DocHub
Admin feature to reset a client's password by deleting their Firebase Auth record, allowing JIT re-provisioning on next login

Admin Password Reset

Overview

Admins can reset any client’s password from the customer tracking portal. This works by deleting the client’s Firebase Auth record — when the client next logs in with their default password (max + referenceId), JIT provisioning automatically recreates their account.

User Flow

  1. Admin signs in and searches for a customer by ID
  2. Customer search results show three action buttons:
    • Track Single Package — existing
    • View All Packages — existing
    • Reset Password — new (red button)
  3. Clicking “Reset Password” opens a confirmation modal showing the default password (e.g. max2294)
  4. On confirmation, the frontend calls the deleteAuthUser Cloud Function
  5. A success modal displays the client’s login credentials:
    • Email address
    • Default password
  6. A Copy Details button copies both fields to clipboard for easy sharing with the client

Technical Implementation

Frontend (customer_tracking_page/index.html)

Modals:

  • #reset-password-confirm-modal — Confirmation with cancel/confirm
  • #reset-password-success-modal — Success with email, password, and copy button

Functions:

  • openResetPasswordModal() — Populates default password preview, shows confirm modal
  • confirmResetPassword() — Resolves auth email (handles duplicate email format), calls Cloud Function, shows success
  • closeResetPasswordModal() / closeResetSuccessModal() — Close modals
  • copyResetDetails() — Copies email + password to clipboard

Duplicate email handling: The system checks if multiple clients share the same email. If so, it uses the email+refId@domain alias format (e.g. tim+7218@kroha.co) when calling the Cloud Function, ensuring only the correct client’s auth record is deleted.

Local cleanup: On successful reset, the following localStorage keys are cleared for that client:

  • passwordChanged_{email} — so JIT provisioning forces a new password change
  • authEmail_{email} — removes stored auth email mapping

Cloud Function (deleteAuthUser)

Endpoint: POST https://us-central1-max-inventory-scanner-b0b53.cloudfunctions.net/deleteAuthUser

Request:

{ "email": "client@example.com" }

Response:

{ "success": true, "message": "Auth record deleted" }

Behavior:

  • Uses Firebase Admin SDK: admin.auth().getUserByEmail(email), then admin.auth().deleteUser(uid)
  • Returns success even if no auth record exists (idempotent)
  • CORS enabled for cross-origin requests

Source: maxshipping-web-and-cloudfunctions/functions/index.js
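
Added example (not the project's code from functions/index.js): a sketch of the duplicate-email alias resolution and the idempotent delete described above. The helper names resolveAuthEmail and makeFakeAuth, the in-memory stand-in for admin.auth(), the sample clients, and the message returned when no record exists are assumptions made for illustration.

```javascript
// Added example, not the project's code. `auth` is any object exposing the two
// Admin SDK calls named above: getUserByEmail(email) and deleteUser(uid).

// Use the email+refId@domain alias only when several clients share the address.
function resolveAuthEmail(client, allClients) {
  const same = (c) => c.email.toLowerCase() === client.email.toLowerCase();
  if (allClients.filter(same).length < 2) return client.email;
  const at = client.email.lastIndexOf("@");
  return `${client.email.slice(0, at)}+${client.referenceId}${client.email.slice(at)}`;
}

// Idempotent delete: a missing record counts as success; any other failure
// (network, permissions) is re-thrown so it is never reported as a reset.
async function deleteAuthUser(auth, email) {
  try {
    const { uid } = await auth.getUserByEmail(email);
    await auth.deleteUser(uid);
    return { success: true, message: "Auth record deleted" };
  } catch (err) {
    if (err.code !== "auth/user-not-found") throw err;
    return { success: true, message: "No auth record to delete" }; // constructed message
  }
}

// Constructed in-memory stand-in for admin.auth(), so the example runs offline.
function makeFakeAuth(records) {
  const uidByEmail = new Map(records.map((r) => [r.email, r.uid]));
  return {
    async getUserByEmail(email) {
      if (!uidByEmail.has(email)) {
        throw Object.assign(new Error("no such user"), { code: "auth/user-not-found" });
      }
      return { uid: uidByEmail.get(email), email };
    },
    async deleteUser(uid) {
      for (const [email, u] of uidByEmail) if (u === uid) uidByEmail.delete(email);
    },
    emails: () => [...uidByEmail.keys()].sort(),
  };
}

// Constructed sample data: two clients share one address, one does not.
const clients = [
  { email: "tim@kroha.co", referenceId: "7218" },
  { email: "tim@kroha.co", referenceId: "2294" },
  { email: "ann@example.com", referenceId: "1001" },
];
```

Re-throwing every error other than auth/user-not-found keeps the success modal from appearing when the delete did not actually happen.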

Why Delete Instead of Update?

The Firebase client SDK cannot modify another user’s password — only the currently signed-in user can change their own. The Admin SDK can update passwords, but deleting the auth record is simpler and leverages the existing JIT provisioning system: the account is automatically recreated with the default password on next login, and the forced password change flow kicks in as usual.

Date Added

2026-03-31 — Branch: feature/activity-logging-and-setup