feat(auth): validate reset password token on page load before showing form

frontend/src/container/ResetPassword/ResetPassword.styles.scss

@@ -21,6 +21,10 @@
 			justify-content: center;
 			margin-bottom: 8px;
 			color: var(--semantic-primary-foreground);
+
+			&--error {
+				color: var(--destructive);
+			}
 		}
 
 		.reset-password-header-title {

frontend/src/container/ResetPassword/TokenError.tsx

@@ -0,0 +1,35 @@
+import { CircleAlert } from '@signozhq/icons';
+import { Typography } from '@signozhq/ui/typography';
+import AuthError from 'components/AuthError/AuthError';
+import AuthPageContainer from 'components/AuthPageContainer';
+import APIError from 'types/api/error';
+
+import './ResetPassword.styles.scss';
+
+interface TokenErrorProps {
+	error?: APIError;
+}
+
+function TokenError({ error }: TokenErrorProps): JSX.Element {
+	return (
+		<AuthPageContainer>
+			<div className="reset-password-card">
+				<div className="reset-password-header">
+					<div className="reset-password-header-icon reset-password-header-icon--error">
+						<CircleAlert size={32} />
+					</div>
+					<Typography.Title level={4} className="reset-password-header-title">
+						Reset Password token is expired
+					</Typography.Title>
+					<Typography.Text className="reset-password-header-subtitle">
+						Password reset links are single-use and expire after a set period. Please
+						request a new password reset link.
+					</Typography.Text>
+				</div>
+				{error && <AuthError error={error} />}
+			</div>
+		</AuthPageContainer>
+	);
+}
+
+export default TokenError;

frontend/src/container/ResetPassword/__tests__/ResetPassword.test.tsx

@@ -1,4 +1,3 @@
-import { Logout } from 'api/utils';
 import ROUTES from 'constants/routes';
 import history from 'lib/history';
 import { rest, server } from 'mocks-server/server';
@@ -17,10 +16,6 @@ jest.mock('lib/history', () => ({
 	},
 }));
 
-jest.mock('api/utils', () => ({
-	Logout: jest.fn(),
-}));
-
 const mockSuccessNotification = jest.fn();
 const mockErrorNotification = jest.fn();
 
@@ -70,17 +65,6 @@ describe('ResetPassword Component', () => {
 			).toBeInTheDocument();
 			expect(screen.getByText(/signoz 1\.0\.0/i)).toBeInTheDocument();
 		});
-
-		it('redirects to login when token is missing', () => {
-			window.history.pushState({}, '', '/password-reset');
-
-			render(<ResetPassword version="1.0.0" />, undefined, {
-				initialRoute: '/password-reset',
-			});
-
-			expect(Logout).toHaveBeenCalled();
-			expect(mockHistoryPush).toHaveBeenCalledWith(ROUTES.LOGIN);
-		});
 	});
 
 	describe('Form Validation', () => {

frontend/src/container/ResetPassword/index.tsx

@@ -1,11 +1,10 @@
-import { useEffect, useState } from 'react';
+import { useState } from 'react';
 import { useTranslation } from 'react-i18next';
 import { useLocation } from 'react-use';
 import { Button } from '@signozhq/ui/button';
 import { Callout } from '@signozhq/ui/callout';
 import { Form, Input as AntdInput } from 'antd';
 import { Typography } from '@signozhq/ui/typography';
-import { Logout } from 'api/utils';
 import resetPasswordApi from 'api/v1/factor_password/resetPassword';
 import AuthError from 'components/AuthError/AuthError';
 import AuthPageContainer from 'components/AuthPageContainer';
@@ -38,13 +37,6 @@ function ResetPassword({ version }: ResetPasswordProps): JSX.Element {
 	const { notifications } = useNotifications();
 
 	const [form] = Form.useForm<FormValues>();
-	useEffect(() => {
-		if (!token) {
-			Logout();
-			history.push(ROUTES.LOGIN);
-		}
-	}, [token]);
-
 	const handleFormSubmit: () => Promise<void> = async () => {
 		try {
 			setLoading(true);

frontend/src/pages/ResetPassword/__tests__/ResetPasswordPage.test.tsx

@@ -0,0 +1,123 @@
+import { Logout } from 'api/utils';
+import ROUTES from 'constants/routes';
+import history from 'lib/history';
+import { createErrorResponse, rest, server } from 'mocks-server/server';
+import { render, screen, waitFor } from 'tests/test-utils';
+
+import ResetPassword from '../index';
+
+jest.mock('lib/history', () => ({
+	__esModule: true,
+	default: {
+		push: jest.fn(),
+		location: { search: '' },
+	},
+}));
+
+jest.mock('api/utils', () => ({
+	Logout: jest.fn().mockResolvedValue(undefined),
+}));
+
+const VERIFY_TOKEN_ENDPOINT = '*/api/v2/reset_password_tokens/verify';
+const VERSION_ENDPOINT = '*/version';
+
+const mockHistoryPush = history.push as jest.MockedFunction<
+	typeof history.push
+>;
+
+const successVerifyResponse = {
+	data: { id: 'token-id', token: 'valid-token' },
+};
+
+const successVersionResponse = {
+	version: '0.0.1',
+	ee: 'Y',
+	setupCompleted: true,
+};
+
+describe('ResetPassword Page', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		server.use(
+			rest.get(VERSION_ENDPOINT, (_, res, ctx) =>
+				res(ctx.status(200), ctx.json(successVersionResponse)),
+			),
+		);
+	});
+
+	afterEach(() => {
+		server.resetHandlers();
+	});
+
+	describe('Token validation on page load', () => {
+		it('shows spinner then form when token is valid', async () => {
+			server.use(
+				rest.post(VERIFY_TOKEN_ENDPOINT, (_, res, ctx) =>
+					res(ctx.delay(50), ctx.status(200), ctx.json(successVerifyResponse)),
+				),
+			);
+
+			window.history.pushState({}, '', '/password-reset?token=valid-token');
+			render(<ResetPassword />, undefined, {
+				initialRoute: '/password-reset?token=valid-token',
+			});
+
+			// Loading state: spinner visible, form and error absent
+			expect(screen.getByRole('img', { name: /loading/i })).toBeInTheDocument();
+			expect(screen.queryByTestId('password')).not.toBeInTheDocument();
+			expect(
+				screen.queryByText(/reset password token is expired/i),
+			).not.toBeInTheDocument();
+
+			// After verification resolves: form is shown
+			await waitFor(() => {
+				expect(screen.getByTestId('password')).toBeInTheDocument();
+			});
+			expect(screen.getByTestId('confirmPassword')).toBeInTheDocument();
+		});
+
+		it('shows error state when token is expired or invalid', async () => {
+			server.use(
+				rest.post(
+					VERIFY_TOKEN_ENDPOINT,
+					createErrorResponse(
+						404,
+						'reset_password_token_not_found',
+						'reset password token does not exist',
+					),
+				),
+			);
+
+			window.history.pushState({}, '', '/password-reset?token=expired-token');
+			render(<ResetPassword />, undefined, {
+				initialRoute: '/password-reset?token=expired-token',
+			});
+
+			await waitFor(() => {
+				expect(
+					screen.getByText(/reset password token is expired/i),
+				).toBeInTheDocument();
+			});
+
+			expect(
+				screen.getByText(/password reset links are single-use/i),
+			).toBeInTheDocument();
+			expect(
+				screen.getByText(/reset password token does not exist/i),
+			).toBeInTheDocument();
+		});
+
+		it('redirects to login when no token is in the URL', async () => {
+			window.history.pushState({}, '', '/password-reset');
+			render(<ResetPassword />, undefined, {
+				initialRoute: '/password-reset',
+			});
+
+			await waitFor(() => {
+				expect(mockHistoryPush).toHaveBeenCalledWith(ROUTES.LOGIN);
+			});
+
+			expect(Logout).toHaveBeenCalled();
+		});
+	});
+});

frontend/src/pages/ResetPassword/index.tsx

@@ -1,8 +1,17 @@
-import { useEffect } from 'react';
+import { useEffect, useMemo } from 'react';
 import { useQuery } from 'react-query';
+import { useLocation } from 'react-use';
+import { AxiosError } from 'axios';
+import { convertToApiError } from 'api/ErrorResponseHandlerForGeneratedAPIs';
 import getUserVersion from 'api/v1/version/get';
+import { verifyResetPasswordToken } from 'api/generated/services/users';
+import { RenderErrorResponseDTO } from 'api/generated/services/sigNoz.schemas';
+import { Logout } from 'api/utils';
 import Spinner from 'components/Spinner';
 import ResetPasswordContainer from 'container/ResetPassword';
+import TokenError from 'container/ResetPassword/TokenError';
+import ROUTES from 'constants/routes';
+import history from 'lib/history';
 import { useAppContext } from 'providers/App/App';
 import { useErrorModal } from 'providers/ErrorModalProvider';
 import APIError from 'types/api/error';
@@ -10,24 +19,65 @@ import APIError from 'types/api/error';
 function ResetPassword(): JSX.Element {
 	const { user, isLoggedIn } = useAppContext();
 	const { showErrorModal } = useErrorModal();
+	const { search } = useLocation();
+	const params = new URLSearchParams(search || '');
+	const token = params.get('token') || '';
 
-	const { data, isLoading, error } = useQuery({
+	useEffect(() => {
+		if (!token) {
+			void Logout();
+			history.push(ROUTES.LOGIN);
+		}
+	}, [token]);
+
+	const {
+		data: versionData,
+		isLoading: isVersionLoading,
+		error: versionError,
+	} = useQuery({
 		queryFn: getUserVersion,
 		queryKey: ['getUserVersion', user?.accessJwt],
 		enabled: !isLoggedIn,
 	});
 
-	useEffect(() => {
-		if (error) {
-			showErrorModal(error as APIError);
-		}
-	}, [error, showErrorModal]);
+	const {
+		isLoading: isVerifying,
+		isError: isTokenError,
+		error: tokenError,
+	} = useQuery<
+		Awaited<ReturnType<typeof verifyResetPasswordToken>>,
+		AxiosError<RenderErrorResponseDTO>
+	>({
+		queryFn: () => verifyResetPasswordToken({ token }),
+		queryKey: ['verifyResetPasswordToken', token],
+		enabled: !!token,
+		retry: false,
+	});
 
-	if (isLoading) {
+	const tokenApiError = useMemo(
+		() => convertToApiError(tokenError),
+		[tokenError],
+	);
+
+	useEffect(() => {
+		if (versionError) {
+			showErrorModal(versionError as APIError);
+		}
+	}, [versionError, showErrorModal]);
+
+	if (!token) {
 		return <Spinner tip="Loading..." />;
 	}
 
-	return <ResetPasswordContainer version={data?.data.version || ''} />;
+	if (isVersionLoading || isVerifying) {
+		return <Spinner tip="Validating your reset password token..." />;
+	}
+
+	if (isTokenError) {
+		return <TokenError error={tokenApiError} />;
+	}
+
+	return <ResetPasswordContainer version={versionData?.data.version || ''} />;
 }
 
 export default ResetPassword;