Add no-cache headers for auth pages and improve error messages

nickprotop · nickprotop · commit 4176b9128cf6 · 2025-12-27T10:41:56.000+02:00
- Add nginx no-cache location for auth pages (verify-email, reset-password,
  forgot-password, login, register, accept-invitation, verify-new-email)
- Improve API error messages to be more descriptive and actionable:
  - Verification: clearer expired/invalid/already-used messages
  - Password reset: better expired/invalid/social-login messages
  - Login: more helpful email verification and credentials messages
diff --git a/cloud/deploy/nginx/nginx.conf.template b/cloud/deploy/nginx/nginx.conf.template
@@ -158,6 +158,21 @@ http {
         # Blazor WASM Application (/app/*)
         # =====================================================
 
+        # Auth pages - no cache (ensure fresh content after deployments)
+        location ~ ^/app/(verify-email|reset-password|forgot-password|login|register|accept-invitation|verify-new-email) {
+            proxy_pass http://web/;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Prevent caching
+            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
+            add_header Pragma "no-cache" always;
+            expires -1;
+        }
+
         location /app/_framework/ {
             proxy_pass http://web/_framework/;
             proxy_http_version 1.1;
@@ -285,6 +300,21 @@ http {
         # Blazor WASM Application (/app/*)
         # =====================================================
 
+        # Auth pages - no cache (ensure fresh content after deployments)
+        location ~ ^/app/(verify-email|reset-password|forgot-password|login|register|accept-invitation|verify-new-email) {
+            proxy_pass http://web/;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Prevent caching
+            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
+            add_header Pragma "no-cache" always;
+            expires -1;
+        }
+
         location /app/_framework/ {
             proxy_pass http://web/_framework/;
             proxy_http_version 1.1;
diff --git a/cloud/src/LrmCloud.Api/Services/AuthService.cs b/cloud/src/LrmCloud.Api/Services/AuthService.cs
@@ -150,28 +150,28 @@ await _mailService.TrySendEmailAsync(_logger,
 
         if (user == null)
         {
-            return (false, "Invalid verification link");
+            return (false, "This verification link is invalid. Please check the link or request a new one.");
         }
 
         if (user.EmailVerified)
         {
-            return (false, "Email already verified");
+            return (false, "Your email address has already been verified. You can log in now.");
         }
 
         if (user.EmailVerificationExpiresAt == null || user.EmailVerificationExpiresAt < DateTime.UtcNow)
         {
-            return (false, "Verification link expired");
+            return (false, "This verification link has expired. Please register again to receive a new link.");
         }
 
         if (string.IsNullOrEmpty(user.EmailVerificationTokenHash))
         {
-            return (false, "Invalid verification token");
+            return (false, "This verification link is invalid or has already been used.");
         }
 
         // Verify token by hashing and comparing
         if (!BCrypt.Net.BCrypt.Verify(token, user.EmailVerificationTokenHash))
         {
-            return (false, "Invalid verification token");
+            return (false, "This verification link is invalid or has already been used.");
         }
 
         // Mark as verified
@@ -263,25 +263,25 @@ await _mailService.TrySendEmailAsync(_logger,
             .FirstOrDefaultAsync(u => u.Email == request.Email.ToLowerInvariant());
 
         if (user == null)
-            return (false, "Invalid password reset link");
+            return (false, "This password reset link is invalid. Please request a new one.");
 
         if (user.AuthType != "email")
-            return (false, "Password reset is only available for email accounts");
+            return (false, "Password reset is only available for email/password accounts. You signed up with a social login.");
 
         if (string.IsNullOrEmpty(user.PasswordResetTokenHash))
         {
-            return (false, "No password reset requested");
+            return (false, "No password reset was requested for this account. Please request a new reset link.");
         }
 
         if (user.PasswordResetExpires == null || user.PasswordResetExpires < DateTime.UtcNow)
         {
-            return (false, "Password reset link expired");
+            return (false, "This password reset link has expired. Please request a new one.");
         }
 
         // Verify token by hashing and comparing
         if (!BCrypt.Net.BCrypt.Verify(request.Token, user.PasswordResetTokenHash))
         {
-            return (false, "Invalid password reset token");
+            return (false, "This password reset link is invalid or has already been used.");
         }
 
         // Hash new password
@@ -348,7 +348,7 @@ await _mailService.TrySendEmailAsync(_logger,
         // Validate user exists and uses email auth
         if (user == null || user.AuthType != "email")
         {
-            return (false, null, "Invalid email or password");
+            return (false, null, "The email or password you entered is incorrect.");
         }
 
         // Verify password
@@ -374,13 +374,13 @@ await _mailService.TrySendEmailAsync(_logger,
             _logger.LogWarning("Failed login attempt for user: {Email} (attempt {Count}/{Max})",
                 user.Email, user.FailedLoginAttempts, _config.Auth.MaxFailedLoginAttempts);
 
-            return (false, null, "Invalid email or password");
+            return (false, null, "The email or password you entered is incorrect.");
         }
 
         // Check if email is verified
         if (!user.EmailVerified)
         {
-            return (false, null, "Please verify your email address before logging in");
+            return (false, null, "Please verify your email address before logging in. Check your inbox for the verification link.");
         }
 
         // Success - reset failed attempts and update last login

Original file line number	Diff line number	Diff line change
`@@ -150,28 +150,28 @@ await _mailService.TrySendEmailAsync(_logger,`
`150`	`150`
`151`	`151`	`if (user == null)`
`152`	`152`	`{`
`153`		`- return (false, "Invalid verification link");`
	`153`	`+ return (false, "This verification link is invalid. Please check the link or request a new one.");`
`154`	`154`	`}`
`155`	`155`
`156`	`156`	`if (user.EmailVerified)`
`157`	`157`	`{`
`158`		`- return (false, "Email already verified");`
	`158`	`+ return (false, "Your email address has already been verified. You can log in now.");`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`if (user.EmailVerificationExpiresAt == null \|\| user.EmailVerificationExpiresAt < DateTime.UtcNow)`
`162`	`162`	`{`
`163`		`- return (false, "Verification link expired");`
	`163`	`+ return (false, "This verification link has expired. Please register again to receive a new link.");`
`164`	`164`	`}`
`165`	`165`
`166`	`166`	`if (string.IsNullOrEmpty(user.EmailVerificationTokenHash))`
`167`	`167`	`{`
`168`		`- return (false, "Invalid verification token");`
	`168`	`+ return (false, "This verification link is invalid or has already been used.");`
`169`	`169`	`}`
`170`	`170`
`171`	`171`	`// Verify token by hashing and comparing`
`172`	`172`	`if (!BCrypt.Net.BCrypt.Verify(token, user.EmailVerificationTokenHash))`
`173`	`173`	`{`
`174`		`- return (false, "Invalid verification token");`
	`174`	`+ return (false, "This verification link is invalid or has already been used.");`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`// Mark as verified`
`@@ -263,25 +263,25 @@ await _mailService.TrySendEmailAsync(_logger,`
`263`	`263`	`.FirstOrDefaultAsync(u => u.Email == request.Email.ToLowerInvariant());`
`264`	`264`
`265`	`265`	`if (user == null)`
`266`		`- return (false, "Invalid password reset link");`
	`266`	`+ return (false, "This password reset link is invalid. Please request a new one.");`
`267`	`267`
`268`	`268`	`if (user.AuthType != "email")`
`269`		`- return (false, "Password reset is only available for email accounts");`
	`269`	`+ return (false, "Password reset is only available for email/password accounts. You signed up with a social login.");`
`270`	`270`
`271`	`271`	`if (string.IsNullOrEmpty(user.PasswordResetTokenHash))`
`272`	`272`	`{`
`273`		`- return (false, "No password reset requested");`
	`273`	`+ return (false, "No password reset was requested for this account. Please request a new reset link.");`
`274`	`274`	`}`
`275`	`275`
`276`	`276`	`if (user.PasswordResetExpires == null \|\| user.PasswordResetExpires < DateTime.UtcNow)`
`277`	`277`	`{`
`278`		`- return (false, "Password reset link expired");`
	`278`	`+ return (false, "This password reset link has expired. Please request a new one.");`
`279`	`279`	`}`
`280`	`280`
`281`	`281`	`// Verify token by hashing and comparing`
`282`	`282`	`if (!BCrypt.Net.BCrypt.Verify(request.Token, user.PasswordResetTokenHash))`
`283`	`283`	`{`
`284`		`- return (false, "Invalid password reset token");`
	`284`	`+ return (false, "This password reset link is invalid or has already been used.");`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`// Hash new password`
`@@ -348,7 +348,7 @@ await _mailService.TrySendEmailAsync(_logger,`
`348`	`348`	`// Validate user exists and uses email auth`
`349`	`349`	`if (user == null \|\| user.AuthType != "email")`
`350`	`350`	`{`
`351`		`- return (false, null, "Invalid email or password");`
	`351`	`+ return (false, null, "The email or password you entered is incorrect.");`
`352`	`352`	`}`
`353`	`353`
`354`	`354`	`// Verify password`
`@@ -374,13 +374,13 @@ await _mailService.TrySendEmailAsync(_logger,`
`374`	`374`	`_logger.LogWarning("Failed login attempt for user: {Email} (attempt {Count}/{Max})",`
`375`	`375`	`user.Email, user.FailedLoginAttempts, _config.Auth.MaxFailedLoginAttempts);`
`376`	`376`
`377`		`- return (false, null, "Invalid email or password");`
	`377`	`+ return (false, null, "The email or password you entered is incorrect.");`
`378`	`378`	`}`
`379`	`379`
`380`	`380`	`// Check if email is verified`
`381`	`381`	`if (!user.EmailVerified)`
`382`	`382`	`{`
`383`		`- return (false, null, "Please verify your email address before logging in");`
	`383`	`+ return (false, null, "Please verify your email address before logging in. Check your inbox for the verification link.");`
`384`	`384`	`}`
`385`	`385`
`386`	`386`	`// Success - reset failed attempts and update last login`