From 32c2ed7a30dcc91c3f946f6558f2a5dfd730c68b Mon Sep 17 00:00:00 2001
From: "Steven R. Loomis" <srl295@gmail.com>
Date: Tue, 28 May 2024 19:44:07 -0500
Subject: [PATCH 1/2] CLDR-7405 Forgotten Password flow

- remove some dead code from LoginButton
- add a new ResetPassword and CldrLogin panels
- add a new option to the KeepLoggedInManager to generate a 1-hour token for use in email

At present the flow is that if you forgot your password, you will be given an option
to send a link in the mail. For smoketest, the link shows up on the console for testing.

Currently, the link takes you to a panel where you can remain logged into the Survey Tool.
In the future we can add logic to allow changing the password from there.
---
 tools/cldr-apps/js/src/esm/cldrComponents.mjs |  2 +
 tools/cldr-apps/js/src/esm/cldrLoad.mjs       | 39 ++++++++
 tools/cldr-apps/js/src/esm/cldrStatus.mjs     | 16 ++++
 tools/cldr-apps/js/src/esm/cldrText.mjs       |  2 +
 tools/cldr-apps/js/src/esm/cldrVueMap.mjs     |  6 +-
 tools/cldr-apps/js/src/views/CldrLogin.vue    | 73 +++++++++++++++
 tools/cldr-apps/js/src/views/LoginButton.vue  | 38 ++++++--
 .../cldr-apps/js/src/views/ResetPassword.vue  | 60 ++++++++++++
 .../unicode/cldr/web/KeepLoggedInManager.java | 16 ++++
 .../org/unicode/cldr/web/UserRegistry.java    | 26 ++++++
 .../java/org/unicode/cldr/web/api/Auth.java   | 91 ++++++++++++++++++-
 .../unicode/cldr/web/api/LoginRequest.java    |  2 +
 .../unicode/cldr/web/api/LoginResponse.java   | 12 ++-
 .../unicode/cldr/web/api/ResetRequest.java    |  8 ++
 14 files changed, 373 insertions(+), 18 deletions(-)
 create mode 100644 tools/cldr-apps/js/src/views/CldrLogin.vue
 create mode 100644 tools/cldr-apps/js/src/views/ResetPassword.vue
 create mode 100644 tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/ResetRequest.java

diff --git a/tools/cldr-apps/js/src/esm/cldrComponents.mjs b/tools/cldr-apps/js/src/esm/cldrComponents.mjs
index 80dcb462ec2..8c236532436 100644
--- a/tools/cldr-apps/js/src/esm/cldrComponents.mjs
+++ b/tools/cldr-apps/js/src/esm/cldrComponents.mjs
@@ -9,6 +9,7 @@ import { App } from "vue";
 
 // local components
 import CldrError from "../views/CldrError.vue";
+import CldrUser from "../views/CldrUser.vue";
 import CldrValue from "../views/CldrValue.vue";
 import LoginButton from "../views/LoginButton.vue";
 import OverallErrors from "../views/OverallErrors.vue";
@@ -87,6 +88,7 @@ function setup(app) {
   app.component("cldr-overall-errors", OverallErrors);
   app.component("cldr-report-response", ReportResponse);
   app.component("cldr-searchbutton", SearchButton);
+  app.component("cldr-user", CldrUser);
   app.component("cldr-value", CldrValue);
 }
 
diff --git a/tools/cldr-apps/js/src/esm/cldrLoad.mjs b/tools/cldr-apps/js/src/esm/cldrLoad.mjs
index bc363df18dc..d9d14ea473e 100644
--- a/tools/cldr-apps/js/src/esm/cldrLoad.mjs
+++ b/tools/cldr-apps/js/src/esm/cldrLoad.mjs
@@ -5,6 +5,7 @@ import * as cldrAccount from "./cldrAccount.mjs";
 import * as cldrAdmin from "./cldrAdmin.mjs";
 import * as cldrAjax from "./cldrAjax.mjs";
 import * as cldrBulkClosePosts from "./cldrBulkClosePosts.mjs";
+import * as cldrClient from "./cldrClient.mjs";
 import * as cldrCoverage from "./cldrCoverage.mjs";
 import * as cldrCreateLogin from "./cldrCreateLogin.mjs";
 import * as cldrDom from "./cldrDom.mjs";
@@ -134,6 +135,8 @@ function doHashChange(event) {
 function parseHashAndUpdate(hash) {
   if (hash) {
     const pieces = hash.split("/");
+    // always set the pieces
+    cldrStatus.setCurrentPieces(pieces);
     // pieces[1] is ALWAYS assumed to be locale or empty
     if (pieces.length > 1) {
       cldrStatus.setCurrentLocale(pieces[1]); // could be null
@@ -159,6 +162,7 @@ function parseHashAndUpdate(hash) {
     cldrStatus.setCurrentId("");
     cldrStatus.setCurrentPage("");
     cldrStatus.setCurrentSection("");
+    cldrStatus.setCurrentPieces([]);
   }
   updateWindowTitle();
 
@@ -1132,6 +1136,39 @@ function linkToLocale(subLoc) {
   );
 }
 
+/**
+ * Login with emailed jwt. returns {sessionId, user}
+ * @param {String} jwt
+ */
+async function loginWithJwt(jwt) {
+  const client = await cldrClient.getClient();
+
+  const r = await client.apis.auth.login(
+    { remember: true },
+    { requestBody: { jwt } }
+  );
+  if (!r) {
+    throw Error(`Error: login() did not return a value.`);
+  }
+  const { body } = r;
+  if (!body) {
+    throw Error(`Error: body was not returned from login() API`);
+  }
+  return body;
+}
+
+/**
+ * Send a reset hash
+ * @param {String} email
+ * @param {String} session
+ */
+async function sendResetHash(email, session) {
+  const client = await cldrClient.getClient();
+
+  const r = await client.apis.auth.reset({}, { requestBody: { email } });
+  return;
+}
+
 export {
   appendLocaleLink,
   continueInitializing,
@@ -1147,10 +1184,12 @@ export {
   insertLocaleSpecialNote,
   linkToLocale,
   localeSpecialNote,
+  loginWithJwt,
   myLoad,
   parseHashAndUpdate,
   reloadV,
   replaceHash,
+  sendResetHash,
   setLoading,
   setTheLocaleMap,
   showCurrentId,
diff --git a/tools/cldr-apps/js/src/esm/cldrStatus.mjs b/tools/cldr-apps/js/src/esm/cldrStatus.mjs
index da6b0d94d29..8c453a889d3 100644
--- a/tools/cldr-apps/js/src/esm/cldrStatus.mjs
+++ b/tools/cldr-apps/js/src/esm/cldrStatus.mjs
@@ -9,6 +9,7 @@ const refs = {
   surveyUser: ref(null),
   currentId: ref(null),
   sessionId: ref(null),
+  currentPieces: ref(null),
 };
 
 /**
@@ -144,6 +145,18 @@ function setContextPath(path) {
   }
 }
 
+/** An array of additional pieces of the hashes. */
+let currentPieces = [];
+
+function setCurrentPieces(pieces) {
+  currentPieces = pieces;
+  setRef("currentPieces", pieces);
+}
+
+function getCurrentPieces() {
+  return currentPieces;
+}
+
 /**
  * A string such as '' (empty), or '821c2a2fc5c206d' (identifying an xpath),
  * or '12345' (identifying a user) or other string (identifying a forum post)
@@ -154,6 +167,7 @@ function getCurrentId() {
   return currentId;
 }
 
+/** This also calls setPieces([]) */
 function setCurrentId(id) {
   if (!id) {
     currentId = "";
@@ -472,6 +486,7 @@ export {
   getCurrentLocale,
   getCurrentLocaleName,
   getCurrentPage,
+  getCurrentPieces,
   getCurrentSection,
   getCurrentSpecial,
   getIsPhaseBeta,
@@ -498,6 +513,7 @@ export {
   setCurrentLocale,
   setCurrentLocaleName,
   setCurrentPage,
+  setCurrentPieces,
   setCurrentSection,
   setCurrentSpecial,
   setIsDisconnected,
diff --git a/tools/cldr-apps/js/src/esm/cldrText.mjs b/tools/cldr-apps/js/src/esm/cldrText.mjs
index 9e8faa7f4e3..baed7d2bedc 100644
--- a/tools/cldr-apps/js/src/esm/cldrText.mjs
+++ b/tools/cldr-apps/js/src/esm/cldrText.mjs
@@ -490,11 +490,13 @@ const strings = {
   special_list_emails: "List Email Addresses",
   special_list_users: "List Users",
   special_locales: "Locale List",
+  special_login: "Login from Email Link",
   special_lock_account: "Lock (Disable) My Account",
   special_lookup: "Look up a code or xpath",
   special_mail: "Notifications (SMOKETEST ONLY)",
   special_menu: "☰",
   special_oldvotes: "Import Old Votes",
+  special_reset: "Forgot Password",
   special_upload: "Upload (Bulk Import)",
   // The special_r_* are the names of reports, used by ReportResponse.vue and others
   special_r_compact: "Numbers",
diff --git a/tools/cldr-apps/js/src/esm/cldrVueMap.mjs b/tools/cldr-apps/js/src/esm/cldrVueMap.mjs
index 5254489a8de..172aa8f3056 100644
--- a/tools/cldr-apps/js/src/esm/cldrVueMap.mjs
+++ b/tools/cldr-apps/js/src/esm/cldrVueMap.mjs
@@ -1,12 +1,14 @@
 import AboutPanel from "../views/AboutPanel.vue";
-import AnnouncePanel from "../views/AnnouncePanel.vue";
 import AddUser from "../views/AddUser.vue";
+import AnnouncePanel from "../views/AnnouncePanel.vue";
 import AutoImport from "../views/AutoImport.vue";
+import CldrLogin from "../views/CldrLogin.vue";
 import DowngradedVotes from "../views/DowngradedVotes.vue";
 import GeneralInfo from "../views/GeneralInfo.vue";
 import LockAccount from "../views/LockAccount.vue";
 import LookUp from "../views/LookUp.vue";
 import MainMenu from "../views/MainMenu.vue";
+import ResetPassword from "../views/ResetPassword.vue";
 import TestPanel from "../views/TestPanel.vue";
 import TransferVotes from "../views/TransferVotes.vue";
 import UnknownPanel from "../views/UnknownPanel.vue";
@@ -26,8 +28,10 @@ const specialToComponentMap = {
   downgraded: DowngradedVotes,
   general: GeneralInfo,
   lock_account: LockAccount,
+  login: CldrLogin,
   lookup: LookUp,
   menu: MainMenu,
+  reset: ResetPassword,
   retry: WaitingPanel,
   retry_inplace: WaitingPanel, // Like retry, but do NOT redirect after resume.
   test_panel: TestPanel, // for testing
diff --git a/tools/cldr-apps/js/src/views/CldrLogin.vue b/tools/cldr-apps/js/src/views/CldrLogin.vue
new file mode 100644
index 00000000000..fe668466881
--- /dev/null
+++ b/tools/cldr-apps/js/src/views/CldrLogin.vue
@@ -0,0 +1,73 @@
+<template>
+  <!-- if the user closes the alert, just go back to the ST homepage-->
+  <a-alert
+    closable="true"
+    v-on:close="stay()"
+    v-show="loginMessage"
+    type="info"
+    :message="loginMessage"
+  />
+
+  <!-- show user login -->
+  <a-card hoverable v-if="jwtGood">
+    <cldr-user v-if="jwtGood && loginId" v-bind:uid="loginId" />
+    <p>You are now logged in via the email link.</p>
+    <a-button v-on:click="stay()">Keep me logged in.</a-button>
+  </a-card>
+</template>
+
+<script setup>
+/**
+ * This page is for extended login requirements, such as
+ * logging in from an emailed jwt link.
+ */
+import { ref, onMounted } from "vue";
+
+import * as cldrLoad from "../esm/cldrLoad.mjs";
+import * as cldrStatus from "../esm/cldrStatus.mjs";
+
+const { surveyUser, sessionId, currentPieces } = cldrStatus.refs;
+
+const jwtHash = ref(cldrStatus.getCurrentPieces()[3]); // get the JWT hash which was stored from cldrLoad
+
+const loginMessage = ref("");
+const jwtGood = ref(false);
+
+const loginName = ref(null);
+const loginEmail = ref(null);
+const loginId = ref(0);
+
+onMounted(async () => {
+  if (jwtHash.value) {
+    loginMessage.value = "Logging in..";
+    await doLogin();
+  } else {
+    loginMessage.value =
+      "No login hash found. Please make sure to click on the login link in email.";
+  }
+});
+
+async function doLogin() {
+  jwtGood.value = false;
+  loginMessage.value = `Logging in to ${jwtHash.value}`;
+  const { sessionId, user, name, email, id } = await cldrLoad.loginWithJwt(
+    jwtHash.value
+  );
+  // OK, we are now logged in.
+  if (!user || !sessionId) {
+    loginMessage.value = "Could not log in with that link.";
+    return;
+  }
+  jwtGood.value = true; // Give the users their next options.
+  loginName.value = name;
+  loginEmail.value = email;
+  loginId.value = id;
+  loginMessage.value = "Logged in!";
+  // do NOT set any properties here, or the page will reload.
+}
+
+function stay() {
+  // just reload at the top level
+  window.location.replace("v#");
+}
+</script>
diff --git a/tools/cldr-apps/js/src/views/LoginButton.vue b/tools/cldr-apps/js/src/views/LoginButton.vue
index d6a65226f46..abf951f9c1c 100644
--- a/tools/cldr-apps/js/src/views/LoginButton.vue
+++ b/tools/cldr-apps/js/src/views/LoginButton.vue
@@ -22,10 +22,20 @@
       <a-checkbox v-model:checked="remember">Stay Logged In</a-checkbox>
       &nbsp;
       <a-alert
-        v-if="loginErrorMessage"
+        v-if="incorrectPassword"
         type="error"
-        v-model:message="loginErrorMessage"
-      />
+        message="Username or Password Incorrect"
+        description="Please check the email address and password carefully."
+      >
+      </a-alert>
+      <a-button
+        class="cldr-nav-btn"
+        v-on:click="resetpw()"
+        v-if="incorrectPassword"
+        size="small"
+        type="ghost"
+        >Forgot Password</a-button
+      >
     </template>
     <a-tooltip placement="bottomRight">
       <template #title>
@@ -47,10 +57,10 @@ import { ref } from "vue";
 export default {
   setup() {
     const loginShown = ref(false);
-    const loginErrorMessage = ref(null);
+    const incorrectPassword = ref(false);
     return {
       loginShown,
-      loginErrorMessage,
+      incorrectPassword,
     };
   },
   created: function () {
@@ -84,6 +94,7 @@ export default {
      * Log out
      */
     async logout() {
+      this.incorrectPassword = false;
       await fetch(`api/auth/logout?session=${cldrStatus.getSessionId()}`);
       // now reload this page now that we've logged out
       await window.location.reload();
@@ -92,6 +103,7 @@ export default {
      * Log in (from header button)
      */
     async login() {
+      this.incorrectPassword = false;
       function errBox(message) {
         console.error("LoginButton.vue: " + message);
         notification.error({
@@ -100,7 +112,6 @@ export default {
         });
       }
 
-      this.loginErrorMessage = null;
       if (this.userName && this.password) {
         try {
           const response = await fetch(
@@ -119,7 +130,7 @@ export default {
           );
           if (!response.ok) {
             if (response.status == 403) {
-              return errBox("Unauthorized:\nCheck the username and password.");
+              this.incorrectPassword = true; // show the reset instructions
             } else {
               return errBox(`Login failed: HTTP ${response.status}`);
             }
@@ -153,9 +164,7 @@ export default {
     async loginout() {
       if (this.loginShown) {
         // cancel
-        this.loginShown = false;
-        this.logText = "Log In";
-        this.logTitle = null;
+        this.cancel();
       } else if (!this.loggedIn) {
         // Log In (show popup)
         this.loginShown = true;
@@ -165,6 +174,15 @@ export default {
         await this.logout();
       }
     },
+    cancel() {
+      this.loginShown = false;
+      this.logText = "Log In";
+      this.logTitle = null;
+    },
+    resetpw() {
+      this.cancel();
+      window.location.replace("v#reset");
+    },
   },
   data() {
     return {
diff --git a/tools/cldr-apps/js/src/views/ResetPassword.vue b/tools/cldr-apps/js/src/views/ResetPassword.vue
new file mode 100644
index 00000000000..3a10fe57f72
--- /dev/null
+++ b/tools/cldr-apps/js/src/views/ResetPassword.vue
@@ -0,0 +1,60 @@
+<template>
+  <template v-if="!surveyUser">
+    <a-input
+      :disabled="sent"
+      placeholder="Username"
+      type="email"
+      v-model:value="userName"
+    >
+      <template #prefix>
+        <span class="glyphicon glyphicon-user tip-log" />
+      </template>
+    </a-input>
+
+    <a-button v-on:click="send()" v-show="!sent" v-if="userName">Send</a-button>
+
+    <hr />
+    <p v-show="!sent">Enter your email address and click Send.</p>
+
+    <a-alert
+      v-show="sent"
+      type="info"
+      message="Sent"
+      description="If the address matches
+            an account on file, you will be sent a link to login.
+            Check your junk/spam mailboxes."
+    >
+    </a-alert>
+  </template>
+  <a-alert
+    v-else
+    closable="true"
+    v-on:close="stay()"
+    type="warning"
+    message="Already logged in!"
+    description="You are already logged in successfully."
+  >
+  </a-alert>
+</template>
+
+<script setup>
+import { ref } from "vue";
+
+import * as cldrStatus from "../esm/cldrStatus.mjs";
+import * as cldrLoad from "../esm/cldrLoad.mjs";
+
+const { surveyUser, sessionId } = cldrStatus.refs;
+const sent = ref(false);
+
+const userName = ref(null);
+
+async function send() {
+  cldrLoad.sendResetHash(userName.value);
+  sent.value = true;
+}
+
+function stay() {
+  // just reload at the top level
+  window.location.replace("v#");
+}
+</script>
diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/KeepLoggedInManager.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/KeepLoggedInManager.java
index 79051065f97..31ea2e445c1 100644
--- a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/KeepLoggedInManager.java
+++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/KeepLoggedInManager.java
@@ -125,6 +125,22 @@ public String createJwtForSubject(String subject) {
                 .compact();
     }
 
+    /**
+     * Create a JSON Web Token for the 'subject' (user ID #) specified, for resetting the password.
+     *
+     * @param subject a user id, in this case "1234"
+     * @return JWT, see <https://jwt.io> for decoder
+     */
+    public String createJwtForReset(String subject) {
+        final long now = System.currentTimeMillis();
+        return Jwts.builder()
+                .setSubject(subject)
+                .signWith(key)
+                .setIssuedAt(new Date(now))
+                .setExpiration(new Date(now + (3600 * 1000L))) // 1 hour link
+                .compact();
+    }
+
     /**
      * Testing only. Generates a JWT that already expired.
      *
diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java
index d7a2f67ef45..baa7a319646 100644
--- a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java
+++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/UserRegistry.java
@@ -578,6 +578,32 @@ public CLDRLocale exampleLocale() {
             }
             return null;
         }
+
+        /** Generate and send a link that will login with a link */
+        public void sendResetToken() {
+            logger.info("Sending reset for " + email + " #" + id + ", requested by " + ip);
+            // Create a 1-hour token
+            final String token = CookieSession.sm.klm.createJwtForReset(Integer.toString(id));
+            if (SurveyMain.isUnofficial()) {
+                // not official, print this out to the command line for testing
+                System.out.println("Requested Reset Token: " + token);
+            }
+
+            /* base URL */
+            final String defaultBase =
+                    CLDRConfig.getInstance().absoluteUrls().base() + "/v#login///";
+            final String url = defaultBase + token;
+            // compose the mail
+            final String subject = "CLDR Login Link for " + email;
+            final String body =
+                    String.format(
+                            "To access the CLDR Survey Tool, visit:\n"
+                                    + "<%s>\n"
+                                    + "This link will only be valid for one hour.\n",
+                            url);
+
+            MailSender.getInstance().queue(null, id, subject, body);
+        }
     }
 
     public static void printPasswordLink(WebContext ctx, String email, String password) {
diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java
index a7480c98dfa..a5a847afcc3 100644
--- a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java
+++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/Auth.java
@@ -4,6 +4,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
+import javax.ws.rs.HeaderParam;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@@ -15,6 +16,7 @@
 import org.eclipse.microprofile.openapi.annotations.Operation;
 import org.eclipse.microprofile.openapi.annotations.media.Content;
 import org.eclipse.microprofile.openapi.annotations.media.Schema;
+import org.eclipse.microprofile.openapi.annotations.parameters.RequestBody;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponses;
 import org.eclipse.microprofile.openapi.annotations.tags.Tag;
@@ -59,12 +61,17 @@ public Response login(
             @QueryParam("remember")
                     @Schema(defaultValue = "false", description = "If true, remember login")
                     boolean remember,
-            LoginRequest request) {
+            @RequestBody(required = true) LoginRequest request) {
+
+        // If there's no user/pass, try to fill one in from jwt or cookies.
+        if (request.isEmpty() || (request.jwt != null && !request.jwt.isEmpty())) {
+            // try an explicit jwt
+            String jwt = request.jwt;
 
-        // If there's no user/pass, try to fill one in from cookies.
-        if (request.isEmpty()) {
             // Also compare WebContext.setSession()
-            final String jwt = WebContext.getCookieValue(hreq, SurveyMain.COOKIE_SAVELOGIN);
+            if (jwt == null || jwt.isBlank()) {
+                jwt = WebContext.getCookieValue(hreq, SurveyMain.COOKIE_SAVELOGIN);
+            }
             if (jwt != null && !jwt.isBlank()) {
                 final String jwtId = CookieSession.sm.klm.getSubject(jwt);
                 if (jwtId != null && !jwtId.isBlank()) {
@@ -165,6 +172,15 @@ private LoginResponse createLoginResponse(CookieSession session) {
         LoginResponse resp = new LoginResponse();
         resp.sessionId = session.id;
         resp.user = (session.user != null);
+        if (session.user != null) {
+            resp.email = session.user.email;
+            resp.name = session.user.name;
+            resp.id = session.user.id;
+        } else {
+            resp.email = null;
+            resp.name = null;
+            resp.id = 0;
+        }
         return resp;
     }
 
@@ -293,6 +309,73 @@ public Response lock(
         }
     }
 
+    public final class ResetResponse {
+        public String message;
+        public String ip;
+    }
+
+    @Path("/reset")
+    @POST
+    @Produces(MediaType.APPLICATION_JSON)
+    @Consumes(MediaType.APPLICATION_JSON)
+    @Operation(
+            summary = "Reset password",
+            description =
+                    "Reset password for an account. Note that a session, anonymous or not, is required.")
+    @APIResponses(
+            value = {
+                @APIResponse(
+                        responseCode = "200",
+                        description = "Reset OK",
+                        content =
+                                @Content(
+                                        mediaType = "application/json",
+                                        schema = @Schema(implementation = ResetResponse.class))),
+                @APIResponse(responseCode = "403", description = "Forbidden"),
+                @APIResponse(responseCode = "404", description = "Session not found"),
+                @APIResponse(responseCode = "417", description = "Invalid parameter"),
+                @APIResponse(responseCode = "500", description = "Failure"),
+            })
+    public Response reset(
+            @Context HttpServletRequest hreq,
+            @Context HttpServletResponse hresp,
+            ResetRequest request,
+            @HeaderParam(Auth.SESSION_HEADER) String session) {
+
+        if (request.email.isEmpty() || session.isEmpty()) {
+            return Response.status(417, "Missing parameter").build();
+        }
+        final CookieSession s = getSession(session);
+        if (s == null) {
+            return noSessionResponse();
+        } else if (s.user != null && !s.user.email.equals(request.email)) {
+            // don't use a logged-in session to reset password
+            return Response.status(417, "Invalid session").build();
+        } else if (request.email.equals(UserRegistry.ADMIN_EMAIL)) {
+            // nice try
+            return Response.status(403, "Forbidden").build();
+        }
+
+        // look up user. This is the real user to be reset.
+        // Note that this lookup might fail - in which case, we
+        // still tell the user we may have sent the reset.
+        // We don't want to allow 'probing' for valid emails here.
+        User user = CookieSession.sm.reg.get(request.email);
+
+        ResetResponse r = new ResetResponse();
+        r.ip = s.ip;
+
+        if (user != null) {
+            user.sendResetToken();
+        } else {
+            logger.warning(
+                    "Not sending reset for nonexistent " + request.email + " requested by " + r.ip);
+        }
+
+        // OK, send them a 1-hour link
+        return Response.ok().build();
+    }
+
     /**
      * Extract a CookieSession from a session string
      *
diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/LoginRequest.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/LoginRequest.java
index eee92443e78..0dd5e697b30 100644
--- a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/LoginRequest.java
+++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/LoginRequest.java
@@ -3,11 +3,13 @@
 public final class LoginRequest {
     public String email;
     public String password;
+    public String jwt;
 
     /**
      * @return true if input incomplete
      */
     protected boolean isEmpty() {
+        if (jwt != null) return false;
         return email == null || password == null || email.isEmpty() || password.isEmpty();
     }
 }
diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/LoginResponse.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/LoginResponse.java
index 0e8cc422993..e8148ac23d5 100644
--- a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/LoginResponse.java
+++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/LoginResponse.java
@@ -10,9 +10,15 @@ public final class LoginResponse {
     @Schema(description = "CookieSession string id")
     public String sessionId;
 
-    // TODO: need to add User data here
-    // But it stopped being serializable.
-    // For now, just a boolean
     @Schema(description = "True if there is a user")
     public boolean user;
+
+    @Schema(description = "User name")
+    public String name;
+
+    @Schema(description = "User email")
+    public String email;
+
+    @Schema(description = "User id")
+    public int id;
 }
diff --git a/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/ResetRequest.java b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/ResetRequest.java
new file mode 100644
index 00000000000..c0bcec9d4cc
--- /dev/null
+++ b/tools/cldr-apps/src/main/java/org/unicode/cldr/web/api/ResetRequest.java
@@ -0,0 +1,8 @@
+package org.unicode.cldr.web.api;
+
+/** A request to reset the password */
+public final class ResetRequest {
+    public String email = null;
+
+    public ResetRequest() {}
+}

From 97aa56ace43a6e3153422e4ab632b992a1ba448e Mon Sep 17 00:00:00 2001
From: "Steven R. Loomis" <srl295@gmail.com>
Date: Wed, 29 May 2024 19:27:16 -0500
Subject: [PATCH 2/2] CLDR-7405 login: force reload with Keep button

---
 tools/cldr-apps/js/src/views/CldrLogin.vue | 3 ++-
 tools/cldr-apps/js/src/views/CldrUser.vue  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/cldr-apps/js/src/views/CldrLogin.vue b/tools/cldr-apps/js/src/views/CldrLogin.vue
index fe668466881..dec6a888806 100644
--- a/tools/cldr-apps/js/src/views/CldrLogin.vue
+++ b/tools/cldr-apps/js/src/views/CldrLogin.vue
@@ -10,7 +10,7 @@
 
   <!-- show user login -->
   <a-card hoverable v-if="jwtGood">
-    <cldr-user v-if="jwtGood && loginId" v-bind:uid="loginId" />
+    <cldr-user v-if="jwtGood && loginId && loginName && loginEmail" v-bind:uid="loginId" />
     <p>You are now logged in via the email link.</p>
     <a-button v-on:click="stay()">Keep me logged in.</a-button>
   </a-card>
@@ -69,5 +69,6 @@ async function doLogin() {
 function stay() {
   // just reload at the top level
   window.location.replace("v#");
+  window.location.reload();
 }
 </script>
diff --git a/tools/cldr-apps/js/src/views/CldrUser.vue b/tools/cldr-apps/js/src/views/CldrUser.vue
index cd946356c9c..88d3a31cdc0 100644
--- a/tools/cldr-apps/js/src/views/CldrUser.vue
+++ b/tools/cldr-apps/js/src/views/CldrUser.vue
@@ -52,7 +52,7 @@ export default {
   },
   async created() {
     this.info = await cldrUsers.getUserInfo(this.uid);
-    const { org, name } = this.info;
+    const { org, name } = this.info ?? {};
     this.org = org || null;
     this.name = name || null;
     this.$emit("org", this.org);