fix: implement authentication security hardening

- Add password reset flow with PKCE token verification and email links
- Add educational disclaimer on signup page
- Clear global state on logout to prevent data leakage between sessions
- Invalidate user-specific cache entries on logout
- Add app_url configuration for password reset redirects

Security fixes:
- Prevents User B from accessing User A's portfolio data after logout
- Clears LAST_ANALYSIS_STATE, HISTORY_RECORDS, LAST_STRESS_TEST globals
- Implements proper session cleanup with cache invalidation
- Adds forgot password modal workflow with token detection

app.py

@@ -1648,6 +1648,12 @@ def create_interface() -> gr.Blocks:
                         placeholder="Enter your password",
                         type="password"
                     )
+                    forgot_password_btn = gr.Button(
+                        "Forgot password?",
+                        variant="secondary",
+                        size="sm",
+                        elem_classes="forgot-password-link"
+                    )
                     login_btn = gr.Button("Sign In", variant="primary", size="lg")
                     login_message = gr.Markdown("")
 
@@ -1672,6 +1678,10 @@ def create_interface() -> gr.Blocks:
                         placeholder="Re-enter your password",
                         type="password"
                     )
+                    gr.Markdown(
+                        "*By signing up, you agree this is for educational purposes only and not financial advice.*",
+                        elem_classes="disclaimer-text"
+                    )
                     signup_btn = gr.Button("Create Account", variant="primary", size="lg")
                     signup_message = gr.Markdown("")
 
@@ -1686,6 +1696,50 @@ def create_interface() -> gr.Blocks:
             gr.Markdown("*1 free analysis per day • No account required*", elem_classes="demo-subtitle")
             demo_message = gr.Markdown("")
 
+        # Modal 1: Request password reset (only email input)
+        with gr.Group(visible=False, elem_id="password-reset-modal") as password_reset_modal:
+            gr.Markdown("## Request Password Reset")
+            gr.Markdown("Enter your email address and we'll send you a password reset link.")
+
+            reset_email = gr.Textbox(
+                label="Email",
+                placeholder="[email protected]",
+                type="email"
+            )
+            with gr.Row():
+                reset_submit_btn = gr.Button("Send Reset Link", variant="primary", size="lg")
+                reset_cancel_btn = gr.Button("Cancel", variant="secondary", size="sm")
+            reset_message = gr.Markdown("")
+
+        # Modal 2: Set new password (only appears after clicking email link)
+        with gr.Group(visible=False, elem_id="password-update-modal") as password_update_modal:
+            gr.Markdown("## Set New Password")
+            gr.Markdown("Enter your new password below.")
+
+            # Hidden fields to store recovery token_hash and email (populated by JavaScript)
+            recovery_token_hash = gr.Textbox(visible=False, elem_id="recovery-token-hash")
+            recovery_email = gr.Textbox(
+                label="Email",
+                placeholder="[email protected]",
+                type="email",
+                info="Enter the email address you used to request the password reset"
+            )
+
+            new_password = gr.Textbox(
+                label="New Password",
+                placeholder="At least 6 characters",
+                type="password"
+            )
+            confirm_new_password = gr.Textbox(
+                label="Confirm New Password",
+                placeholder="Re-enter your new password",
+                type="password"
+            )
+            with gr.Row():
+                update_password_btn = gr.Button("Update Password", variant="primary", size="lg")
+                update_cancel_btn = gr.Button("Cancel", variant="secondary", size="sm")
+            update_password_message = gr.Markdown("")
+
         # Input Page with side-by-side layout (hidden until authenticated)
         with gr.Group(visible=False) as input_page:
             # Side-by-side input and preview (2:3 ratio for wider preview)
@@ -1750,6 +1804,33 @@ def create_interface() -> gr.Blocks:
                         scale=1
                     )
 
+            # JavaScript to detect password reset token_hash in URL and populate hidden fields
+            # This runs on page load and checks for recovery token in query parameters
+            demo.load(
+                fn=None,  # No Python processing needed - JavaScript directly sets the value
+                inputs=[],
+                outputs=[recovery_token_hash],
+                js="""
+                function() {
+                    // Check for recovery token_hash in URL query parameters (PKCE flow)
+                    const params = new URLSearchParams(window.location.search);
+                    const tokenHash = params.get('token_hash') || '';
+                    const typeParam = params.get('type') || '';
+
+                    if (tokenHash && typeParam === 'recovery') {
+                        console.log('Password reset token detected');
+
+                        // Clean up URL (remove query parameters)
+                        window.history.replaceState({}, document.title, window.location.pathname);
+
+                        return tokenHash;
+                    }
+
+                    return '';
+                }
+                """
+            )
+
             # Add click handlers for example buttons
             tech_btn.click(
                 fn=lambda: "AAPL 50 shares\nTSLA 25 shares\nNVDA 30 shares\nMETA 20 shares",
@@ -2415,31 +2496,112 @@ Please try again with different parameters.
                 return current_session, f"❌ {message}"
 
         async def handle_logout(current_session: Dict):
-            """Handle user logout."""
+            """Handle user logout and reset all UI components.
+
+            Security: Clears all global state and user-specific cache to prevent
+            data leakage between user sessions.
+            """
+            global LAST_ANALYSIS_STATE, HISTORY_RECORDS, LAST_STRESS_TEST
+
             session = UserSession.from_dict(current_session)
+
+            # Extract user ID before clearing session (for cache cleanup)
+            user_id = session.user_id if session else None
+
+            # 1. Clear backend authentication
             success, message = await auth.logout(session)
 
-            # Clear session
+            # 2. Clear global state variables (CRITICAL for data security)
+            LAST_ANALYSIS_STATE = None
+            HISTORY_RECORDS = []
+            LAST_STRESS_TEST = None
+
+            # 3. Clear user-specific cache entries
+            if user_id:
+                try:
+                    from backend.caching.factory import cache_manager
+                    # Clear user-specific data from cache
+                    cache_manager.invalidation.invalidate_by_event("user_update", user_id)
+                    logger.info(f"Cleared cache for user {user_id}")
+                except Exception as e:
+                    logger.error(f"Failed to clear user cache on logout: {e}")
+
+            # 4. Clear session and reset ALL UI components to initial state
             return (
-                {},
-                f"✅ {message}",
-                gr.update(visible=True),   # Show login form
-                gr.update(visible=False),  # Hide main content
-                gr.update(value="Not logged in")  # Clear user info
+                {},  # Clear session state
+                f"✅ {message}",  # Login message
+                gr.update(visible=True),   # Show login container
+                gr.update(visible=False),  # Hide input page
+                gr.update(value="Not logged in"),  # Clear user info
+                gr.update(visible=False),  # Hide logout button
+                gr.update(visible=False),  # Hide sidebar
+                gr.update(visible=False),  # Hide results page
+                gr.update(visible=False),  # Hide loading page
+                gr.update(visible=False),  # Hide history page
+                # Clear all analysis outputs
+                gr.update(value=""),  # analysis_output
+                gr.update(value=None),  # allocation_plot
+                gr.update(value=None),  # risk_plot
+                gr.update(value=None),  # performance_plot
+                gr.update(value=None),  # correlation_plot
+                gr.update(value=None),  # optimization_plot
+                # Clear history
+                gr.update(value=[]),  # history_table
+                # Clear password reset modals
+                gr.update(visible=False),  # password_reset_modal
+                gr.update(visible=False),  # password_update_modal
             )
 
         def sync_login(email: str, password: str, current_session: Dict):
             """Synchronous wrapper for login."""
             return asyncio.run(handle_login(email, password, current_session))
 
-        def sync_signup(email: str, password: str, confirm_password: str, username: str, current_session: Dict):
+        def sync_signup(email: str, password: str, confirm_password: str, username: str, terms_accepted: bool, current_session: Dict):
             """Synchronous wrapper for signup."""
-            return asyncio.run(handle_signup(email, password, confirm_password, username, current_session))
+            return asyncio.run(handle_signup(email, password, confirm_password, username, terms_accepted, current_session))
 
         def sync_logout(current_session: Dict):
             """Synchronous wrapper for logout."""
             return asyncio.run(handle_logout(current_session))
 
+        async def handle_password_reset(email: str):
+            """Handle password reset request."""
+            if not email:
+                return "", "❌ Please enter your email address"
+
+            success, message = await auth.request_password_reset(email)
+
+            # Simple success message
+            if success:
+                return "", f"{message}\n\nCheck your email and click the reset link to set your new password."
+
+            return "", message
+
+        def sync_password_reset(email: str):
+            """Synchronous wrapper for password reset."""
+            return asyncio.run(handle_password_reset(email))
+
+        async def handle_password_update(password: str, confirm: str, email: str, token_hash: str):
+            """Handle password update after reset with recovery token_hash."""
+            if not email:
+                return "❌ Please enter your email address"
+
+            if not password or not confirm:
+                return "❌ Please enter both password fields"
+
+            if password != confirm:
+                return "❌ Passwords do not match"
+
+            if len(password) < 6:
+                return "❌ Password must be at least 6 characters"
+
+            success, message = await auth.update_password(password, email, token_hash)
+            return message
+
+        def sync_password_update(password: str, confirm: str, email: str, token_hash: str):
+            """Synchronous wrapper for password update."""
+            return asyncio.run(handle_password_update(password, confirm, email, token_hash))
+
         # Connect authentication handlers
         login_btn.click(
             sync_login,
@@ -2456,6 +2618,53 @@ Please try again with different parameters.
             outputs=[session_state, signup_message]
         )
 
+        # Password reset handlers
+        forgot_password_btn.click(
+            lambda: (gr.update(visible=False), gr.update(visible=True)),
+            outputs=[login_container, password_reset_modal]
+        )
+
+        reset_cancel_btn.click(
+            lambda: (gr.update(visible=True), gr.update(visible=False), ""),
+            outputs=[login_container, password_reset_modal, reset_message]
+        )
+
+        update_cancel_btn.click(
+            lambda: (gr.update(visible=True), gr.update(visible=False), ""),
+            outputs=[login_container, password_update_modal, update_password_message]
+        )
+
+        reset_submit_btn.click(
+            sync_password_reset,
+            inputs=[reset_email],
+            outputs=[reset_email, reset_message]
+        )
+
+        # Show password update modal when recovery token_hash is detected
+        recovery_token_hash.change(
+            fn=lambda token: (
+                gr.update(visible=False) if token else gr.update(visible=True),
+                gr.update(visible=True) if token else gr.update(visible=False)
+            ),
+            inputs=[recovery_token_hash],
+            outputs=[login_container, password_update_modal]
+        )
+
+        # Password update handler (separate modal after email link click)
+        update_password_btn.click(
+            sync_password_update,
+            inputs=[new_password, confirm_new_password, recovery_email, recovery_token_hash],
+            outputs=[update_password_message]
+        ).then(
+            # On success, hide modal and show login form
+            lambda msg: (
+                gr.update(visible=False) if "✅" in msg else gr.update(visible=True),
+                gr.update(visible=True) if "✅" in msg else gr.update(visible=False)
+            ),
+            inputs=[update_password_message],
+            outputs=[password_update_modal, login_container]
+        )
+
         def handle_demo_mode(current_session: Dict):
             """Handle demo mode activation (anonymous with rate limiting)."""
             # Create a demo session (not authenticated)
@@ -2486,10 +2695,13 @@ Please try again with different parameters.
         logout_btn.click(
             sync_logout,
             inputs=[session_state],
-            outputs=[session_state, login_message, login_container, input_page, user_info]
-        ).then(
-            lambda: (gr.update(visible=False), gr.update(visible=False)),
-            outputs=[logout_btn, sidebar]
+            outputs=[
+                session_state, login_message, login_container, input_page, user_info,
+                logout_btn, sidebar, results_page, loading_page, history_page,
+                analysis_output, allocation_plot, risk_plot, performance_plot,
+                correlation_plot, optimization_plot, history_table,
+                password_reset_modal, password_update_modal
+            ]
         )
 
         # Navigation event handlers
@@ -2511,10 +2723,13 @@ Please try again with different parameters.
         nav_signout_btn.click(
             sync_logout,
             inputs=[session_state],
-            outputs=[session_state, login_message, login_container, input_page, user_info]
-        ).then(
-            lambda: (gr.update(visible=False), gr.update(visible=False)),
-            outputs=[logout_btn, sidebar]
+            outputs=[
+                session_state, login_message, login_container, input_page, user_info,
+                logout_btn, sidebar, results_page, loading_page, history_page,
+                analysis_output, allocation_plot, risk_plot, performance_plot,
+                correlation_plot, optimization_plot, history_table,
+                password_reset_modal, password_update_modal
+            ]
         )
 
     return demo

backend/auth.py

@@ -137,6 +137,92 @@ class SupabaseAuth:
 
         return False, "Signup failed", None
 
+    async def request_password_reset(self, email: str) -> Tuple[bool, str]:
+        """Request password reset email.
+
+        Args:
+            email: User email address
+
+        Returns:
+            Tuple of (success, message)
+        """
+        if self.demo_mode:
+            logger.warning("Password reset not available in demo mode")
+            return False, "Password reset is not available in demo mode"
+
+        try:
+            # Use Supabase auth to send reset email with redirect back to app
+            redirect_url = f"{settings.app_url}/"
+
+            self.client.auth.reset_password_for_email(
+                email,
+                options={
+                    "redirect_to": redirect_url
+                }
+            )
+
+            logger.info(f"Password reset requested for {email}, redirect to {redirect_url}")
+            return True, "Email sent!"
+
+        except Exception as e:
+            error_msg = str(e)
+            logger.error(f"Password reset failed: {error_msg}")
+
+            # Handle rate limiting
+            if "you can only request this after" in error_msg.lower():
+                return False, "❌ Please wait a minute before requesting another reset link"
+
+            return False, f"❌ Failed to send reset email: {error_msg}"
+
+    async def update_password(self, new_password: str, email: str, token_hash: str) -> Tuple[bool, str]:
+        """Update user password after reset using token_hash verification.
+
+        Args:
+            new_password: New password to set
+            email: User email address
+            token_hash: Recovery token hash from email link
+
+        Returns:
+            Tuple of (success, message)
+        """
+        if self.demo_mode:
+            logger.warning("Password update not available in demo mode")
+            return False, "Password update is not available in demo mode"
+
+        try:
+            # Verify the recovery token and establish session
+            # Note: For recovery tokens, only token_hash and type are needed (email is embedded in token)
+            verify_response = self.client.auth.verify_otp({
+                "token_hash": token_hash,
+                "type": "recovery"
+            })
+
+            if not verify_response.user:
+                logger.error("Token verification failed - no user returned")
+                return False, "❌ Invalid or expired reset link. Please request a new password reset."
+
+            logger.info(f"Token verified for user {verify_response.user.id}")
+
+            # Update password for authenticated user
+            update_response = self.client.auth.update_user({
+                "password": new_password
+            })
+
+            logger.info("Password updated successfully")
+            return True, "✅ Password updated successfully. You can now sign in with your new password."
+
+        except Exception as e:
+            error_msg = str(e)
+            logger.error(f"Password update failed: {error_msg}")
+
+            # Handle specific errors
+            if "expired" in error_msg.lower():
+                return False, "❌ Reset link has expired. Please request a new password reset."
+            elif "invalid" in error_msg.lower():
+                return False, "❌ Invalid reset link. Please request a new password reset."
+            else:
+                return False, f"❌ Failed to update password: {error_msg}"
+
     async def login(
         self,
         email: str,

backend/config.py

@@ -82,6 +82,11 @@ class Settings(BaseSettings):
         default="INFO",
         validation_alias="LOG_LEVEL"
     )
+    app_url: str = Field(
+        default="http://localhost:7860",
+        validation_alias="APP_URL",
+        description="Public URL where the application is accessible"
+    )
 
     # Rate Limiting Settings
     redis_url: Optional[str] = Field(