ExternalURL: &url.URL{Path: "/signoz"}})
+
+	assert.Equal(t, string(expected), httpGet(t, base+"/assets/style.css"))
 }

pkg/web/routerweb/testdata/assets/index.css

@@ -1,3 +0,0 @@
-#root {
-  background-color: red;
-}

pkg/web/routerweb/testdata/assets/style.css

@@ -0,0 +1 @@
+body { color: red; }

pkg/web/routerweb/testdata/index.html

@@ -1 +0,0 @@
-<h1>Welcome to test data!!!</h1>

pkg/web/routerweb/testdata/invalid_template.html

@@ -0,0 +1 @@
+<html><head><base href="[[." /></head><body>Bad template</body></html>

pkg/web/routerweb/testdata/no_template.html

@@ -0,0 +1 @@
+<html><head></head><body>No template here</body></html>

pkg/web/routerweb/testdata/valid_template.html

@@ -0,0 +1 @@
+<html><head><base href="[[.BaseHref]]" /></head><body>Welcome to test data!!!</body></html>

pkg/web/template.go

@@ -0,0 +1,42 @@
+package web
+
+import (
+	"bytes"
+	"context"
+	"log/slog"
+	"text/template"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+)
+
+// Field names map to the HTML attributes they populate in the template:
+//   - BaseHref  → <base href="[[.BaseHref]]" />
+type TemplateData struct {
+	BaseHref string
+}
+
+// If the template cannot be parsed or executed, the raw bytes are
+// returned unchanged and the error is logged.
+func NewIndex(ctx context.Context, logger *slog.Logger, name string, raw []byte, data TemplateData) []byte {
+	result, err := NewIndexE(name, raw, data)
+	if err != nil {
+		logger.ErrorContext(ctx, "cannot render index template, serving raw file", slog.String("name", name), errors.Attr(err))
+		return raw
+	}
+
+	return result
+}
+
+func NewIndexE(name string, raw []byte, data TemplateData) ([]byte, error) {
+	tmpl, err := template.New(name).Delims("[[", "]]").Parse(string(raw))
+	if err != nil {
+		return nil, errors.WrapInvalidInputf(err, errors.CodeInvalidInput, "cannot parse %q as template", name)
+	}
+
+	var buf bytes.Buffer
+	if err := tmpl.Execute(&buf, data); err != nil {
+		return nil, errors.WrapInvalidInputf(err, errors.CodeInvalidInput, "cannot execute template for %q", name)
+	}
+
+	return buf.Bytes(), nil
+}

tests/integration/src/passwordauthn/03_password.py

@@ -39,14 +39,20 @@ def test_change_password(
     )
     assert response.status_code == HTTPStatus.NO_CONTENT
 
+    # Get the user id via v2
+    found_user = find_user_by_email(signoz, admin_token, PASSWORD_USER_EMAIL)
+
     # Try logging in with the password
     token = get_token(PASSWORD_USER_EMAIL, PASSWORD_USER_PASSWORD)
     assert token is not None
 
     # Try changing the password with a bad old password which should fail
-    response = requests.put(
-        signoz.self.host_configs["8080"].get("/api/v2/users/me/factor_password"),
+    response = requests.post(
+        signoz.self.host_configs["8080"].get(
+            f"/api/v1/changePassword/{found_user['id']}"
+        ),
         json={
+            "userId": f"{found_user['id']}",
             "oldPassword": "password",
             "newPassword": PASSWORD_USER_PASSWORD,
         },
@@ -57,9 +63,12 @@ def test_change_password(
     assert response.status_code == HTTPStatus.BAD_REQUEST
 
     # Try changing the password with a good old password
-    response = requests.put(
-        signoz.self.host_configs["8080"].get("/api/v2/users/me/factor_password"),
+    response = requests.post(
+        signoz.self.host_configs["8080"].get(
+            f"/api/v1/changePassword/{found_user['id']}"
+        ),
         json={
+            "userId": f"{found_user['id']}",
             "oldPassword": PASSWORD_USER_PASSWORD,
             "newPassword": "password123Znew$",
         },
@@ -82,42 +91,17 @@ def test_reset_password(
     # Get the user id via v2
     found_user = find_user_by_email(signoz, admin_token, PASSWORD_USER_EMAIL)
 
-    # Create a reset password token via v2 PUT
-    response = requests.put(
-        signoz.self.host_configs["8080"].get(
-            f"/api/v2/users/{found_user['id']}/reset_password_tokens"
-        ),
-        headers={"Authorization": f"Bearer {admin_token}"},
-        timeout=2,
-    )
-
-    assert response.status_code == HTTPStatus.CREATED, response.text
-    token_data = response.json()["data"]
-    assert "token" in token_data
-    assert "expiresAt" in token_data
-    token = token_data["token"]
-
-    # Calling PUT again should return the same token (still valid)
-    response = requests.put(
-        signoz.self.host_configs["8080"].get(
-            f"/api/v2/users/{found_user['id']}/reset_password_tokens"
-        ),
-        headers={"Authorization": f"Bearer {admin_token}"},
-        timeout=2,
-    )
-    assert response.status_code == HTTPStatus.CREATED, response.text
-    assert response.json()["data"]["token"] == token
-
-    # GET should also return the same token
     response = requests.get(
         signoz.self.host_configs["8080"].get(
-            f"/api/v2/users/{found_user['id']}/reset_password_tokens"
+            f"/api/v1/getResetPasswordToken/{found_user['id']}"
         ),
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=2,
     )
-    assert response.status_code == HTTPStatus.OK, response.text
-    assert response.json()["data"]["token"] == token
+
+    assert response.status_code == HTTPStatus.OK
+
+    token = response.json()["data"]["token"]
 
     # Reset the password with a bad password which should fail
     response = requests.post(
@@ -156,29 +140,18 @@ def test_reset_password_with_no_password(
         )
         assert result.rowcount == 1
 
-    # GET should return 404 since there's no password (and thus no token)
+    # Generate a new reset password token
     response = requests.get(
         signoz.self.host_configs["8080"].get(
-            f"/api/v2/users/{found_user['id']}/reset_password_tokens"
-        ),
-        headers={"Authorization": f"Bearer {admin_token}"},
-        timeout=2,
-    )
-    assert response.status_code == HTTPStatus.NOT_FOUND, response.text
-
-    # Generate a new reset password token via v2 PUT
-    response = requests.put(
-        signoz.self.host_configs["8080"].get(
-            f"/api/v2/users/{found_user['id']}/reset_password_tokens"
+            f"/api/v1/getResetPasswordToken/{found_user['id']}"
         ),
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=2,
     )
 
-    assert response.status_code == HTTPStatus.CREATED, response.text
-    token_data = response.json()["data"]
-    assert "expiresAt" in token_data
-    token = token_data["token"]
+    assert response.status_code == HTTPStatus.OK
+
+    token = response.json()["data"]["token"]
 
     # Reset the password with a good password
     response = requests.post(
@@ -289,22 +262,32 @@ def test_forgot_password_creates_reset_token(
     )
     assert response.status_code == HTTPStatus.NO_CONTENT
 
-    # Verify reset password token was created via the v2 GET endpoint
+    # Verify reset password token was created by querying the database
     found_user = find_user_by_email(signoz, admin_token, forgot_email)
 
-    response = requests.get(
-        signoz.self.host_configs["8080"].get(
-            f"/api/v2/users/{found_user['id']}/reset_password_tokens"
-        ),
-        headers={"Authorization": f"Bearer {admin_token}"},
-        timeout=2,
-    )
-    assert response.status_code == HTTPStatus.OK, response.text
-    token_data = response.json()["data"]
-    reset_token = token_data["token"]
+    reset_token = None
+    # Query the database directly to get the reset password token
+    # First get the password_id from factor_password, then get the token
+    with signoz.sqlstore.conn.connect() as conn:
+        result = conn.execute(
+            sql.text(
+                """
+                SELECT rpt.token
+                FROM reset_password_token rpt
+                JOIN factor_password fp ON rpt.password_id = fp.id
+                WHERE fp.user_id = :user_id
+            """
+            ),
+            {"user_id": found_user["id"]},
+        )
+        row = result.fetchone()
+        assert (
+            row is not None
+        ), "Reset password token should exist after calling forgotPassword"
+        reset_token = row[0]
+
     assert reset_token is not None
     assert reset_token != ""
-    assert "expiresAt" in token_data
 
     # Reset password with a valid strong password
     response = requests.post(