CIF-1084 - Implement the password reset page

[herzog31]

Description

This PR depends on #400.

• Add new ResetPassword React component to display the reset password form.
• Add new resetpassword component to display the placeholder for the React component.
• Added unit tests.
• This feature requires setup on the Magento side, please see https://github.com/adobe/aem-core-cif-components/wiki/Configure-Reset-Password.

Please also see adobe/aem-cif-guides-venia#60.

How Has This Been Tested?

• Manually tested password reset workflow.
• Unit tests.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have signed the Adobe Open Source CLA.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes and the overall coverage did not decrease.
• All unit tests pass on CircleCi.
• I ran all tests locally and they pass.

[codecov]

Codecov Report

Merging #405 into issue/CIF-1084 will decrease coverage by 0.45%.
The diff coverage is 100.00%.

@@                 Coverage Diff                  @@
##             issue/CIF-1084     #405      +/-   ##
====================================================
- Coverage             85.86%   85.40%   -0.46%     
+ Complexity              929      919      -10     
====================================================
  Files                   186      188       +2     
  Lines                  4781     4811      +30     
  Branches                670      674       +4     
====================================================
+ Hits                   4105     4109       +4     
- Misses                  538      557      +19     
- Partials                138      145       +7     

Flag	Coverage Δ	Complexity Δ
#integration	68.19% <ø> (ø)	688.00 <ø> (ø)
#jest	81.37% <100.00%> (+0.32%)	0.00 <0.00> (ø)
#karma	94.32% <ø> (ø)	0.00 <ø> (ø)
#unittests	85.65% <ø> (-0.44%)	857.00 <ø> (-40.00)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ	Complexity Δ
...rc/components/ForgotPassword/forgotPasswordForm.js	100.00% <ø> (ø)	0.00 <0.00> (ø)
...ents/src/components/ResetPassword/ResetPassword.js	100.00% <100.00%> (ø)	0.00 <0.00> (?)
...s/src/components/ResetPassword/useResetPassword.js	100.00% <100.00%> (ø)	0.00 <0.00> (?)
react-components/src/utils/hooks.js	96.00% <100.00%> (+0.34%)	0.00 <0.00> (ø)
...ommerce/core/examples/servlets/GraphqlServlet.java	75.34% <0.00%> (-17.81%)	30.00% <0.00%> (-10.00%)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 845dfdf...ddfdaf4. Read the comment docs.

[cjelger]

I think you should revalidate the email address here, and not just rely on the client-side validation which can easily be skipped, it's green-belt security ;-)

I'm also wondering if we can also use a CSRF token to make sure that nobody can just DDoS the form or do some kind of brute-force attack against Magento's reset password feature.

[herzog31]

I think you should revalidate the email address here, and not just rely on the client-side validation which can easily be skipped, it's green-belt security ;-)

Validating the email again in JS is again client-side validation and can easily be skipped. No point in doing that twice ;)

I'm also wondering if we can also use a CSRF token to make sure that nobody can just DDoS the form or do some kind of brute-force attack against Magento's reset password feature.

Good point. Currently we don't do this at all (login for example). I think this should be investigated in a separate issue.

[cjelger]

Validating the email again in JS is again client-side validation and can easily be skipped. No point in doing that twice ;)

Good point, my brain was still in client-server mode ;-)

For CSRF I agree we could do this in a separate issue.