
fix: invalidate sessions on password change & redesign account page #790

Merged: Israeltheminer merged 3 commits into main from feat/session-invalidation-account-redesign on Mar 14, 2026

Conversation

Israeltheminer (Collaborator) commented Mar 14, 2026

Summary

  • Session invalidation on password change: When an admin resets a member's password via setMemberPassword, all sessions for that user are deleted via deleteMany. When a user changes their own password via updateUserPassword, revokeOtherSessions: true is passed to better-auth's changePassword API.
  • Account page redesign: Profile section now allows inline display name editing with a new updateUserName mutation. Email is shown as read-only. Password change/set forms are moved into FormDialog dialogs for a cleaner UX.
  • Member row actions: Hide the Edit action on the current user's own row. Fix Transfer ownership text wrapping by setting contentWidth on EntityRowActions.
  • New tests: Added unit tests for set_member_password (session invalidation, auth checks, credential create/update), update_user_password (session revocation, validation), and update_user_name (validation, trimming, auth).
  • New mutation: updateUserName for display name changes via the better-auth adapter.
  • Translation keys: Added account profile/security section keys and toast messages for profile updates.

Closes #771

Test plan

  • Verify admin password reset invalidates all target user sessions (user is logged out)
  • Verify user self-password change revokes other sessions
  • Verify display name editing works on account page
  • Verify email is displayed read-only
  • Verify password change/set opens in a dialog
  • Verify Edit action is hidden on own member row
  • Verify Transfer ownership menu item doesn't wrap
  • Run bun run --filter @tale/platform test to confirm all new tests pass

Summary by CodeRabbit

  • New Features

    • Added ability to update display name in account settings with validation and inline notifications.
    • Restructured account settings UI into separate Profile and Security sections.
  • Improvements

    • Password changes now invalidate other active sessions for enhanced security.
    • Updated member management to prevent self-editing.
    • Improved form dialogs for password management actions.
  • Localization

    • Added profile update success and error messages.
    • Added new account settings section labels.

- Invalidate all sessions when admin resets a member's password via
  deleteMany on the session model
- Revoke other sessions when a user changes their own password via
  revokeOtherSessions flag
- Redesign account page: inline profile name editing, email display,
  password change/set moved into FormDialog dialogs
- Add updateUserName mutation for display name changes
- Hide Edit action on own member row, fix Transfer ownership text wrapping
- Add tests for set_member_password, update_user_password, update_user_name
- Add translation keys for profile section and toast messages


coderabbitai Bot (Contributor) commented Mar 14, 2026

Walkthrough

This PR refactors the account settings form into modular ProfileSection and PasswordSection components, each managing independent form state and validation. It introduces a new updateUserName Convex mutation and corresponding React hook to handle user name updates separately from password flows. Session invalidation is added after password changes to ensure re-authentication. Comprehensive test suites cover the new mutations with validation, error handling, and flow scenarios. Member row action visibility is adjusted, and translation strings are added for profile update notifications.

Estimated code review effort: 3 (Moderate), ~25 minutes

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)
  • Docstring Coverage: Warning. Docstring coverage is 5.88%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly summarizes the two main changes: session invalidation on password changes and account page redesign, matching the primary modifications across the codebase.
  • Linked Issues check: Passed. All coding requirements from issue #771 are implemented: admin password resets invalidate sessions via deleteMany, self-password changes pass the revokeOtherSessions flag, and tests verify both flows.
  • Out of Scope Changes check: Passed. Member list UX improvements (hiding Edit action, fixing Transfer ownership wrapping) and account page redesign (ProfileSection, dialog-based forms) are design enhancements supporting the core session invalidation work and overall user experience consistency.


coderabbitai Bot (Contributor) left a review comment

Actionable comments posted: 2

Prompt for all review comments with AI agents: verify each finding against the current code and only fix it if needed.

Inline comments:
In `@services/platform/app/features/settings/account/components/account-form.tsx`:
- Around line 66-70: The name field must be normalized (trimmed) before
validation and when resetting the form: update the profileSchema (the useMemo
that defines profileSchema) to preprocess/transform the input string to s.trim()
before applying min(1, tSettings(...)) so whitespace-only values are rejected,
and when calling the form reset/sync after save (the code that references
user.name and the reset/update logic around lines 86-99), pass user.name?.trim()
(or the normalized value from the form result) so the form state is set to the
trimmed display name; apply the same trimming normalization to any other
client-side validation/reset paths that handle name.

In `@services/platform/convex/users/set_member_password.ts`:
- Around line 133-140: The deleteMany call using
ctx.runMutation(components.betterAuth.adapter.deleteMany, ...) only removes up
to paginationOpts.numItems (100) sessions, so loop until no sessions remain:
repeatedly call ctx.runMutation with the same input (model: 'session', where
userId == memberUserId) and paginationOpts (cursor: null, numItems: 100) and
break when the result indicates zero deleted items; alternatively, if
components.betterAuth.adapter exposes a bulk delete-all for model 'session' or
accepts no pagination, call that instead to remove all sessions in one
operation; update the code around the session invalidation block to perform the
loop or use the adapter's delete-all API for memberUserId.

Commits

Reviewing files that changed from the base of the PR and between 29e7aa2 and 8ceb5cd.

Files ignored due to path filters (1)
  • services/platform/convex/_generated/api.d.ts is excluded by !**/_generated/**
Files selected for processing (11)
  • services/platform/app/features/settings/account/components/account-form.tsx
  • services/platform/app/features/settings/account/hooks/mutations.ts
  • services/platform/app/features/settings/organization/components/member-row-actions.tsx
  • services/platform/convex/users/__tests__/set_member_password.test.ts
  • services/platform/convex/users/__tests__/update_user_name.test.ts
  • services/platform/convex/users/__tests__/update_user_password.test.ts
  • services/platform/convex/users/mutations.ts
  • services/platform/convex/users/set_member_password.ts
  • services/platform/convex/users/update_user_name.ts
  • services/platform/convex/users/update_user_password.ts
  • services/platform/messages/en.json
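
CodeRabbit's deleteMany finding above, as an added example that is not part of the PR or the project's code: a small synchronous in-memory model of a paginated deleteMany (the adapter's input shape and its { count } result are assumptions standing in for components.betterAuth.adapter.deleteMany, which the real mutation awaits through ctx.runMutation) showing why a single call strands every session past the page size, and the bounded loop that keeps deleting until none remain.

```typescript
// Added example (not the project's code): a synchronous in-memory stand-in for
// components.betterAuth.adapter.deleteMany, which the real mutation awaits via
// ctx.runMutation. The { count } result shape is an assumption.
type Session = { id: string; userId: string };
const PAGE_SIZE = 100;

// The same input the reviewed code passes: one page of at most 100 rows.
function deleteInput(userId: string) {
  return {
    model: 'session' as const,
    where: [{ field: 'userId' as const, value: userId }],
    paginationOpts: { cursor: null as string | null, numItems: PAGE_SIZE },
  };
}

export class FakeSessionStore {
  sessions: Session[];
  constructor(sessions: Session[]) { this.sessions = sessions; }

  // Mimics a paginated deleteMany: removes at most numItems matching rows,
  // which is exactly why one call leaves sessions 101..n alive.
  deleteMany(input: ReturnType<typeof deleteInput>): { count: number } {
    const userId = input.where[0].value;
    const max = input.paginationOpts.numItems;
    let removed = 0;
    this.sessions = this.sessions.filter((s) => {
      if (s.userId !== userId || removed >= max) return true;
      removed += 1;
      return false;
    });
    return { count: removed };
  }
}

// Fixed version: repeat until a call deletes nothing. maxRounds bounds the
// loop so an adapter that never reports zero cannot spin forever.
export function revokeAllSessions(store: FakeSessionStore, userId: string, maxRounds = 1000): number {
  let total = 0;
  for (let round = 0; round < maxRounds; round++) {
    const { count } = store.deleteMany(deleteInput(userId));
    total += count;
    if (count === 0) return total;
  }
  throw new Error(`session revocation for ${userId} did not converge`);
}

// Constructed sample: 250 sessions for 'target' plus one for a bystander.
export function buildStore(): FakeSessionStore {
  const rows = Array.from({ length: 250 }, (_, i) => ({ id: `s${i}`, userId: 'target' }));
  return new FakeSessionStore([...rows, { id: 'other', userId: 'bystander' }]);
}
```

A single `store.deleteMany(deleteInput('target'))` on the sample leaves 150 of the 250 sessions valid, which is the gap the review points at; `revokeAllSessions` removes all 250 in four calls and never touches the bystander's row.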

Israeltheminer force-pushed the feat/session-invalidation-account-redesign branch from 66d7188 to a2e82b8 on March 14, 2026 13:08
Israeltheminer merged commit 5c0c819 into main on Mar 14, 2026 (5 of 6 checks passed)
Israeltheminer deleted the feat/session-invalidation-account-redesign branch on March 14, 2026 13:09


Development

Successfully merging this pull request may close these issues.

Missing Functionality: User session not invalidated after password or permission update
