auth

2025-12-31 19:55:43 +01:00
parent 8260bf7baf
commit 167e82a52b
66 changed files with 5124 additions and 228 deletions
--- a/apps/api/src/development/use-cases/DemoLoginUseCase.ts
+++ b/apps/api/src/development/use-cases/DemoLoginUseCase.ts
@@ -0,0 +1,122 @@
+import { EmailAddress } from '@core/identity/domain/value-objects/EmailAddress';
+import { UserId } from '@core/identity/domain/value-objects/UserId';
+import { User } from '@core/identity/domain/entities/User';
+import { IAuthRepository } from '@core/identity/domain/repositories/IAuthRepository';
+import { IPasswordHashingService } from '@core/identity/domain/services/PasswordHashingService';
+import { Result } from '@core/shared/application/Result';
+import type { ApplicationErrorCode } from '@core/shared/errors/ApplicationErrorCode';
+import type { UseCaseOutputPort, Logger, UseCase } from '@core/shared/application';
+
+export type DemoLoginInput = {
+  role: 'driver' | 'sponsor' | 'league-owner' | 'league-steward' | 'league-admin' | 'system-owner' | 'super-admin';
+};
+
+export type DemoLoginResult = {
+  user: User;
+};
+
+export type DemoLoginErrorCode = 'DEMO_NOT_ALLOWED' | 'REPOSITORY_ERROR';
+
+export type DemoLoginApplicationError = ApplicationErrorCode<DemoLoginErrorCode, { message: string }>;
+
+/**
+ * Application Use Case: DemoLoginUseCase
+ *
+ * Provides demo login functionality for development environments.
+ * Creates demo users with predefined credentials.
+ * 
+ * ⚠️ DEVELOPMENT ONLY - Should be disabled in production
+ */
+export class DemoLoginUseCase implements UseCase<DemoLoginInput, void, DemoLoginErrorCode> {
+  constructor(
+    private readonly authRepo: IAuthRepository,
+    private readonly passwordService: IPasswordHashingService,
+    private readonly logger: Logger,
+    private readonly output: UseCaseOutputPort<DemoLoginResult>,
+  ) {}
+
+  async execute(input: DemoLoginInput): Promise<Result<void, DemoLoginApplicationError>> {
+    // Security check: Only allow in development
+    if (process.env.NODE_ENV !== 'development' && process.env.ALLOW_DEMO_LOGIN !== 'true') {
+      return Result.err({
+        code: 'DEMO_NOT_ALLOWED',
+        details: { message: 'Demo login is only available in development environment' },
+      });
+    }
+
+    try {
+      // Generate demo user email and display name based on role
+      const roleConfig = {
+        'driver': { email: 'demo.driver@example.com', name: 'John Demo', primaryDriverId: true },
+        'sponsor': { email: 'demo.sponsor@example.com', name: 'Jane Sponsor', primaryDriverId: false },
+        'league-owner': { email: 'demo.owner@example.com', name: 'Alex Owner', primaryDriverId: true },
+        'league-steward': { email: 'demo.steward@example.com', name: 'Sam Steward', primaryDriverId: true },
+        'league-admin': { email: 'demo.admin@example.com', name: 'Taylor Admin', primaryDriverId: true },
+        'system-owner': { email: 'demo.systemowner@example.com', name: 'System Owner', primaryDriverId: true },
+        'super-admin': { email: 'demo.superadmin@example.com', name: 'Super Admin', primaryDriverId: true },
+      };
+
+      const config = roleConfig[input.role];
+      const emailVO = EmailAddress.create(config.email);
+
+      // Check if demo user already exists
+      let user = await this.authRepo.findByEmail(emailVO);
+
+      if (!user) {
+        // Create new demo user
+        this.logger.info('[DemoLoginUseCase] Creating new demo user', { role: input.role });
+
+        const userId = UserId.create();
+        
+        // Use a fixed demo password and hash it
+        const demoPassword = 'Demo1234!';
+        const hashedPassword = await this.passwordService.hash(demoPassword);
+        
+        // Import PasswordHash and create proper object
+        const passwordHashModule = await import('@core/identity/domain/value-objects/PasswordHash');
+        const passwordHash = passwordHashModule.PasswordHash.fromHash(hashedPassword);
+
+        const userProps: any = {
+          id: userId,
+          displayName: config.name,
+          email: config.email,
+          passwordHash,
+        };
+        
+        if (config.primaryDriverId) {
+          userProps.primaryDriverId = `demo-${input.role}-${userId.value}`;
+          // Add avatar URL for demo users with primary driver
+          // Use the same format as seeded drivers: /media/default/neutral-default-avatar
+          userProps.avatarUrl = '/media/default/neutral-default-avatar';
+        }
+
+        user = User.create(userProps);
+
+        await this.authRepo.save(user);
+      } else {
+        this.logger.info('[DemoLoginUseCase] Using existing demo user', {
+          role: input.role,
+          userId: user.getId().value
+        });
+      }
+
+      this.output.present({ user });
+
+      return Result.ok(undefined);
+    } catch (error) {
+      const message =
+        error instanceof Error && error.message
+          ? error.message
+          : 'Failed to execute DemoLoginUseCase';
+
+      this.logger.error('DemoLoginUseCase.execute failed', error instanceof Error ? error : undefined, {
+        input,
+      });
+
+      return Result.err({
+        code: 'REPOSITORY_ERROR',
+        details: { message },
+      });
+    }
+  }
+}
--- a/apps/api/src/domain/auth/AuthController.ts
+++ b/apps/api/src/domain/auth/AuthController.ts
@@ -1,9 +1,10 @@
 import { Controller, Get, Post, Body, Query, Inject, Res } from '@nestjs/common';
 import { Public } from './Public';
 import { AuthService } from './AuthService';
-import { LoginParamsDTO, SignupParamsDTO, AuthSessionDTO } from './dtos/AuthDto';
+import { LoginParamsDTO, SignupParamsDTO, AuthSessionDTO, ForgotPasswordDTO, ResetPasswordDTO, DemoLoginDTO } from './dtos/AuthDto';
 import type { CommandResultDTO } from './presenters/CommandResultPresenter';
 import type { Response } from 'express';
+// ProductionGuard will be added if needed - for now we'll use environment check directly

@Public()
@Controller('auth')
@@ -47,4 +48,23 @@ export class AuthController {
  ): Promise<AuthSessionDTO> {
    return this.authService.iracingCallback(code, state, returnTo);
  }
+
+  @Post('forgot-password')
+  async forgotPassword(@Body() params: ForgotPasswordDTO): Promise<{ message: string; magicLink?: string }> {
+    return this.authService.forgotPassword(params);
+  }
+
+  @Post('reset-password')
+  async resetPassword(@Body() params: ResetPasswordDTO): Promise<{ message: string }> {
+    return this.authService.resetPassword(params);
+  }
+
+  @Post('demo-login')
+  async demoLogin(@Body() params: DemoLoginDTO): Promise<AuthSessionDTO> {
+    // Manual production check
+    if (process.env.NODE_ENV === 'production') {
+      throw new Error('Demo login is not available in production');
+    }
+    return this.authService.demoLogin(params);
+  }
 }
--- a/apps/api/src/domain/auth/AuthProviders.ts
+++ b/apps/api/src/domain/auth/AuthProviders.ts
@@ -4,22 +4,35 @@ import { CookieIdentitySessionAdapter } from '@adapters/identity/session/CookieI
 import { LoginUseCase } from '@core/identity/application/use-cases/LoginUseCase';
 import { LogoutUseCase } from '@core/identity/application/use-cases/LogoutUseCase';
 import { SignupUseCase } from '@core/identity/application/use-cases/SignupUseCase';
+import { ForgotPasswordUseCase } from '@core/identity/application/use-cases/ForgotPasswordUseCase';
+import { ResetPasswordUseCase } from '@core/identity/application/use-cases/ResetPasswordUseCase';
+import { DemoLoginUseCase } from '../../development/use-cases/DemoLoginUseCase';
 import type { IdentitySessionPort } from '@core/identity/application/ports/IdentitySessionPort';
 import type { IAuthRepository } from '@core/identity/domain/repositories/IAuthRepository';
+import type { IMagicLinkRepository } from '@core/identity/domain/repositories/IMagicLinkRepository';
 import type { IPasswordHashingService } from '@core/identity/domain/services/PasswordHashingService';
+import type { IMagicLinkNotificationPort } from '@core/identity/domain/ports/IMagicLinkNotificationPort';
 import type { LoginResult } from '@core/identity/application/use-cases/LoginUseCase';
 import type { LogoutResult } from '@core/identity/application/use-cases/LogoutUseCase';
 import type { SignupResult } from '@core/identity/application/use-cases/SignupUseCase';
+import type { ForgotPasswordResult } from '@core/identity/application/use-cases/ForgotPasswordUseCase';
+import type { ResetPasswordResult } from '@core/identity/application/use-cases/ResetPasswordUseCase';
+import type { DemoLoginResult } from '../../development/use-cases/DemoLoginUseCase';
 import type { Logger, UseCaseOutputPort } from '@core/shared/application';

 import {
  AUTH_REPOSITORY_TOKEN,
  PASSWORD_HASHING_SERVICE_TOKEN,
  USER_REPOSITORY_TOKEN,
+  MAGIC_LINK_REPOSITORY_TOKEN,
 } from '../../persistence/identity/IdentityPersistenceTokens';

 import { AuthSessionPresenter } from './presenters/AuthSessionPresenter';
 import { CommandResultPresenter } from './presenters/CommandResultPresenter';
+import { ForgotPasswordPresenter } from './presenters/ForgotPasswordPresenter';
+import { ResetPasswordPresenter } from './presenters/ResetPasswordPresenter';
+import { DemoLoginPresenter } from './presenters/DemoLoginPresenter';
+import { ConsoleMagicLinkNotificationAdapter } from '@adapters/notifications/ports/ConsoleMagicLinkNotificationAdapter';

 // Define the tokens for dependency injection
 export { AUTH_REPOSITORY_TOKEN, USER_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN };
@@ -28,9 +41,16 @@ export const IDENTITY_SESSION_PORT_TOKEN = 'IdentitySessionPort';
 export const LOGIN_USE_CASE_TOKEN = 'LoginUseCase';
 export const SIGNUP_USE_CASE_TOKEN = 'SignupUseCase';
 export const LOGOUT_USE_CASE_TOKEN = 'LogoutUseCase';
+export const FORGOT_PASSWORD_USE_CASE_TOKEN = 'ForgotPasswordUseCase';
+export const RESET_PASSWORD_USE_CASE_TOKEN = 'ResetPasswordUseCase';
+export const DEMO_LOGIN_USE_CASE_TOKEN = 'DemoLoginUseCase';

 export const AUTH_SESSION_OUTPUT_PORT_TOKEN = 'AuthSessionOutputPort';
 export const COMMAND_RESULT_OUTPUT_PORT_TOKEN = 'CommandResultOutputPort';
+export const FORGOT_PASSWORD_OUTPUT_PORT_TOKEN = 'ForgotPasswordOutputPort';
+export const RESET_PASSWORD_OUTPUT_PORT_TOKEN = 'ResetPasswordOutputPort';
+export const DEMO_LOGIN_OUTPUT_PORT_TOKEN = 'DemoLoginOutputPort';
+export const MAGIC_LINK_NOTIFICATION_PORT_TOKEN = 'MagicLinkNotificationPort';

 export const AuthProviders: Provider[] = [
  {
@@ -80,4 +100,65 @@ export const AuthProviders: Provider[] = [
      new LogoutUseCase(sessionPort, logger, output),
    inject: [IDENTITY_SESSION_PORT_TOKEN, LOGGER_TOKEN, COMMAND_RESULT_OUTPUT_PORT_TOKEN],
  },
+  {
+    provide: ForgotPasswordPresenter,
+    useClass: ForgotPasswordPresenter,
+  },
+  {
+    provide: ResetPasswordPresenter,
+    useClass: ResetPasswordPresenter,
+  },
+  {
+    provide: DemoLoginPresenter,
+    useClass: DemoLoginPresenter,
+  },
+  {
+    provide: FORGOT_PASSWORD_OUTPUT_PORT_TOKEN,
+    useExisting: ForgotPasswordPresenter,
+  },
+  {
+    provide: RESET_PASSWORD_OUTPUT_PORT_TOKEN,
+    useExisting: ResetPasswordPresenter,
+  },
+  {
+    provide: DEMO_LOGIN_OUTPUT_PORT_TOKEN,
+    useExisting: DemoLoginPresenter,
+  },
+  {
+    provide: MAGIC_LINK_NOTIFICATION_PORT_TOKEN,
+    useFactory: (logger: Logger) => new ConsoleMagicLinkNotificationAdapter(logger),
+    inject: [LOGGER_TOKEN],
+  },
+  {
+    provide: FORGOT_PASSWORD_USE_CASE_TOKEN,
+    useFactory: (
+      authRepo: IAuthRepository,
+      magicLinkRepo: IMagicLinkRepository,
+      notificationPort: IMagicLinkNotificationPort,
+      logger: Logger,
+      output: UseCaseOutputPort<ForgotPasswordResult>,
+    ) => new ForgotPasswordUseCase(authRepo, magicLinkRepo, notificationPort, logger, output),
+    inject: [AUTH_REPOSITORY_TOKEN, MAGIC_LINK_REPOSITORY_TOKEN, MAGIC_LINK_NOTIFICATION_PORT_TOKEN, LOGGER_TOKEN, FORGOT_PASSWORD_OUTPUT_PORT_TOKEN],
+  },
+  {
+    provide: RESET_PASSWORD_USE_CASE_TOKEN,
+    useFactory: (
+      authRepo: IAuthRepository,
+      magicLinkRepo: IMagicLinkRepository,
+      passwordHashing: IPasswordHashingService,
+      logger: Logger,
+      output: UseCaseOutputPort<ResetPasswordResult>,
+    ) => new ResetPasswordUseCase(authRepo, magicLinkRepo, passwordHashing, logger, output),
+    inject: [AUTH_REPOSITORY_TOKEN, MAGIC_LINK_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN, LOGGER_TOKEN, RESET_PASSWORD_OUTPUT_PORT_TOKEN],
+  },
+  {
+    provide: DEMO_LOGIN_USE_CASE_TOKEN,
+    useFactory: (
+      authRepo: IAuthRepository,
+      passwordHashing: IPasswordHashingService,
+      logger: Logger,
+      output: UseCaseOutputPort<DemoLoginResult>,
+    ) => new DemoLoginUseCase(authRepo, passwordHashing, logger, output),
+    inject: [AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN, LOGGER_TOKEN, DEMO_LOGIN_OUTPUT_PORT_TOKEN],
+  },
 ];
--- a/apps/api/src/domain/auth/AuthService.new.test.ts
+++ b/apps/api/src/domain/auth/AuthService.new.test.ts
@@ -0,0 +1,248 @@
+import { describe, expect, it, vi } from 'vitest';
+import { AuthService } from './AuthService';
+import { Result } from '@core/shared/application/Result';
+
+class FakeAuthSessionPresenter {
+  private model: any = null;
+  reset() { this.model = null; }
+  present(model: any) { this.model = model; }
+  get responseModel() {
+    if (!this.model) throw new Error('Presenter not presented');
+    return this.model;
+  }
+}
+
+class FakeCommandResultPresenter {
+  private model: any = null;
+  reset() { this.model = null; }
+  present(model: any) { this.model = model; }
+  get responseModel() {
+    if (!this.model) throw new Error('Presenter not presented');
+    return this.model;
+  }
+}
+
+class FakeForgotPasswordPresenter {
+  private model: any = null;
+  reset() { this.model = null; }
+  present(model: any) { this.model = model; }
+  get responseModel() {
+    if (!this.model) throw new Error('Presenter not presented');
+    return this.model;
+  }
+}
+
+class FakeResetPasswordPresenter {
+  private model: any = null;
+  reset() { this.model = null; }
+  present(model: any) { this.model = model; }
+  get responseModel() {
+    if (!this.model) throw new Error('Presenter not presented');
+    return this.model;
+  }
+}
+
+class FakeDemoLoginPresenter {
+  private model: any = null;
+  reset() { this.model = null; }
+  present(model: any) { this.model = model; }
+  get responseModel() {
+    if (!this.model) throw new Error('Presenter not presented');
+    return this.model;
+  }
+}
+
+describe('AuthService - New Methods', () => {
+  describe('forgotPassword', () => {
+    it('should execute forgot password use case and return result', async () => {
+      const forgotPasswordPresenter = new FakeForgotPasswordPresenter();
+      const forgotPasswordUseCase = {
+        execute: vi.fn(async () => {
+          forgotPasswordPresenter.present({ message: 'Reset link sent', magicLink: 'http://example.com/reset?token=abc123' });
+          return Result.ok(undefined);
+        }),
+      };
+
+      const service = new AuthService(
+        { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
+        { getCurrentSession: vi.fn(), createSession: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        new FakeAuthSessionPresenter() as any,
+        new FakeCommandResultPresenter() as any,
+        forgotPasswordPresenter as any,
+        new FakeResetPasswordPresenter() as any,
+        new FakeDemoLoginPresenter() as any,
+      );
+
+      const result = await service.forgotPassword({ email: 'test@example.com' });
+
+      expect(forgotPasswordUseCase.execute).toHaveBeenCalledWith({ email: 'test@example.com' });
+      expect(result).toEqual({
+        message: 'Reset link sent',
+        magicLink: 'http://example.com/reset?token=abc123',
+      });
+    });
+
+    it('should throw error on use case failure', async () => {
+      const service = new AuthService(
+        { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
+        { getCurrentSession: vi.fn(), createSession: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn(async () => Result.err({ code: 'RATE_LIMIT_EXCEEDED', details: { message: 'Too many attempts' } })) } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        new FakeAuthSessionPresenter() as any,
+        new FakeCommandResultPresenter() as any,
+        new FakeForgotPasswordPresenter() as any,
+        new FakeResetPasswordPresenter() as any,
+        new FakeDemoLoginPresenter() as any,
+      );
+
+      await expect(service.forgotPassword({ email: 'test@example.com' })).rejects.toThrow('Too many attempts');
+    });
+  });
+
+  describe('resetPassword', () => {
+    it('should execute reset password use case and return result', async () => {
+      const resetPasswordPresenter = new FakeResetPasswordPresenter();
+      const resetPasswordUseCase = {
+        execute: vi.fn(async () => {
+          resetPasswordPresenter.present({ message: 'Password reset successfully' });
+          return Result.ok(undefined);
+        }),
+      };
+
+      const service = new AuthService(
+        { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
+        { getCurrentSession: vi.fn(), createSession: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        resetPasswordUseCase as any,
+        { execute: vi.fn() } as any,
+        new FakeAuthSessionPresenter() as any,
+        new FakeCommandResultPresenter() as any,
+        new FakeForgotPasswordPresenter() as any,
+        resetPasswordPresenter as any,
+        new FakeDemoLoginPresenter() as any,
+      );
+
+      const result = await service.resetPassword({
+        token: 'abc123',
+        newPassword: 'NewPass123!',
+      });
+
+      expect(resetPasswordUseCase.execute).toHaveBeenCalledWith({
+        token: 'abc123',
+        newPassword: 'NewPass123!',
+      });
+      expect(result).toEqual({ message: 'Password reset successfully' });
+    });
+
+    it('should throw error on use case failure', async () => {
+      const service = new AuthService(
+        { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
+        { getCurrentSession: vi.fn(), createSession: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn(async () => Result.err({ code: 'INVALID_TOKEN', details: { message: 'Invalid token' } })) } as any,
+        { execute: vi.fn() } as any,
+        new FakeAuthSessionPresenter() as any,
+        new FakeCommandResultPresenter() as any,
+        new FakeForgotPasswordPresenter() as any,
+        new FakeResetPasswordPresenter() as any,
+        new FakeDemoLoginPresenter() as any,
+      );
+
+      await expect(
+        service.resetPassword({ token: 'invalid', newPassword: 'NewPass123!' })
+      ).rejects.toThrow('Invalid token');
+    });
+  });
+
+  describe('demoLogin', () => {
+    it('should execute demo login use case and create session', async () => {
+      const demoLoginPresenter = new FakeDemoLoginPresenter();
+      const mockUser = {
+        getId: () => ({ value: 'demo-user-123' }),
+        getDisplayName: () => 'Demo Driver',
+        getEmail: () => 'demo.driver@example.com',
+      };
+
+      const demoLoginUseCase = {
+        execute: vi.fn(async () => {
+          demoLoginPresenter.present({ user: mockUser });
+          return Result.ok(undefined);
+        }),
+      };
+
+      const identitySessionPort = {
+        getCurrentSession: vi.fn(),
+        createSession: vi.fn(async () => ({ token: 'demo-token-123' })),
+      };
+
+      const service = new AuthService(
+        { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
+        identitySessionPort as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        demoLoginUseCase as any,
+        new FakeAuthSessionPresenter() as any,
+        new FakeCommandResultPresenter() as any,
+        new FakeForgotPasswordPresenter() as any,
+        new FakeResetPasswordPresenter() as any,
+        demoLoginPresenter as any,
+      );
+
+      const result = await service.demoLogin({ role: 'driver' });
+
+      expect(demoLoginUseCase.execute).toHaveBeenCalledWith({ role: 'driver' });
+      expect(identitySessionPort.createSession).toHaveBeenCalledWith({
+        id: 'demo-user-123',
+        displayName: 'Demo Driver',
+        email: 'demo.driver@example.com',
+      });
+      expect(result).toEqual({
+        token: 'demo-token-123',
+        user: {
+          userId: 'demo-user-123',
+          email: 'demo.driver@example.com',
+          displayName: 'Demo Driver',
+        },
+      });
+    });
+
+    it('should throw error on use case failure', async () => {
+      const service = new AuthService(
+        { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
+        { getCurrentSession: vi.fn(), createSession: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn() } as any,
+        { execute: vi.fn(async () => Result.err({ code: 'DEMO_NOT_ALLOWED', details: { message: 'Demo not allowed' } })) } as any,
+        new FakeAuthSessionPresenter() as any,
+        new FakeCommandResultPresenter() as any,
+        new FakeForgotPasswordPresenter() as any,
+        new FakeResetPasswordPresenter() as any,
+        new FakeDemoLoginPresenter() as any,
+      );
+
+      await expect(service.demoLogin({ role: 'driver' })).rejects.toThrow('Demo not allowed');
+    });
+  });
+});
--- a/apps/api/src/domain/auth/AuthService.test.ts
+++ b/apps/api/src/domain/auth/AuthService.test.ts
@@ -38,8 +38,14 @@ describe('AuthService', () => {
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      new FakeAuthSessionPresenter() as any,
      new FakeCommandResultPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    await expect(service.getCurrentSession()).resolves.toBeNull();
@@ -58,8 +64,14 @@ describe('AuthService', () => {
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      new FakeAuthSessionPresenter() as any,
      new FakeCommandResultPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    await expect(service.getCurrentSession()).resolves.toEqual({
@@ -88,8 +100,14 @@ describe('AuthService', () => {
      { execute: vi.fn() } as any,
      signupUseCase as any,
      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      authSessionPresenter as any,
      new FakeCommandResultPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    const session = await service.signupWithEmail({
@@ -118,8 +136,14 @@ describe('AuthService', () => {
      { execute: vi.fn() } as any,
      { execute: vi.fn(async () => Result.err({ code: 'REPOSITORY_ERROR' } as any)) } as any,
      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      new FakeAuthSessionPresenter() as any,
      new FakeCommandResultPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    await expect(
@@ -147,8 +171,14 @@ describe('AuthService', () => {
      loginUseCase as any,
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      authSessionPresenter as any,
      new FakeCommandResultPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    await expect(service.loginWithEmail({ email: 'e3', password: 'p3' } as any)).resolves.toEqual({
@@ -171,8 +201,14 @@ describe('AuthService', () => {
      { execute: vi.fn(async () => Result.err({ code: 'INVALID_CREDENTIALS', details: { message: 'Bad login' } })) } as any,
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      new FakeAuthSessionPresenter() as any,
      new FakeCommandResultPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    await expect(service.loginWithEmail({ email: 'e', password: 'p' } as any)).rejects.toThrow('Bad login');
@@ -185,8 +221,14 @@ describe('AuthService', () => {
      { execute: vi.fn(async () => Result.err({ code: 'INVALID_CREDENTIALS' } as any)) } as any,
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      new FakeAuthSessionPresenter() as any,
      new FakeCommandResultPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    await expect(service.loginWithEmail({ email: 'e', password: 'p' } as any)).rejects.toThrow('Login failed');
@@ -207,8 +249,14 @@ describe('AuthService', () => {
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
      logoutUseCase as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      new FakeAuthSessionPresenter() as any,
      commandResultPresenter as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    await expect(service.logout()).resolves.toEqual({ success: true });
@@ -221,8 +269,14 @@ describe('AuthService', () => {
      { execute: vi.fn() } as any,
      { execute: vi.fn() } as any,
      { execute: vi.fn(async () => Result.err({ code: 'REPOSITORY_ERROR' } as any)) } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
+      { execute: vi.fn() } as any,
      new FakeAuthSessionPresenter() as any,
      new FakeCommandResultPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
+      new FakeAuthSessionPresenter() as any,
    );

    await expect(service.logout()).rejects.toThrow('Logout failed');
--- a/apps/api/src/domain/auth/AuthService.ts
+++ b/apps/api/src/domain/auth/AuthService.ts
@@ -13,23 +13,47 @@ import {
  type SignupApplicationError,
  type SignupInput,
 } from '@core/identity/application/use-cases/SignupUseCase';
+import {
+  ForgotPasswordUseCase,
+  type ForgotPasswordApplicationError,
+  type ForgotPasswordInput,
+} from '@core/identity/application/use-cases/ForgotPasswordUseCase';
+import {
+  ResetPasswordUseCase,
+  type ResetPasswordApplicationError,
+  type ResetPasswordInput,
+} from '@core/identity/application/use-cases/ResetPasswordUseCase';
+import {
+  DemoLoginUseCase,
+  type DemoLoginApplicationError,
+  type DemoLoginInput,
+} from '../../development/use-cases/DemoLoginUseCase';

 import type { IdentitySessionPort } from '@core/identity/application/ports/IdentitySessionPort';

 import {
  AUTH_SESSION_OUTPUT_PORT_TOKEN,
  COMMAND_RESULT_OUTPUT_PORT_TOKEN,
+  FORGOT_PASSWORD_OUTPUT_PORT_TOKEN,
+  RESET_PASSWORD_OUTPUT_PORT_TOKEN,
+  DEMO_LOGIN_OUTPUT_PORT_TOKEN,
  IDENTITY_SESSION_PORT_TOKEN,
  LOGGER_TOKEN,
  LOGIN_USE_CASE_TOKEN,
  LOGOUT_USE_CASE_TOKEN,
  SIGNUP_USE_CASE_TOKEN,
+  FORGOT_PASSWORD_USE_CASE_TOKEN,
+  RESET_PASSWORD_USE_CASE_TOKEN,
+  DEMO_LOGIN_USE_CASE_TOKEN,
 } from './AuthProviders';
-import type { AuthSessionDTO } from './dtos/AuthDto';
+import type { AuthSessionDTO, AuthenticatedUserDTO } from './dtos/AuthDto';
 import { LoginParamsDTO, SignupParamsDTO } from './dtos/AuthDto';
 import { AuthSessionPresenter } from './presenters/AuthSessionPresenter';
 import type { CommandResultDTO } from './presenters/CommandResultPresenter';
 import { CommandResultPresenter } from './presenters/CommandResultPresenter';
+import { ForgotPasswordPresenter } from './presenters/ForgotPasswordPresenter';
+import { ResetPasswordPresenter } from './presenters/ResetPasswordPresenter';
+import { DemoLoginPresenter } from './presenters/DemoLoginPresenter';

 function mapApplicationErrorToMessage(error: { details?: { message?: string } } | undefined, fallback: string): string {
  return error?.details?.message ?? fallback;
@@ -43,11 +67,20 @@ export class AuthService {
    @Inject(LOGIN_USE_CASE_TOKEN) private readonly loginUseCase: LoginUseCase,
    @Inject(SIGNUP_USE_CASE_TOKEN) private readonly signupUseCase: SignupUseCase,
    @Inject(LOGOUT_USE_CASE_TOKEN) private readonly logoutUseCase: LogoutUseCase,
+    @Inject(FORGOT_PASSWORD_USE_CASE_TOKEN) private readonly forgotPasswordUseCase: ForgotPasswordUseCase,
+    @Inject(RESET_PASSWORD_USE_CASE_TOKEN) private readonly resetPasswordUseCase: ResetPasswordUseCase,
+    @Inject(DEMO_LOGIN_USE_CASE_TOKEN) private readonly demoLoginUseCase: DemoLoginUseCase,
    // TODO presenters must not be injected
    @Inject(AUTH_SESSION_OUTPUT_PORT_TOKEN)
    private readonly authSessionPresenter: AuthSessionPresenter,
    @Inject(COMMAND_RESULT_OUTPUT_PORT_TOKEN)
    private readonly commandResultPresenter: CommandResultPresenter,
+    @Inject(FORGOT_PASSWORD_OUTPUT_PORT_TOKEN)
+    private readonly forgotPasswordPresenter: ForgotPasswordPresenter,
+    @Inject(RESET_PASSWORD_OUTPUT_PORT_TOKEN)
+    private readonly resetPasswordPresenter: ResetPasswordPresenter,
+    @Inject(DEMO_LOGIN_OUTPUT_PORT_TOKEN)
+    private readonly demoLoginPresenter: DemoLoginPresenter,
  ) {}

  async getCurrentSession(): Promise<AuthSessionDTO | null> {
@@ -189,4 +222,94 @@ export class AuthService {
      },
    };
  }
+
+  async forgotPassword(params: { email: string }): Promise<{ message: string; magicLink?: string }> {
+    this.logger.debug(`[AuthService] Attempting forgot password for email: ${params.email}`);
+
+    this.forgotPasswordPresenter.reset();
+
+    const input: ForgotPasswordInput = {
+      email: params.email,
+    };
+
+    const executeResult = await this.forgotPasswordUseCase.execute(input);
+
+    if (executeResult.isErr()) {
+      const error = executeResult.unwrapErr() as ForgotPasswordApplicationError;
+      throw new Error(mapApplicationErrorToMessage(error, 'Forgot password failed'));
+    }
+
+    const response = this.forgotPasswordPresenter.responseModel;
+    const result: { message: string; magicLink?: string } = {
+      message: response.message,
+    };
+    if (response.magicLink) {
+      result.magicLink = response.magicLink;
+    }
+    return result;
+  }
+
+  async resetPassword(params: { token: string; newPassword: string }): Promise<{ message: string }> {
+    this.logger.debug('[AuthService] Attempting reset password');
+
+    this.resetPasswordPresenter.reset();
+
+    const input: ResetPasswordInput = {
+      token: params.token,
+      newPassword: params.newPassword,
+    };
+
+    const result = await this.resetPasswordUseCase.execute(input);
+
+    if (result.isErr()) {
+      const error = result.unwrapErr() as ResetPasswordApplicationError;
+      throw new Error(mapApplicationErrorToMessage(error, 'Reset password failed'));
+    }
+
+    return this.resetPasswordPresenter.responseModel;
+  }
+
+  async demoLogin(params: { role: 'driver' | 'sponsor' | 'league-owner' | 'league-steward' | 'league-admin' | 'system-owner' | 'super-admin' }): Promise<AuthSessionDTO> {
+    this.logger.debug(`[AuthService] Attempting demo login for role: ${params.role}`);
+
+    this.demoLoginPresenter.reset();
+
+    const input: DemoLoginInput = {
+      role: params.role,
+    };
+
+    const result = await this.demoLoginUseCase.execute(input);
+
+    if (result.isErr()) {
+      const error = result.unwrapErr() as DemoLoginApplicationError;
+      throw new Error(mapApplicationErrorToMessage(error, 'Demo login failed'));
+    }
+
+    const user = this.demoLoginPresenter.responseModel.user;
+    const primaryDriverId = user.getPrimaryDriverId();
+    
+    // Use primaryDriverId for session if available, otherwise fall back to userId
+    const sessionId = primaryDriverId ?? user.getId().value;
+    
+    const session = await this.identitySessionPort.createSession({
+      id: sessionId,
+      displayName: user.getDisplayName(),
+      email: user.getEmail() ?? '',
+    });
+
+    const userDTO: AuthenticatedUserDTO = {
+      userId: user.getId().value,
+      email: user.getEmail() ?? '',
+      displayName: user.getDisplayName(),
+    };
+    
+    if (primaryDriverId !== undefined) {
+      userDTO.primaryDriverId = primaryDriverId;
+    }
+
+    return {
+      token: session.token,
+      user: userDTO,
+    };
+  }
 }
--- a/apps/api/src/domain/auth/ProductionGuard.ts
+++ b/apps/api/src/domain/auth/ProductionGuard.ts
@@ -0,0 +1,18 @@
+import { CanActivate, ExecutionContext, Injectable, ForbiddenException } from '@nestjs/common';
+
+@Injectable()
+export class ProductionGuard implements CanActivate {
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest();
+    const path = request.path;
+    
+    // Block demo login in production
+    if (path === '/auth/demo-login' || path === '/api/auth/demo-login') {
+      if (process.env.NODE_ENV === 'production') {
+        throw new ForbiddenException('Demo login is not available in production');
+      }
+    }
+    
+    return true;
+  }
+}
--- a/apps/api/src/domain/auth/dtos/AuthDto.ts
+++ b/apps/api/src/domain/auth/dtos/AuthDto.ts
@@ -1,4 +1,5 @@
 import { ApiProperty } from '@nestjs/swagger';
+import { IsEmail, IsString, MinLength, IsIn } from 'class-validator';

 export class AuthenticatedUserDTO {
  @ApiProperty()
@@ -7,6 +8,10 @@ export class AuthenticatedUserDTO {
  email!: string;
  @ApiProperty()
  displayName!: string;
+  @ApiProperty({ required: false })
+  primaryDriverId?: string;
+  @ApiProperty({ required: false, nullable: true })
+  avatarUrl?: string | null;
 }

 export class AuthSessionDTO {
@@ -53,3 +58,27 @@ export class LoginWithIracingCallbackParamsDTO {
  @ApiProperty({ required: false })
  returnTo?: string;
 }
+
+export class ForgotPasswordDTO {
+  @ApiProperty()
+  @IsEmail()
+  email!: string;
+}
+
+export class ResetPasswordDTO {
+  @ApiProperty()
+  @IsString()
+  token!: string;
+
+  @ApiProperty()
+  @IsString()
+  @MinLength(8)
+  newPassword!: string;
+}
+
+export class DemoLoginDTO {
+  @ApiProperty({ enum: ['driver', 'sponsor', 'league-owner', 'league-steward', 'league-admin', 'system-owner', 'super-admin'] })
+  @IsString()
+  @IsIn(['driver', 'sponsor', 'league-owner', 'league-steward', 'league-admin', 'system-owner', 'super-admin'])
+  role!: 'driver' | 'sponsor' | 'league-owner' | 'league-steward' | 'league-admin' | 'system-owner' | 'super-admin';
+}
--- a/apps/api/src/domain/auth/presenters/AuthSessionPresenter.ts
+++ b/apps/api/src/domain/auth/presenters/AuthSessionPresenter.ts
@@ -13,10 +13,14 @@ export class AuthSessionPresenter implements UseCaseOutputPort<AuthSessionResult
  }

  present(result: AuthSessionResult): void {
+    const primaryDriverId = result.user.getPrimaryDriverId();
+    const avatarUrl = result.user.getAvatarUrl();
    this.model = {
      userId: result.user.getId().value,
      email: result.user.getEmail() ?? '',
      displayName: result.user.getDisplayName() ?? '',
+      ...(primaryDriverId !== undefined ? { primaryDriverId } : {}),
+      ...(avatarUrl !== undefined ? { avatarUrl } : {}),
    };
  }

--- a/apps/api/src/domain/auth/presenters/DemoLoginPresenter.ts
+++ b/apps/api/src/domain/auth/presenters/DemoLoginPresenter.ts
@@ -0,0 +1,23 @@
+import { Injectable } from '@nestjs/common';
+import { UseCaseOutputPort } from '@core/shared/application';
+import { DemoLoginResult } from '../../../development/use-cases/DemoLoginUseCase';
+
+@Injectable()
+export class DemoLoginPresenter implements UseCaseOutputPort<DemoLoginResult> {
+  private _responseModel: DemoLoginResult | null = null;
+
+  present(result: DemoLoginResult): void {
+    this._responseModel = result;
+  }
+
+  get responseModel(): DemoLoginResult {
+    if (!this._responseModel) {
+      throw new Error('DemoLoginPresenter: No response model available');
+    }
+    return this._responseModel;
+  }
+
+  reset(): void {
+    this._responseModel = null;
+  }
+}
--- a/apps/api/src/domain/auth/presenters/ForgotPasswordPresenter.ts
+++ b/apps/api/src/domain/auth/presenters/ForgotPasswordPresenter.ts
@@ -0,0 +1,23 @@
+import { Injectable } from '@nestjs/common';
+import { UseCaseOutputPort } from '@core/shared/application';
+import { ForgotPasswordResult } from '@core/identity/application/use-cases/ForgotPasswordUseCase';
+
+@Injectable()
+export class ForgotPasswordPresenter implements UseCaseOutputPort<ForgotPasswordResult> {
+  private _responseModel: ForgotPasswordResult | null = null;
+
+  present(result: ForgotPasswordResult): void {
+    this._responseModel = result;
+  }
+
+  get responseModel(): ForgotPasswordResult {
+    if (!this._responseModel) {
+      throw new Error('ForgotPasswordPresenter: No response model available');
+    }
+    return this._responseModel;
+  }
+
+  reset(): void {
+    this._responseModel = null;
+  }
+}
--- a/apps/api/src/domain/auth/presenters/ResetPasswordPresenter.ts
+++ b/apps/api/src/domain/auth/presenters/ResetPasswordPresenter.ts
@@ -0,0 +1,23 @@
+import { Injectable } from '@nestjs/common';
+import { UseCaseOutputPort } from '@core/shared/application';
+import { ResetPasswordResult } from '@core/identity/application/use-cases/ResetPasswordUseCase';
+
+@Injectable()
+export class ResetPasswordPresenter implements UseCaseOutputPort<ResetPasswordResult> {
+  private _responseModel: ResetPasswordResult | null = null;
+
+  present(result: ResetPasswordResult): void {
+    this._responseModel = result;
+  }
+
+  get responseModel(): ResetPasswordResult {
+    if (!this._responseModel) {
+      throw new Error('ResetPasswordPresenter: No response model available');
+    }
+    return this._responseModel;
+  }
+
+  reset(): void {
+    this._responseModel = null;
+  }
+}
--- a/apps/api/src/domain/dashboard/DashboardProviders.ts
+++ b/apps/api/src/domain/dashboard/DashboardProviders.ts
@@ -20,6 +20,7 @@ import { DashboardOverviewUseCase } from '@core/racing/application/use-cases/Das
 import { ConsoleLogger } from '@adapters/logging/ConsoleLogger';
 import { InMemoryImageServiceAdapter } from '@adapters/media/ports/InMemoryImageServiceAdapter';
 import { DashboardOverviewPresenter } from './presenters/DashboardOverviewPresenter';
+import { DashboardService } from './DashboardService';

 // Define injection tokens
 export const LOGGER_TOKEN = 'Logger';
@@ -92,4 +93,19 @@ export const DashboardProviders: Provider[] = [
      DASHBOARD_OVERVIEW_OUTPUT_PORT_TOKEN,
    ],
  },
+  {
+    provide: DashboardService,
+    useFactory: (
+      logger: Logger,
+      dashboardOverviewUseCase: DashboardOverviewUseCase,
+      presenter: DashboardOverviewPresenter,
+      imageService: ImageServicePort,
+    ) => new DashboardService(logger, dashboardOverviewUseCase, presenter, imageService),
+    inject: [
+      LOGGER_TOKEN,
+      DASHBOARD_OVERVIEW_USE_CASE_TOKEN,
+      DASHBOARD_OVERVIEW_OUTPUT_PORT_TOKEN,
+      IMAGE_SERVICE_TOKEN,
+    ],
+  },
 ];
--- a/apps/api/src/domain/dashboard/DashboardService.test.ts
+++ b/apps/api/src/domain/dashboard/DashboardService.test.ts
@@ -11,6 +11,7 @@ describe('DashboardService', () => {
      { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
      useCase as any,
      presenter as any,
+      { getDriverAvatar: vi.fn(() => '/media/avatar/test') } as any,
    );

    await expect(service.getDashboardOverview('d1')).resolves.toEqual({ feed: [] });
@@ -22,6 +23,7 @@ describe('DashboardService', () => {
      { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
      { execute: vi.fn(async () => Result.err({ code: 'REPOSITORY_ERROR', details: { message: 'boom' } })) } as any,
      { getResponseModel: vi.fn() } as any,
+      { getDriverAvatar: vi.fn(() => '/media/avatar/test') } as any,
    );

    await expect(service.getDashboardOverview('d1')).rejects.toThrow('Failed to get dashboard overview: boom');
@@ -32,6 +34,7 @@ describe('DashboardService', () => {
      { debug: vi.fn(), info: vi.fn(), warn: vi.fn(), error: vi.fn() } as any,
      { execute: vi.fn(async () => Result.err({ code: 'REPOSITORY_ERROR' } as any)) } as any,
      { getResponseModel: vi.fn() } as any,
+      { getDriverAvatar: vi.fn(() => '/media/avatar/test') } as any,
    );

    await expect(service.getDashboardOverview('d1')).rejects.toThrow('Failed to get dashboard overview: Unknown error');
--- a/apps/api/src/domain/dashboard/DashboardService.ts
+++ b/apps/api/src/domain/dashboard/DashboardService.ts
@@ -5,9 +5,10 @@ import { DashboardOverviewPresenter } from './presenters/DashboardOverviewPresen

 // Core imports
 import type { Logger } from '@core/shared/application/Logger';
+import type { ImageServicePort } from '@core/media/application/ports/ImageServicePort';

 // Tokens
-import { DASHBOARD_OVERVIEW_USE_CASE_TOKEN, LOGGER_TOKEN, DASHBOARD_OVERVIEW_OUTPUT_PORT_TOKEN } from './DashboardProviders';
+import { DASHBOARD_OVERVIEW_USE_CASE_TOKEN, LOGGER_TOKEN, DASHBOARD_OVERVIEW_OUTPUT_PORT_TOKEN, IMAGE_SERVICE_TOKEN } from './DashboardProviders';

@Injectable()
 export class DashboardService {
@@ -15,11 +16,27 @@ export class DashboardService {
    @Inject(LOGGER_TOKEN) private readonly logger: Logger,
    @Inject(DASHBOARD_OVERVIEW_USE_CASE_TOKEN) private readonly dashboardOverviewUseCase: DashboardOverviewUseCase,
    @Inject(DASHBOARD_OVERVIEW_OUTPUT_PORT_TOKEN) private readonly presenter: DashboardOverviewPresenter,
+    @Inject(IMAGE_SERVICE_TOKEN) private readonly imageService: ImageServicePort,
  ) {}

  async getDashboardOverview(driverId: string): Promise<DashboardOverviewDTO> {
    this.logger.debug('[DashboardService] Getting dashboard overview:', { driverId });

+    // Check if this is a demo user
+    const isDemoUser = driverId.startsWith('demo-driver-') ||
+                      driverId.startsWith('demo-sponsor-') ||
+                      driverId.startsWith('demo-league-owner-') ||
+                      driverId.startsWith('demo-league-steward-') ||
+                      driverId.startsWith('demo-league-admin-') ||
+                      driverId.startsWith('demo-system-owner-') ||
+                      driverId.startsWith('demo-super-admin-');
+
+    if (isDemoUser) {
+      // Return mock dashboard data for demo users
+      this.logger.info('[DashboardService] Returning mock data for demo user', { driverId });
+      return await this.getMockDashboardData(driverId);
+    }
+
    const result = await this.dashboardOverviewUseCase.execute({ driverId });

    if (result.isErr()) {
@@ -30,4 +47,185 @@ export class DashboardService {

    return this.presenter.getResponseModel();
  }
+
+  private async getMockDashboardData(driverId: string): Promise<DashboardOverviewDTO> {
+    // Determine role from driverId prefix
+    const isSponsor = driverId.startsWith('demo-sponsor-');
+    const isLeagueOwner = driverId.startsWith('demo-league-owner-');
+    const isLeagueSteward = driverId.startsWith('demo-league-steward-');
+    const isLeagueAdmin = driverId.startsWith('demo-league-admin-');
+    const isSystemOwner = driverId.startsWith('demo-system-owner-');
+    const isSuperAdmin = driverId.startsWith('demo-super-admin-');
+    
+    // Get avatar URL using the image service (same as real drivers)
+    const avatarUrl = this.imageService.getDriverAvatar(driverId);
+    
+    // Mock sponsor dashboard
+    if (isSponsor) {
+      return {
+        currentDriver: null,
+        myUpcomingRaces: [],
+        otherUpcomingRaces: [],
+        upcomingRaces: [],
+        activeLeaguesCount: 0,
+        nextRace: null,
+        recentResults: [],
+        leagueStandingsSummaries: [],
+        feedSummary: {
+          notificationCount: 0,
+          items: [],
+        },
+        friends: [],
+      };
+    }
+
+    // Mock league admin/owner/steward dashboard (similar to driver but with more leagues)
+    if (isLeagueOwner || isLeagueSteward || isLeagueAdmin) {
+      const roleTitle = isLeagueOwner ? 'League Owner' : isLeagueSteward ? 'League Steward' : 'League Admin';
+      return {
+        currentDriver: {
+          id: driverId,
+          name: `Demo ${roleTitle}`,
+          country: 'US',
+          avatarUrl,
+          rating: 1600,
+          globalRank: 15,
+          totalRaces: 8,
+          wins: 3,
+          podiums: 5,
+          consistency: 90,
+        },
+        myUpcomingRaces: [],
+        otherUpcomingRaces: [],
+        upcomingRaces: [],
+        activeLeaguesCount: 2,
+        nextRace: null,
+        recentResults: [],
+        leagueStandingsSummaries: [],
+        feedSummary: {
+          notificationCount: 2,
+          items: [
+            {
+              id: 'feed-1',
+              type: 'league_update',
+              headline: 'New league season starting',
+              body: 'Your league "Demo League" is about to start a new season',
+              timestamp: new Date().toISOString(),
+              ctaLabel: 'View League',
+              ctaHref: '/leagues',
+            },
+          ],
+        },
+        friends: [],
+      };
+    }
+
+    // Mock system owner dashboard (highest privileges)
+    if (isSystemOwner) {
+      return {
+        currentDriver: {
+          id: driverId,
+          name: 'System Owner',
+          country: 'US',
+          avatarUrl,
+          rating: 2000,
+          globalRank: 1,
+          totalRaces: 50,
+          wins: 25,
+          podiums: 40,
+          consistency: 95,
+        },
+        myUpcomingRaces: [],
+        otherUpcomingRaces: [],
+        upcomingRaces: [],
+        activeLeaguesCount: 10,
+        nextRace: null,
+        recentResults: [],
+        leagueStandingsSummaries: [],
+        feedSummary: {
+          notificationCount: 5,
+          items: [
+            {
+              id: 'feed-1',
+              type: 'system_alert',
+              headline: 'System maintenance scheduled',
+              body: 'Platform will undergo maintenance in 24 hours',
+              timestamp: new Date().toISOString(),
+              ctaLabel: 'View Details',
+              ctaHref: '/admin/system',
+            },
+          ],
+        },
+        friends: [],
+      };
+    }
+
+    // Mock super admin dashboard (all access)
+    if (isSuperAdmin) {
+      return {
+        currentDriver: {
+          id: driverId,
+          name: 'Super Admin',
+          country: 'US',
+          avatarUrl,
+          rating: 1800,
+          globalRank: 5,
+          totalRaces: 30,
+          wins: 15,
+          podiums: 25,
+          consistency: 92,
+        },
+        myUpcomingRaces: [],
+        otherUpcomingRaces: [],
+        upcomingRaces: [],
+        activeLeaguesCount: 5,
+        nextRace: null,
+        recentResults: [],
+        leagueStandingsSummaries: [],
+        feedSummary: {
+          notificationCount: 3,
+          items: [
+            {
+              id: 'feed-1',
+              type: 'admin_notification',
+              headline: 'Admin dashboard access granted',
+              body: 'You have full administrative access to all platform features',
+              timestamp: new Date().toISOString(),
+              ctaLabel: 'Admin Panel',
+              ctaHref: '/admin',
+            },
+          ],
+        },
+        friends: [],
+      };
+    }
+
+    // Mock driver dashboard (default)
+    return {
+      currentDriver: {
+        id: driverId,
+        name: 'John Demo',
+        country: 'US',
+        avatarUrl,
+        rating: 1500,
+        globalRank: 25,
+        totalRaces: 5,
+        wins: 2,
+        podiums: 3,
+        consistency: 85,
+      },
+      myUpcomingRaces: [],
+      otherUpcomingRaces: [],
+      upcomingRaces: [],
+      activeLeaguesCount: 0,
+      nextRace: null,
+      recentResults: [],
+      leagueStandingsSummaries: [],
+      feedSummary: {
+        notificationCount: 0,
+        items: [],
+      },
+      friends: [],
+    };
+  }
 }
--- a/apps/api/src/persistence/identity/IdentityPersistenceTokens.ts
+++ b/apps/api/src/persistence/identity/IdentityPersistenceTokens.ts
@@ -1,3 +1,4 @@
 export const AUTH_REPOSITORY_TOKEN = 'IAuthRepository';
 export const USER_REPOSITORY_TOKEN = 'IUserRepository';
-export const PASSWORD_HASHING_SERVICE_TOKEN = 'IPasswordHashingService';
+export const PASSWORD_HASHING_SERVICE_TOKEN = 'IPasswordHashingService';
+export const MAGIC_LINK_REPOSITORY_TOKEN = 'IMagicLinkRepository';
--- a/apps/api/src/persistence/inmemory/InMemoryIdentityPersistenceModule.ts
+++ b/apps/api/src/persistence/inmemory/InMemoryIdentityPersistenceModule.ts
@@ -9,8 +9,9 @@ import type { StoredUser } from '@core/identity/domain/repositories/IUserReposit
 import { InMemoryAuthRepository } from '@adapters/identity/persistence/inmemory/InMemoryAuthRepository';
 import { InMemoryUserRepository } from '@adapters/identity/persistence/inmemory/InMemoryUserRepository';
 import { InMemoryPasswordHashingService } from '@adapters/identity/services/InMemoryPasswordHashingService';
+import { InMemoryMagicLinkRepository } from '@adapters/identity/persistence/inmemory/InMemoryMagicLinkRepository';

-import { AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN, USER_REPOSITORY_TOKEN } from '../identity/IdentityPersistenceTokens';
+import { AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN, USER_REPOSITORY_TOKEN, MAGIC_LINK_REPOSITORY_TOKEN } from '../identity/IdentityPersistenceTokens';

@Module({
  imports: [LoggingModule],
@@ -25,7 +26,6 @@ import { AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN, USER_REPOSITORY_
            email: 'admin@gridpilot.local',
            passwordHash: 'demo_salt_321nimda', // InMemoryPasswordHashingService: "admin123" reversed.
            displayName: 'Admin',
-            salt: '',
            createdAt: new Date(),
          },
        ];
@@ -43,7 +43,12 @@ import { AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN, USER_REPOSITORY_
      provide: PASSWORD_HASHING_SERVICE_TOKEN,
      useClass: InMemoryPasswordHashingService,
    },
+    {
+      provide: MAGIC_LINK_REPOSITORY_TOKEN,
+      useFactory: (logger: Logger) => new InMemoryMagicLinkRepository(logger),
+      inject: ['Logger'],
+    },
  ],
-  exports: [USER_REPOSITORY_TOKEN, AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN],
+  exports: [USER_REPOSITORY_TOKEN, AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN, MAGIC_LINK_REPOSITORY_TOKEN],
 })
 export class InMemoryIdentityPersistenceModule {}
--- a/apps/api/src/persistence/postgres/PostgresIdentityPersistenceModule.ts
+++ b/apps/api/src/persistence/postgres/PostgresIdentityPersistenceModule.ts
@@ -1,10 +1,13 @@
 import { Module } from '@nestjs/common';
 import { TypeOrmModule, getDataSourceToken } from '@nestjs/typeorm';
 import type { DataSource } from 'typeorm';
+import type { Logger } from '@core/shared/application/Logger';

 import { UserOrmEntity } from '@adapters/identity/persistence/typeorm/entities/UserOrmEntity';
+import { PasswordResetRequestOrmEntity } from '@adapters/identity/persistence/typeorm/entities/PasswordResetRequestOrmEntity';
 import { TypeOrmAuthRepository } from '@adapters/identity/persistence/typeorm/repositories/TypeOrmAuthRepository';
 import { TypeOrmUserRepository } from '@adapters/identity/persistence/typeorm/repositories/TypeOrmUserRepository';
+import { TypeOrmMagicLinkRepository } from '@adapters/identity/persistence/typeorm/repositories/TypeOrmMagicLinkRepository';
 import { UserOrmMapper } from '@adapters/identity/persistence/typeorm/mappers/UserOrmMapper';
 import { InMemoryPasswordHashingService } from '@adapters/identity/services/InMemoryPasswordHashingService';

@@ -12,9 +15,10 @@ import {
  AUTH_REPOSITORY_TOKEN,
  PASSWORD_HASHING_SERVICE_TOKEN,
  USER_REPOSITORY_TOKEN,
+  MAGIC_LINK_REPOSITORY_TOKEN,
 } from '../identity/IdentityPersistenceTokens';

-const typeOrmFeatureImports = [TypeOrmModule.forFeature([UserOrmEntity])];
+const typeOrmFeatureImports = [TypeOrmModule.forFeature([UserOrmEntity, PasswordResetRequestOrmEntity])];

@Module({
  imports: [...typeOrmFeatureImports],
@@ -34,7 +38,12 @@ const typeOrmFeatureImports = [TypeOrmModule.forFeature([UserOrmEntity])];
      provide: PASSWORD_HASHING_SERVICE_TOKEN,
      useClass: InMemoryPasswordHashingService,
    },
+    {
+      provide: MAGIC_LINK_REPOSITORY_TOKEN,
+      useFactory: (dataSource: DataSource, logger: Logger) => new TypeOrmMagicLinkRepository(dataSource, logger),
+      inject: [getDataSourceToken(), 'Logger'],
+    },
  ],
-  exports: [USER_REPOSITORY_TOKEN, AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN],
+  exports: [USER_REPOSITORY_TOKEN, AUTH_REPOSITORY_TOKEN, PASSWORD_HASHING_SERVICE_TOKEN, MAGIC_LINK_REPOSITORY_TOKEN],
 })
 export class PostgresIdentityPersistenceModule {}
--- a/apps/api/src/persistence/postgres/PostgresRacingPersistenceModule.ts
+++ b/apps/api/src/persistence/postgres/PostgresRacingPersistenceModule.ts
@@ -56,6 +56,7 @@ import {
  TeamOrmEntity,
 } from '@adapters/racing/persistence/typeorm/entities/TeamOrmEntities';
 import { TeamStatsOrmEntity } from '@adapters/racing/persistence/typeorm/entities/TeamStatsOrmEntity';
+import { DriverStatsOrmEntity } from '@adapters/racing/persistence/typeorm/entities/DriverStatsOrmEntity';

 import { TypeOrmDriverRepository } from '@adapters/racing/persistence/typeorm/repositories/TypeOrmDriverRepository';
 import { TypeOrmLeagueMembershipRepository } from '@adapters/racing/persistence/typeorm/repositories/TypeOrmLeagueMembershipRepository';
@@ -78,13 +79,13 @@ import {
 import { TypeOrmPenaltyRepository, TypeOrmProtestRepository } from '@adapters/racing/persistence/typeorm/repositories/StewardingTypeOrmRepositories';
 import { TypeOrmTeamMembershipRepository, TypeOrmTeamRepository } from '@adapters/racing/persistence/typeorm/repositories/TeamTypeOrmRepositories';

-// Import in-memory implementations for new repositories (TypeORM versions not yet implemented)
-import { InMemoryDriverStatsRepository } from '@adapters/racing/persistence/inmemory/InMemoryDriverStatsRepository';
-import { InMemoryMediaRepository } from '@adapters/racing/persistence/media/InMemoryMediaRepository';
-
-// Import TypeORM repository for team stats
+// Import TypeORM repositories
+import { TypeOrmDriverStatsRepository } from '@adapters/racing/persistence/typeorm/repositories/TypeOrmDriverStatsRepository';
 import { TypeOrmTeamStatsRepository } from '@adapters/racing/persistence/typeorm/repositories/TypeOrmTeamStatsRepository';

+// Import in-memory implementations for new repositories (TypeORM versions not yet implemented)
+import { InMemoryMediaRepository } from '@adapters/racing/persistence/media/InMemoryMediaRepository';
+
 import { DriverOrmMapper } from '@adapters/racing/persistence/typeorm/mappers/DriverOrmMapper';
 import { LeagueMembershipOrmMapper } from '@adapters/racing/persistence/typeorm/mappers/LeagueMembershipOrmMapper';
 import { LeagueOrmMapper } from '@adapters/racing/persistence/typeorm/mappers/LeagueOrmMapper';
@@ -109,6 +110,7 @@ import { MoneyOrmMapper } from '@adapters/racing/persistence/typeorm/mappers/Mon
 import { PenaltyOrmMapper, ProtestOrmMapper } from '@adapters/racing/persistence/typeorm/mappers/StewardingOrmMappers';
 import { TeamMembershipOrmMapper, TeamOrmMapper } from '@adapters/racing/persistence/typeorm/mappers/TeamOrmMappers';
 import { TeamStatsOrmMapper } from '@adapters/racing/persistence/typeorm/mappers/TeamStatsOrmMapper';
+import { DriverStatsOrmMapper } from '@adapters/racing/persistence/typeorm/mappers/DriverStatsOrmMapper';

 import { getPointsSystems } from '@adapters/bootstrap/PointsSystems';
 import type { Logger } from '@core/shared/application/Logger';
@@ -131,6 +133,7 @@ const typeOrmFeatureImports = [
    TeamMembershipOrmEntity,
    TeamJoinRequestOrmEntity,
    TeamStatsOrmEntity,
+    DriverStatsOrmEntity,

    PenaltyOrmEntity,
    ProtestOrmEntity,
@@ -161,6 +164,7 @@ const typeOrmFeatureImports = [
    { provide: TeamOrmMapper, useFactory: () => new TeamOrmMapper() },
    { provide: TeamMembershipOrmMapper, useFactory: () => new TeamMembershipOrmMapper() },
    { provide: TeamStatsOrmMapper, useFactory: () => new TeamStatsOrmMapper() },
+    { provide: DriverStatsOrmMapper, useFactory: () => new DriverStatsOrmMapper() },

    { provide: PenaltyOrmMapper, useFactory: () => new PenaltyOrmMapper() },
    { provide: ProtestOrmMapper, useFactory: () => new ProtestOrmMapper() },
@@ -322,8 +326,9 @@ const typeOrmFeatureImports = [
    },
    {
      provide: DRIVER_STATS_REPOSITORY_TOKEN,
-      useFactory: (logger: Logger) => new InMemoryDriverStatsRepository(logger),
-      inject: ['Logger'],
+      useFactory: (repo: Repository<DriverStatsOrmEntity>, mapper: DriverStatsOrmMapper) =>
+        new TypeOrmDriverStatsRepository(repo, mapper),
+      inject: [getRepositoryToken(DriverStatsOrmEntity), DriverStatsOrmMapper],
    },
    {
      provide: TEAM_STATS_REPOSITORY_TOKEN,
--- a/apps/website/app/auth/forgot-password/page.tsx
+++ b/apps/website/app/auth/forgot-password/page.tsx
@@ -0,0 +1,235 @@
+'use client';
+
+import { useState, FormEvent, type ChangeEvent } from 'react';
+import { useRouter } from 'next/navigation';
+import Link from 'next/link';
+import { motion } from 'framer-motion';
+import {
+  Mail,
+  ArrowLeft,
+  AlertCircle,
+  Flag,
+  Shield,
+  CheckCircle2,
+} from 'lucide-react';
+
+import Card from '@/components/ui/Card';
+import Button from '@/components/ui/Button';
+import Input from '@/components/ui/Input';
+import Heading from '@/components/ui/Heading';
+
+interface FormErrors {
+  email?: string;
+  submit?: string;
+}
+
+interface SuccessState {
+  message: string;
+  magicLink?: string;
+}
+
+export default function ForgotPasswordPage() {
+  const router = useRouter();
+  
+  const [loading, setLoading] = useState(false);
+  const [errors, setErrors] = useState<FormErrors>({});
+  const [success, setSuccess] = useState<SuccessState | null>(null);
+  const [formData, setFormData] = useState({
+    email: '',
+  });
+
+  const validateForm = (): boolean => {
+    const newErrors: FormErrors = {};
+
+    if (!formData.email.trim()) {
+      newErrors.email = 'Email is required';
+    } else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(formData.email)) {
+      newErrors.email = 'Invalid email format';
+    }
+
+    setErrors(newErrors);
+    return Object.keys(newErrors).length === 0;
+  };
+
+  const handleSubmit = async (e: FormEvent) => {
+    e.preventDefault();
+    if (loading) return;
+
+    if (!validateForm()) return;
+
+    setLoading(true);
+    setErrors({});
+    setSuccess(null);
+
+    try {
+      const { ServiceFactory } = await import('@/lib/services/ServiceFactory');
+      const serviceFactory = new ServiceFactory(process.env.NEXT_PUBLIC_API_BASE_URL || 'http://localhost:3001');
+      const authService = serviceFactory.createAuthService();
+      const result = await authService.forgotPassword({ email: formData.email });
+
+      setSuccess({
+        message: result.message,
+        magicLink: result.magicLink,
+      });
+    } catch (error) {
+      setErrors({
+        submit: error instanceof Error ? error.message : 'Failed to send reset link. Please try again.',
+      });
+      setLoading(false);
+    }
+  };
+
+  return (
+    <main className="min-h-screen bg-deep-graphite flex items-center justify-center px-4 py-12">
+      {/* Background Pattern */}
+      <div className="absolute inset-0 bg-gradient-to-br from-primary-blue/5 via-transparent to-purple-600/5" />
+      <div className="absolute inset-0 opacity-5">
+        <div className="absolute inset-0" style={{
+          backgroundImage: `url("data:image/svg+xml,%3Csvg width='60' height='60' viewBox='0 0 60 60' xmlns='http://www.w3.org/2000/svg'%3E%3Cg fill='none' fill-rule='evenodd'%3E%3Cg fill='%23ffffff' fill-opacity='0.4'%3E%3Cpath d='M36 34v-4h-2v4h-4v2h4v4h2v-4h4v-2h-4zm0-30V0h-2v4h-4v2h4v4h2V6h4V4h-4zM6 34v-4H4v4H0v2h4v4h2v-4h4v-2H6zM6 4V0H4v4H0v2h4v4h2V6h4V4H6z'/%3E%3C/g%3E%3C/g%3E%3C/svg%3E")`,
+        }} />
+      </div>
+
+      <div className="relative w-full max-w-md">
+        {/* Header */}
+        <div className="text-center mb-8">
+          <div className="flex h-16 w-16 items-center justify-center rounded-2xl bg-gradient-to-br from-primary-blue/20 to-purple-600/10 border border-primary-blue/30 mx-auto mb-4">
+            <Flag className="w-8 h-8 text-primary-blue" />
+          </div>
+          <Heading level={1} className="mb-2">Reset Password</Heading>
+          <p className="text-gray-400">
+            Enter your email and we'll send you a reset link
+          </p>
+        </div>
+
+        <Card className="relative overflow-hidden">
+          {/* Background accent */}
+          <div className="absolute top-0 right-0 w-32 h-32 bg-gradient-to-bl from-primary-blue/10 to-transparent rounded-bl-full" />
+
+          {!success ? (
+            <form onSubmit={handleSubmit} className="relative space-y-5">
+              {/* Email */}
+              <div>
+                <label htmlFor="email" className="block text-sm font-medium text-gray-300 mb-2">
+                  Email Address
+                </label>
+                <div className="relative">
+                  <Mail className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-gray-500" />
+                  <Input
+                    id="email"
+                    type="email"
+                    value={formData.email}
+                    onChange={(e: ChangeEvent<HTMLInputElement>) => setFormData({ ...formData, email: e.target.value })}
+                    error={!!errors.email}
+                    errorMessage={errors.email}
+                    placeholder="you@example.com"
+                    disabled={loading}
+                    className="pl-10"
+                    autoComplete="email"
+                  />
+                </div>
+              </div>
+
+              {/* Error Message */}
+              {errors.submit && (
+                <motion.div
+                  initial={{ opacity: 0, y: -10 }}
+                  animate={{ opacity: 1, y: 0 }}
+                  className="flex items-start gap-3 p-3 rounded-lg bg-red-500/10 border border-red-500/30"
+                >
+                  <AlertCircle className="w-5 h-5 text-red-400 flex-shrink-0 mt-0.5" />
+                  <p className="text-sm text-red-400">{errors.submit}</p>
+                </motion.div>
+              )}
+
+              {/* Submit Button */}
+              <Button
+                type="submit"
+                variant="primary"
+                disabled={loading}
+                className="w-full flex items-center justify-center gap-2"
+              >
+                {loading ? (
+                  <>
+                    <div className="w-4 h-4 border-2 border-white border-t-transparent rounded-full animate-spin" />
+                    Sending...
+                  </>
+                ) : (
+                  <>
+                    <Shield className="w-4 h-4" />
+                    Send Reset Link
+                  </>
+                )}
+              </Button>
+
+              {/* Back to Login */}
+              <div className="text-center">
+                <Link
+                  href="/auth/login"
+                  className="text-sm text-primary-blue hover:underline flex items-center justify-center gap-1"
+                >
+                  <ArrowLeft className="w-4 h-4" />
+                  Back to Login
+                </Link>
+              </div>
+            </form>
+          ) : (
+            <motion.div
+              initial={{ opacity: 0, y: 10 }}
+              animate={{ opacity: 1, y: 0 }}
+              className="relative space-y-4"
+            >
+              <div className="flex items-start gap-3 p-4 rounded-lg bg-performance-green/10 border border-performance-green/30">
+                <CheckCircle2 className="w-6 h-6 text-performance-green flex-shrink-0 mt-0.5" />
+                <div>
+                  <p className="text-sm text-performance-green font-medium">{success.message}</p>
+                  {success.magicLink && (
+                    <div className="mt-2">
+                      <p className="text-xs text-gray-400 mb-1">Development Mode - Magic Link:</p>
+                      <div className="bg-iron-gray p-2 rounded border border-charcoal-outline">
+                        <code className="text-xs text-primary-blue break-all">
+                          {success.magicLink}
+                        </code>
+                      </div>
+                      <p className="text-[10px] text-gray-500 mt-1">
+                        In production, this would be sent via email
+                      </p>
+                    </div>
+                  )}
+                </div>
+              </div>
+
+              <Button
+                type="button"
+                variant="secondary"
+                onClick={() => router.push('/auth/login')}
+                className="w-full"
+              >
+                Return to Login
+              </Button>
+            </motion.div>
+          )}
+        </Card>
+
+        {/* Trust Indicators */}
+        <div className="mt-6 flex items-center justify-center gap-6 text-sm text-gray-500">
+          <div className="flex items-center gap-2">
+            <Shield className="w-4 h-4" />
+            <span>Secure reset process</span>
+          </div>
+          <div className="flex items-center gap-2">
+            <CheckCircle2 className="w-4 h-4" />
+            <span>15 minute expiration</span>
+          </div>
+        </div>
+
+        {/* Footer */}
+        <p className="mt-6 text-center text-xs text-gray-500">
+          Need help?{' '}
+          <Link href="/support" className="text-gray-400 hover:underline">
+            Contact support
+          </Link>
+        </p>
+      </div>
+    </main>
+  );
+}
--- a/apps/website/app/auth/login/page.tsx
+++ b/apps/website/app/auth/login/page.tsx
@@ -73,20 +73,14 @@ export default function LoginPage() {
    setErrors({});

    try {
-      const response = await fetch('/api/auth/login', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({
-          email: formData.email,
-          password: formData.password,
-        }),
+      const { ServiceFactory } = await import('@/lib/services/ServiceFactory');
+      const serviceFactory = new ServiceFactory(process.env.NEXT_PUBLIC_API_BASE_URL || 'http://localhost:3001');
+      const authService = serviceFactory.createAuthService();
+      
+      await authService.login({
+        email: formData.email,
+        password: formData.password,
      });
-
-      const data = await response.json();
-
-      if (!response.ok) {
-        throw new Error(data.error || 'Login failed');
-      }
      
      // Refresh session in context so header updates immediately
      await refreshSession();
@@ -102,8 +96,12 @@ export default function LoginPage() {
  const handleDemoLogin = async () => {
    setLoading(true);
    try {
-      // Demo: Set cookie to indicate driver mode (works without OAuth)
-      document.cookie = 'gridpilot_demo_mode=driver; path=/; max-age=86400';
+      const { ServiceFactory } = await import('@/lib/services/ServiceFactory');
+      const serviceFactory = new ServiceFactory(process.env.NEXT_PUBLIC_API_BASE_URL || 'http://localhost:3001');
+      const authService = serviceFactory.createAuthService();
+      
+      await authService.demoLogin({ role: 'driver' });
+      
      await new Promise(resolve => setTimeout(resolve, 500));
      router.push(returnTo);
    } catch (error) {
@@ -299,7 +297,7 @@ export default function LoginPage() {
              className="w-full flex items-center justify-center gap-3 px-4 py-3 rounded-lg bg-gradient-to-r from-deep-graphite to-iron-gray border border-charcoal-outline text-gray-300 hover:border-primary-blue/30 transition-all disabled:opacity-50 group"
            >
              <Gamepad2 className="w-5 h-5 text-primary-blue" />
-              <span>Demo Login (iRacing)</span>
+              <span>Demo Login</span>
              <ChevronRight className="w-4 h-4 text-gray-500 group-hover:translate-x-0.5 transition-transform" />
            </motion.button>

@@ -315,6 +313,16 @@ export default function LoginPage() {
            </p>
          </Card>

+          {/* Name Immutability Notice */}
+          <div className="mt-6 p-4 rounded-lg bg-iron-gray/30 border border-charcoal-outline">
+            <div className="flex items-start gap-3">
+              <AlertCircle className="w-5 h-5 text-gray-400 flex-shrink-0 mt-0.5" />
+              <div className="text-xs text-gray-400">
+                <strong>Note:</strong> Your display name cannot be changed after signup. Please ensure it's correct when creating your account.
+              </div>
+            </div>
+          </div>
+
          {/* Footer */}
          <p className="mt-6 text-center text-xs text-gray-500">
            By signing in, you agree to our{' '}
--- a/apps/website/app/auth/reset-password/page.tsx
+++ b/apps/website/app/auth/reset-password/page.tsx
@@ -0,0 +1,356 @@
+'use client';
+
+import { useState, FormEvent, type ChangeEvent, useEffect } from 'react';
+import { useRouter, useSearchParams } from 'next/navigation';
+import Link from 'next/link';
+import { motion } from 'framer-motion';
+import {
+  Lock,
+  Eye,
+  EyeOff,
+  AlertCircle,
+  Flag,
+  Shield,
+  CheckCircle2,
+  ArrowLeft,
+} from 'lucide-react';
+
+import Card from '@/components/ui/Card';
+import Button from '@/components/ui/Button';
+import Input from '@/components/ui/Input';
+import Heading from '@/components/ui/Heading';
+
+interface FormErrors {
+  newPassword?: string;
+  confirmPassword?: string;
+  submit?: string;
+}
+
+interface PasswordStrength {
+  score: number;
+  label: string;
+  color: string;
+}
+
+function checkPasswordStrength(password: string): PasswordStrength {
+  let score = 0;
+  if (password.length >= 8) score++;
+  if (password.length >= 12) score++;
+  if (/[a-z]/.test(password) && /[A-Z]/.test(password)) score++;
+  if (/\d/.test(password)) score++;
+  if (/[^a-zA-Z\d]/.test(password)) score++;
+
+  if (score <= 1) return { score, label: 'Weak', color: 'bg-red-500' };
+  if (score <= 2) return { score, label: 'Fair', color: 'bg-warning-amber' };
+  if (score <= 3) return { score, label: 'Good', color: 'bg-primary-blue' };
+  return { score, label: 'Strong', color: 'bg-performance-green' };
+}
+
+export default function ResetPasswordPage() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+  
+  const [loading, setLoading] = useState(false);
+  const [showPassword, setShowPassword] = useState(false);
+  const [showConfirmPassword, setShowConfirmPassword] = useState(false);
+  const [errors, setErrors] = useState<FormErrors>({});
+  const [success, setSuccess] = useState<string | null>(null);
+  const [formData, setFormData] = useState({
+    newPassword: '',
+    confirmPassword: '',
+  });
+  const [token, setToken] = useState<string>('');
+
+  // Extract token from URL on mount
+  useEffect(() => {
+    const tokenParam = searchParams.get('token');
+    if (tokenParam) {
+      setToken(tokenParam);
+    }
+  }, [searchParams]);
+
+  const passwordStrength = checkPasswordStrength(formData.newPassword);
+
+  const passwordRequirements = [
+    { met: formData.newPassword.length >= 8, label: 'At least 8 characters' },
+    { met: /[a-z]/.test(formData.newPassword) && /[A-Z]/.test(formData.newPassword), label: 'Upper and lowercase letters' },
+    { met: /\d/.test(formData.newPassword), label: 'At least one number' },
+    { met: /[^a-zA-Z\d]/.test(formData.newPassword), label: 'At least one special character' },
+  ];
+
+  const validateForm = (): boolean => {
+    const newErrors: FormErrors = {};
+
+    if (!formData.newPassword) {
+      newErrors.newPassword = 'New password is required';
+    } else if (formData.newPassword.length < 8) {
+      newErrors.newPassword = 'Password must be at least 8 characters';
+    } else if (!/[a-z]/.test(formData.newPassword) || !/[A-Z]/.test(formData.newPassword) || !/\d/.test(formData.newPassword)) {
+      newErrors.newPassword = 'Password must contain uppercase, lowercase, and number';
+    }
+
+    if (!formData.confirmPassword) {
+      newErrors.confirmPassword = 'Please confirm your password';
+    } else if (formData.newPassword !== formData.confirmPassword) {
+      newErrors.confirmPassword = 'Passwords do not match';
+    }
+
+    if (!token) {
+      newErrors.submit = 'Invalid reset token. Please request a new reset link.';
+    }
+
+    setErrors(newErrors);
+    return Object.keys(newErrors).length === 0;
+  };
+
+  const handleSubmit = async (e: FormEvent) => {
+    e.preventDefault();
+    if (loading) return;
+
+    if (!validateForm()) return;
+
+    setLoading(true);
+    setErrors({});
+    setSuccess(null);
+
+    try {
+      const { ServiceFactory } = await import('@/lib/services/ServiceFactory');
+      const serviceFactory = new ServiceFactory(process.env.NEXT_PUBLIC_API_BASE_URL || 'http://localhost:3001');
+      const authService = serviceFactory.createAuthService();
+      const result = await authService.resetPassword({
+        token,
+        newPassword: formData.newPassword,
+      });
+
+      setSuccess(result.message);
+    } catch (error) {
+      setErrors({
+        submit: error instanceof Error ? error.message : 'Failed to reset password. Please try again.',
+      });
+      setLoading(false);
+    }
+  };
+
+  return (
+    <main className="min-h-screen bg-deep-graphite flex items-center justify-center px-4 py-12">
+      {/* Background Pattern */}
+      <div className="absolute inset-0 bg-gradient-to-br from-primary-blue/5 via-transparent to-purple-600/5" />
+      <div className="absolute inset-0 opacity-5">
+        <div className="absolute inset-0" style={{
+          backgroundImage: `url("data:image/svg+xml,%3Csvg width='60' height='60' viewBox='0 0 60 60' xmlns='http://www.w3.org/2000/svg'%3E%3Cg fill='none' fill-rule='evenodd'%3E%3Cg fill='%23ffffff' fill-opacity='0.4'%3E%3Cpath d='M36 34v-4h-2v4h-4v2h4v4h2v-4h4v-2h-4zm0-30V0h-2v4h-4v2h4v4h2V6h4V4h-4zM6 34v-4H4v4H0v2h4v4h2v-4h4v-2H6zM6 4V0H4v4H0v2h4v4h2V6h4V4H6z'/%3E%3C/g%3E%3C/g%3E%3C/svg%3E")`,
+        }} />
+      </div>
+
+      <div className="relative w-full max-w-md">
+        {/* Header */}
+        <div className="text-center mb-8">
+          <div className="flex h-16 w-16 items-center justify-center rounded-2xl bg-gradient-to-br from-primary-blue/20 to-purple-600/10 border border-primary-blue/30 mx-auto mb-4">
+            <Lock className="w-8 h-8 text-primary-blue" />
+          </div>
+          <Heading level={1} className="mb-2">Set New Password</Heading>
+          <p className="text-gray-400">
+            Create a strong password for your account
+          </p>
+        </div>
+
+        <Card className="relative overflow-hidden">
+          {/* Background accent */}
+          <div className="absolute top-0 right-0 w-32 h-32 bg-gradient-to-bl from-primary-blue/10 to-transparent rounded-bl-full" />
+
+          {!success ? (
+            <form onSubmit={handleSubmit} className="relative space-y-5">
+              {/* New Password */}
+              <div>
+                <label htmlFor="newPassword" className="block text-sm font-medium text-gray-300 mb-2">
+                  New Password
+                </label>
+                <div className="relative">
+                  <Lock className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-gray-500" />
+                  <Input
+                    id="newPassword"
+                    type={showPassword ? 'text' : 'password'}
+                    value={formData.newPassword}
+                    onChange={(e: ChangeEvent<HTMLInputElement>) => setFormData({ ...formData, newPassword: e.target.value })}
+                    error={!!errors.newPassword}
+                    errorMessage={errors.newPassword}
+                    placeholder="••••••••"
+                    disabled={loading}
+                    className="pl-10 pr-10"
+                    autoComplete="new-password"
+                  />
+                  <button
+                    type="button"
+                    onClick={() => setShowPassword(!showPassword)}
+                    className="absolute right-3 top-1/2 -translate-y-1/2 text-gray-500 hover:text-gray-300"
+                  >
+                    {showPassword ? <EyeOff className="w-4 h-4" /> : <Eye className="w-4 h-4" />}
+                  </button>
+                </div>
+
+                {/* Password Strength */}
+                {formData.newPassword && (
+                  <div className="mt-3 space-y-2">
+                    <div className="flex items-center gap-2">
+                      <div className="flex-1 h-1.5 rounded-full bg-charcoal-outline overflow-hidden">
+                        <motion.div
+                          className={`h-full ${passwordStrength.color}`}
+                          initial={{ width: 0 }}
+                          animate={{ width: `${(passwordStrength.score / 5) * 100}%` }}
+                          transition={{ duration: 0.3 }}
+                        />
+                      </div>
+                      <span className={`text-xs font-medium ${
+                        passwordStrength.score <= 1 ? 'text-red-400' :
+                        passwordStrength.score <= 2 ? 'text-warning-amber' :
+                        passwordStrength.score <= 3 ? 'text-primary-blue' :
+                        'text-performance-green'
+                      }`}>
+                        {passwordStrength.label}
+                      </span>
+                    </div>
+                    <div className="grid grid-cols-2 gap-1">
+                      {passwordRequirements.map((req, index) => (
+                        <div key={index} className="flex items-center gap-1.5 text-xs">
+                          {req.met ? (
+                            <CheckCircle2 className="w-3 h-3 text-performance-green" />
+                          ) : (
+                            <AlertCircle className="w-3 h-3 text-gray-500" />
+                          )}
+                          <span className={req.met ? 'text-gray-300' : 'text-gray-500'}>
+                            {req.label}
+                          </span>
+                        </div>
+                      ))}
+                    </div>
+                  </div>
+                )}
+              </div>
+
+              {/* Confirm Password */}
+              <div>
+                <label htmlFor="confirmPassword" className="block text-sm font-medium text-gray-300 mb-2">
+                  Confirm Password
+                </label>
+                <div className="relative">
+                  <Lock className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-gray-500" />
+                  <Input
+                    id="confirmPassword"
+                    type={showConfirmPassword ? 'text' : 'password'}
+                    value={formData.confirmPassword}
+                    onChange={(e: ChangeEvent<HTMLInputElement>) => setFormData({ ...formData, confirmPassword: e.target.value })}
+                    error={!!errors.confirmPassword}
+                    errorMessage={errors.confirmPassword}
+                    placeholder="••••••••"
+                    disabled={loading}
+                    className="pl-10 pr-10"
+                    autoComplete="new-password"
+                  />
+                  <button
+                    type="button"
+                    onClick={() => setShowConfirmPassword(!showConfirmPassword)}
+                    className="absolute right-3 top-1/2 -translate-y-1/2 text-gray-500 hover:text-gray-300"
+                  >
+                    {showConfirmPassword ? <EyeOff className="w-4 h-4" /> : <Eye className="w-4 h-4" />}
+                  </button>
+                </div>
+                {formData.confirmPassword && formData.newPassword === formData.confirmPassword && (
+                  <p className="mt-1 text-xs text-performance-green flex items-center gap-1">
+                    <CheckCircle2 className="w-3 h-3" /> Passwords match
+                  </p>
+                )}
+              </div>
+
+              {/* Error Message */}
+              {errors.submit && (
+                <motion.div
+                  initial={{ opacity: 0, y: -10 }}
+                  animate={{ opacity: 1, y: 0 }}
+                  className="flex items-start gap-3 p-3 rounded-lg bg-red-500/10 border border-red-500/30"
+                >
+                  <AlertCircle className="w-5 h-5 text-red-400 flex-shrink-0 mt-0.5" />
+                  <p className="text-sm text-red-400">{errors.submit}</p>
+                </motion.div>
+              )}
+
+              {/* Submit Button */}
+              <Button
+                type="submit"
+                variant="primary"
+                disabled={loading}
+                className="w-full flex items-center justify-center gap-2"
+              >
+                {loading ? (
+                  <>
+                    <div className="w-4 h-4 border-2 border-white border-t-transparent rounded-full animate-spin" />
+                    Resetting...
+                  </>
+                ) : (
+                  <>
+                    <Lock className="w-4 h-4" />
+                    Reset Password
+                  </>
+                )}
+              </Button>
+
+              {/* Back to Login */}
+              <div className="text-center">
+                <Link
+                  href="/auth/login"
+                  className="text-sm text-primary-blue hover:underline flex items-center justify-center gap-1"
+                >
+                  <ArrowLeft className="w-4 h-4" />
+                  Back to Login
+                </Link>
+              </div>
+            </form>
+          ) : (
+            <motion.div
+              initial={{ opacity: 0, y: 10 }}
+              animate={{ opacity: 1, y: 0 }}
+              className="relative space-y-4"
+            >
+              <div className="flex items-start gap-3 p-4 rounded-lg bg-performance-green/10 border border-performance-green/30">
+                <CheckCircle2 className="w-6 h-6 text-performance-green flex-shrink-0 mt-0.5" />
+                <div>
+                  <p className="text-sm text-performance-green font-medium">{success}</p>
+                  <p className="text-xs text-gray-400 mt-1">
+                    Your password has been successfully reset
+                  </p>
+                </div>
+              </div>
+
+              <Button
+                type="button"
+                variant="primary"
+                onClick={() => router.push('/auth/login')}
+                className="w-full"
+              >
+                Login with New Password
+              </Button>
+            </motion.div>
+          )}
+        </Card>
+
+        {/* Trust Indicators */}
+        <div className="mt-6 flex items-center justify-center gap-6 text-sm text-gray-500">
+          <div className="flex items-center gap-2">
+            <Shield className="w-4 h-4" />
+            <span>Encrypted & secure</span>
+          </div>
+          <div className="flex items-center gap-2">
+            <CheckCircle2 className="w-4 h-4" />
+            <span>Instant update</span>
+          </div>
+        </div>
+
+        {/* Footer */}
+        <p className="mt-6 text-center text-xs text-gray-500">
+          Need help?{' '}
+          <Link href="/support" className="text-gray-400 hover:underline">
+            Contact support
+          </Link>
+        </p>
+      </div>
+    </main>
+  );
+}
--- a/apps/website/app/auth/signup/page.tsx
+++ b/apps/website/app/auth/signup/page.tsx
@@ -32,7 +32,8 @@ import Heading from '@/components/ui/Heading';
 import { useAuth } from '@/lib/auth/AuthContext';

 interface FormErrors {
-  displayName?: string;
+  firstName?: string;
+  lastName?: string;
  email?: string;
  password?: string;
  confirmPassword?: string;
@@ -101,7 +102,8 @@ export default function SignupPage() {
  const [showConfirmPassword, setShowConfirmPassword] = useState(false);
  const [errors, setErrors] = useState<FormErrors>({});
  const [formData, setFormData] = useState({
-    displayName: '',
+    firstName: '',
+    lastName: '',
    email: '',
    password: '',
    confirmPassword: '',
@@ -138,10 +140,32 @@ export default function SignupPage() {
  const validateForm = (): boolean => {
    const newErrors: FormErrors = {};

-    if (!formData.displayName.trim()) {
-      newErrors.displayName = 'Display name is required';
-    } else if (formData.displayName.trim().length < 3) {
-      newErrors.displayName = 'Display name must be at least 3 characters';
+    // First name validation
+    const firstName = formData.firstName.trim();
+    if (!firstName) {
+      newErrors.firstName = 'First name is required';
+    } else if (firstName.length < 2) {
+      newErrors.firstName = 'First name must be at least 2 characters';
+    } else if (firstName.length > 25) {
+      newErrors.firstName = 'First name must be no more than 25 characters';
+    } else if (!/^[A-Za-z\-']+$/.test(firstName)) {
+      newErrors.firstName = 'First name can only contain letters, hyphens, and apostrophes';
+    } else if (/^(user|test|demo|guest|player)/i.test(firstName)) {
+      newErrors.firstName = 'Please use your real first name, not a nickname';
+    }
+
+    // Last name validation
+    const lastName = formData.lastName.trim();
+    if (!lastName) {
+      newErrors.lastName = 'Last name is required';
+    } else if (lastName.length < 2) {
+      newErrors.lastName = 'Last name must be at least 2 characters';
+    } else if (lastName.length > 25) {
+      newErrors.lastName = 'Last name must be no more than 25 characters';
+    } else if (!/^[A-Za-z\-']+$/.test(lastName)) {
+      newErrors.lastName = 'Last name can only contain letters, hyphens, and apostrophes';
+    } else if (/^(user|test|demo|guest|player)/i.test(lastName)) {
+      newErrors.lastName = 'Please use your real last name, not a nickname';
    }

    if (!formData.email.trim()) {
@@ -150,10 +174,13 @@ export default function SignupPage() {
      newErrors.email = 'Invalid email format';
    }

+    // Password strength validation
    if (!formData.password) {
      newErrors.password = 'Password is required';
    } else if (formData.password.length < 8) {
      newErrors.password = 'Password must be at least 8 characters';
+    } else if (!/[a-z]/.test(formData.password) || !/[A-Z]/.test(formData.password) || !/\d/.test(formData.password)) {
+      newErrors.password = 'Password must contain uppercase, lowercase, and number';
    }

    if (!formData.confirmPassword) {
@@ -176,21 +203,18 @@ export default function SignupPage() {
    setErrors({});

    try {
-      const response = await fetch('/api/auth/signup', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({
-          email: formData.email,
-          password: formData.password,
-          displayName: formData.displayName,
-        }),
+      const { ServiceFactory } = await import('@/lib/services/ServiceFactory');
+      const serviceFactory = new ServiceFactory(process.env.NEXT_PUBLIC_API_BASE_URL || 'http://localhost:3001');
+      const authService = serviceFactory.createAuthService();
+      
+      // Combine first and last name into display name
+      const displayName = `${formData.firstName} ${formData.lastName}`.trim();
+      
+      await authService.signup({
+        email: formData.email,
+        password: formData.password,
+        displayName,
      });
-
-      const data = await response.json();
-
-      if (!response.ok) {
-        throw new Error(data.error || 'Signup failed');
-      }
      
      // Refresh session in context so header updates immediately
      await refreshSession();
@@ -206,8 +230,12 @@ export default function SignupPage() {
  const handleDemoLogin = async () => {
    setLoading(true);
    try {
-      // Demo: Set cookie to indicate driver mode (works without OAuth)
-      document.cookie = 'gridpilot_demo_mode=driver; path=/; max-age=86400';
+      const { ServiceFactory } = await import('@/lib/services/ServiceFactory');
+      const serviceFactory = new ServiceFactory(process.env.NEXT_PUBLIC_API_BASE_URL || 'http://localhost:3001');
+      const authService = serviceFactory.createAuthService();
+      
+      await authService.demoLogin({ role: 'driver' });
+      
      await new Promise(resolve => setTimeout(resolve, 500));
      router.push(returnTo === '/onboarding' ? '/dashboard' : returnTo);
    } catch {
@@ -337,27 +365,57 @@ export default function SignupPage() {
            <div className="absolute top-0 right-0 w-32 h-32 bg-gradient-to-bl from-primary-blue/10 to-transparent rounded-bl-full" />

            <form onSubmit={handleSubmit} className="relative space-y-4">
-              {/* Display Name */}
+              {/* First Name */}
              <div>
-                <label htmlFor="displayName" className="block text-sm font-medium text-gray-300 mb-2">
-                  Display Name
+                <label htmlFor="firstName" className="block text-sm font-medium text-gray-300 mb-2">
+                  First Name
                </label>
                <div className="relative">
                  <User className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-gray-500" />
                  <Input
-                    id="displayName"
+                    id="firstName"
                    type="text"
-                    value={formData.displayName}
-                    onChange={(e: ChangeEvent<HTMLInputElement>) => setFormData({ ...formData, displayName: e.target.value })}
-                    error={!!errors.displayName}
-                    errorMessage={errors.displayName}
-                    placeholder="SpeedyRacer42"
+                    value={formData.firstName}
+                    onChange={(e: ChangeEvent<HTMLInputElement>) => setFormData({ ...formData, firstName: e.target.value })}
+                    error={!!errors.firstName}
+                    errorMessage={errors.firstName}
+                    placeholder="John"
                    disabled={loading}
                    className="pl-10"
-                    autoComplete="username"
+                    autoComplete="given-name"
                  />
                </div>
-                <p className="mt-1 text-xs text-gray-500">This is how other drivers will see you</p>
+              </div>
+
+              {/* Last Name */}
+              <div>
+                <label htmlFor="lastName" className="block text-sm font-medium text-gray-300 mb-2">
+                  Last Name
+                </label>
+                <div className="relative">
+                  <User className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-gray-500" />
+                  <Input
+                    id="lastName"
+                    type="text"
+                    value={formData.lastName}
+                    onChange={(e: ChangeEvent<HTMLInputElement>) => setFormData({ ...formData, lastName: e.target.value })}
+                    error={!!errors.lastName}
+                    errorMessage={errors.lastName}
+                    placeholder="Smith"
+                    disabled={loading}
+                    className="pl-10"
+                    autoComplete="family-name"
+                  />
+                </div>
+                <p className="mt-1 text-xs text-gray-500">Your name will be used as-is and cannot be changed later</p>
+              </div>
+
+              {/* Name Immutability Warning */}
+              <div className="flex items-start gap-3 p-3 rounded-lg bg-warning-amber/10 border border-warning-amber/30">
+                <AlertCircle className="w-5 h-5 text-warning-amber flex-shrink-0 mt-0.5" />
+                <div className="text-sm text-warning-amber">
+                  <strong>Important:</strong> Your name cannot be changed after signup. Please ensure it's correct.
+                </div>
              </div>

              {/* Email */}
@@ -529,7 +587,7 @@ export default function SignupPage() {
              </div>
            </div>

-            {/* iRacing Signup */}
+            {/* Demo Login */}
            <motion.button
              type="button"
              onClick={handleDemoLogin}
@@ -539,7 +597,7 @@ export default function SignupPage() {
              className="w-full flex items-center justify-center gap-3 px-4 py-3 rounded-lg bg-gradient-to-r from-deep-graphite to-iron-gray border border-charcoal-outline text-gray-300 hover:border-primary-blue/30 transition-all disabled:opacity-50 group"
            >
              <Gamepad2 className="w-5 h-5 text-primary-blue" />
-              <span>Demo Login (iRacing)</span>
+              <span>Demo Login</span>
              <ChevronRight className="w-4 h-4 text-gray-500 group-hover:translate-x-0.5 transition-transform" />
            </motion.button>

--- a/apps/website/app/layout.tsx
+++ b/apps/website/app/layout.tsx
@@ -1,16 +1,15 @@
-import React from 'react';
-import type { Metadata, Viewport } from 'next';
+import AlphaFooter from '@/components/alpha/AlphaFooter';
+import { AlphaNav } from '@/components/alpha/AlphaNav';
+import DevToolbar from '@/components/dev/DevToolbar';
+import NotificationProvider from '@/components/notifications/NotificationProvider';
+import { AuthProvider } from '@/lib/auth/AuthContext';
+import { getAppMode } from '@/lib/mode';
+import { ServiceProvider } from '@/lib/services/ServiceProvider';
+import { Metadata, Viewport } from 'next';
 import Image from 'next/image';
 import Link from 'next/link';
+import React from 'react';
 import './globals.css';
-import { getAppMode } from '@/lib/mode';
-import { AlphaNav } from '@/components/alpha/AlphaNav';
-import AlphaBanner from '@/components/alpha/AlphaBanner';
-import AlphaFooter from '@/components/alpha/AlphaFooter';
-import { AuthProvider } from '@/lib/auth/AuthContext';
-import NotificationProvider from '@/components/notifications/NotificationProvider';
-import DevToolbar from '@/components/dev/DevToolbar';
-import { ServiceProvider } from '@/lib/services/ServiceProvider';

 export const dynamic = 'force-dynamic';

@@ -23,8 +22,8 @@ export const viewport: Viewport = {
 };

 export const metadata: Metadata = {
-  title: 'GridPilot - iRacing League Racing Platform',
-  description: 'The dedicated home for serious iRacing leagues. Automatic results, standings, team racing, and professional race control.',
+  title: 'GridPilot - SimRacing Platform',
+  description: 'The dedicated home for serious sim racing leagues. Automatic results, standings, team racing, and professional race control.',
  themeColor: '#0a0a0a',
  appleWebApp: {
    capable: true,
@@ -66,7 +65,6 @@ export default async function RootLayout({
            <AuthProvider initialSession={session}>
              <NotificationProvider>
                <AlphaNav />
-                <AlphaBanner />
                <main className="flex-1 max-w-7xl mx-auto px-6 py-8 w-full">
                  {children}
                </main>
--- a/apps/website/components/dev/DevToolbar.tsx
+++ b/apps/website/components/dev/DevToolbar.tsx
@@ -102,7 +102,7 @@ const urgencyOptions: UrgencyOption[] = [
  },
 ];

-type LoginMode = 'none' | 'driver' | 'sponsor';
+type LoginMode = 'none' | 'driver' | 'sponsor' | 'league-owner' | 'league-steward' | 'league-admin' | 'system-owner' | 'super-admin';

 export default function DevToolbar() {
  const router = useRouter();
@@ -118,48 +118,92 @@ export default function DevToolbar() {
  
  const currentDriverId = useEffectiveDriverId();

-  // Sync login mode with actual cookie state on mount
+  // Sync login mode with actual session state on mount
  useEffect(() => {
    if (typeof document !== 'undefined') {
+      // Check for actual session cookie first
      const cookies = document.cookie.split(';');
-      const demoModeCookie = cookies.find(c => c.trim().startsWith('gridpilot_demo_mode='));
-      if (demoModeCookie) {
-        const value = demoModeCookie.split('=')[1]?.trim();
-        if (value === 'sponsor') {
-          setLoginMode('sponsor');
-        } else if (value === 'driver') {
-          setLoginMode('driver');
-        } else {
-          setLoginMode('none');
-        }
+      const sessionCookie = cookies.find(c => c.trim().startsWith('gp_session='));
+      
+      if (sessionCookie) {
+        // User has a session cookie, check if it's valid by calling the API
+        fetch('/api/auth/session', {
+          method: 'GET',
+          credentials: 'include'
+        })
+          .then(res => {
+            if (res.ok) {
+              return res.json();
+            }
+            throw new Error('No valid session');
+          })
+          .then(session => {
+            if (session && session.user) {
+              // Determine login mode based on user email patterns
+              const email = session.user.email?.toLowerCase() || '';
+              const displayName = session.user.displayName?.toLowerCase() || '';
+              
+              let mode: LoginMode = 'none';
+              if (email.includes('sponsor') || displayName.includes('sponsor')) {
+                mode = 'sponsor';
+              } else if (email.includes('league-owner') || displayName.includes('owner')) {
+                mode = 'league-owner';
+              } else if (email.includes('league-steward') || displayName.includes('steward')) {
+                mode = 'league-steward';
+              } else if (email.includes('league-admin') || displayName.includes('admin')) {
+                mode = 'league-admin';
+              } else if (email.includes('system-owner') || displayName.includes('system owner')) {
+                mode = 'system-owner';
+              } else if (email.includes('super-admin') || displayName.includes('super admin')) {
+                mode = 'super-admin';
+              } else if (email.includes('driver') || displayName.includes('demo')) {
+                mode = 'driver';
+              }
+              
+              setLoginMode(mode);
+            } else {
+              setLoginMode('none');
+            }
+          })
+          .catch(() => {
+            // Session invalid or expired
+            setLoginMode('none');
+          });
      } else {
-        // Default to driver mode if no cookie (for demo purposes)
-        setLoginMode('driver');
+        // No session cookie means not logged in
+        setLoginMode('none');
      }
    }
  }, []);

-  const handleLoginAsDriver = async () => {
+  const handleDemoLogin = async (role: LoginMode) => {
+    if (role === 'none') return;
+    
    setLoggingIn(true);
    try {
-      // Demo: Set cookie to indicate driver mode
-      document.cookie = 'gridpilot_demo_mode=driver; path=/; max-age=86400';
-      setLoginMode('driver');
-      // Refresh to update all components that depend on demo mode
-      window.location.reload();
-    } finally {
-      setLoggingIn(false);
-    }
-  };
+      // Use the demo login API
+      const response = await fetch('/api/auth/demo-login', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ role }),
+      });

-  const handleLoginAsSponsor = async () => {
-    setLoggingIn(true);
-    try {
-      // Demo: Set cookie to indicate sponsor mode
-      document.cookie = 'gridpilot_demo_mode=sponsor; path=/; max-age=86400';
-      setLoginMode('sponsor');
-      // Navigate to sponsor dashboard
-      window.location.href = '/sponsor/dashboard';
+      if (!response.ok) {
+        throw new Error('Demo login failed');
+      }
+
+      setLoginMode(role);
+      
+      // Navigate based on role
+      if (role === 'sponsor') {
+        window.location.href = '/sponsor/dashboard';
+      } else {
+        // For driver and league roles, go to dashboard
+        window.location.href = '/dashboard';
+      }
+    } catch (error) {
+      console.error('Demo login failed:', error);
+      alert('Demo login failed. Please check the console for details.');
    } finally {
      setLoggingIn(false);
    }
@@ -168,11 +212,15 @@ export default function DevToolbar() {
  const handleLogout = async () => {
    setLoggingIn(true);
    try {
-      // Demo: Clear demo mode cookie
-      document.cookie = 'gridpilot_demo_mode=; path=/; max-age=0';
+      // Call logout API
+      await fetch('/api/auth/logout', { method: 'POST' });
+      
      setLoginMode('none');
      // Refresh to update all components
      window.location.href = '/';
+    } catch (error) {
+      console.error('Logout failed:', error);
+      alert('Logout failed. Please check the console for details.');
    } finally {
      setLoggingIn(false);
    }
@@ -561,8 +609,9 @@ export default function DevToolbar() {
            </div>

            <div className="space-y-2">
+              {/* Driver Login */}
              <button
-                onClick={handleLoginAsDriver}
+                onClick={() => handleDemoLogin('driver')}
                disabled={loggingIn || loginMode === 'driver'}
                className={`
                  w-full flex items-center gap-2 px-3 py-2 rounded-lg border text-sm font-medium transition-all
@@ -574,11 +623,63 @@ export default function DevToolbar() {
                `}
              >
                <User className="w-4 h-4" />
-                {loginMode === 'driver' ? 'Logged in as Driver' : 'Login as Driver'}
+                {loginMode === 'driver' ? '✓ Driver' : 'Login as Driver'}
              </button>

+              {/* League Owner Login */}
              <button
-                onClick={handleLoginAsSponsor}
+                onClick={() => handleDemoLogin('league-owner')}
+                disabled={loggingIn || loginMode === 'league-owner'}
+                className={`
+                  w-full flex items-center gap-2 px-3 py-2 rounded-lg border text-sm font-medium transition-all
+                  ${loginMode === 'league-owner'
+                    ? 'bg-purple-500/20 border-purple-500/50 text-purple-400'
+                    : 'bg-iron-gray/30 border-charcoal-outline text-gray-300 hover:bg-iron-gray/50'
+                  }
+                  disabled:opacity-50 disabled:cursor-not-allowed
+                `}
+              >
+                <span className="text-xs">👑</span>
+                {loginMode === 'league-owner' ? '✓ League Owner' : 'Login as League Owner'}
+              </button>
+
+              {/* League Steward Login */}
+              <button
+                onClick={() => handleDemoLogin('league-steward')}
+                disabled={loggingIn || loginMode === 'league-steward'}
+                className={`
+                  w-full flex items-center gap-2 px-3 py-2 rounded-lg border text-sm font-medium transition-all
+                  ${loginMode === 'league-steward'
+                    ? 'bg-amber-500/20 border-amber-500/50 text-amber-400'
+                    : 'bg-iron-gray/30 border-charcoal-outline text-gray-300 hover:bg-iron-gray/50'
+                  }
+                  disabled:opacity-50 disabled:cursor-not-allowed
+                `}
+              >
+                <Shield className="w-4 h-4" />
+                {loginMode === 'league-steward' ? '✓ Steward' : 'Login as Steward'}
+              </button>
+
+              {/* League Admin Login */}
+              <button
+                onClick={() => handleDemoLogin('league-admin')}
+                disabled={loggingIn || loginMode === 'league-admin'}
+                className={`
+                  w-full flex items-center gap-2 px-3 py-2 rounded-lg border text-sm font-medium transition-all
+                  ${loginMode === 'league-admin'
+                    ? 'bg-red-500/20 border-red-500/50 text-red-400'
+                    : 'bg-iron-gray/30 border-charcoal-outline text-gray-300 hover:bg-iron-gray/50'
+                  }
+                  disabled:opacity-50 disabled:cursor-not-allowed
+                `}
+              >
+                <span className="text-xs">⚙️</span>
+                {loginMode === 'league-admin' ? '✓ Admin' : 'Login as Admin'}
+              </button>
+
+              {/* Sponsor Login */}
+              <button
+                onClick={() => handleDemoLogin('sponsor')}
                disabled={loggingIn || loginMode === 'sponsor'}
                className={`
                  w-full flex items-center gap-2 px-3 py-2 rounded-lg border text-sm font-medium transition-all
@@ -590,7 +691,41 @@ export default function DevToolbar() {
                `}
              >
                <Building2 className="w-4 h-4" />
-                {loginMode === 'sponsor' ? 'Logged in as Sponsor' : 'Login as Sponsor'}
+                {loginMode === 'sponsor' ? '✓ Sponsor' : 'Login as Sponsor'}
+              </button>
+
+              {/* System Owner Login */}
+              <button
+                onClick={() => handleDemoLogin('system-owner')}
+                disabled={loggingIn || loginMode === 'system-owner'}
+                className={`
+                  w-full flex items-center gap-2 px-3 py-2 rounded-lg border text-sm font-medium transition-all
+                  ${loginMode === 'system-owner'
+                    ? 'bg-indigo-500/20 border-indigo-500/50 text-indigo-400'
+                    : 'bg-iron-gray/30 border-charcoal-outline text-gray-300 hover:bg-iron-gray/50'
+                  }
+                  disabled:opacity-50 disabled:cursor-not-allowed
+                `}
+              >
+                <span className="text-xs">👑</span>
+                {loginMode === 'system-owner' ? '✓ System Owner' : 'Login as System Owner'}
+              </button>
+
+              {/* Super Admin Login */}
+              <button
+                onClick={() => handleDemoLogin('super-admin')}
+                disabled={loggingIn || loginMode === 'super-admin'}
+                className={`
+                  w-full flex items-center gap-2 px-3 py-2 rounded-lg border text-sm font-medium transition-all
+                  ${loginMode === 'super-admin'
+                    ? 'bg-pink-500/20 border-pink-500/50 text-pink-400'
+                    : 'bg-iron-gray/30 border-charcoal-outline text-gray-300 hover:bg-iron-gray/50'
+                  }
+                  disabled:opacity-50 disabled:cursor-not-allowed
+                `}
+              >
+                <span className="text-xs">⚡</span>
+                {loginMode === 'super-admin' ? '✓ Super Admin' : 'Login as Super Admin'}
              </button>

              {loginMode !== 'none' && (
@@ -606,7 +741,7 @@ export default function DevToolbar() {
            </div>

            <p className="text-[10px] text-gray-600 mt-2">
-              Switch between driver and sponsor views for demo purposes.
+              Test different user roles for demo purposes. Dashboard works for all roles.
            </p>
          </div>
        </div>
--- a/apps/website/components/profile/UserPill.tsx
+++ b/apps/website/components/profile/UserPill.tsx
@@ -28,6 +28,43 @@ function useSponsorMode(): boolean {
  return isSponsor;
 }

+// Hook to detect demo user mode
+function useDemoUserMode(): { isDemo: boolean; demoRole: string | null } {
+  const { session } = useAuth();
+  const [demoMode, setDemoMode] = useState({ isDemo: false, demoRole: null as string | null });
+  
+  useEffect(() => {
+    if (!session?.user) {
+      setDemoMode({ isDemo: false, demoRole: null });
+      return;
+    }
+
+    const email = session.user.email?.toLowerCase() || '';
+    const displayName = session.user.displayName?.toLowerCase() || '';
+    const primaryDriverId = (session.user as any).primaryDriverId || '';
+
+    // Check if this is a demo user
+    if (email.includes('demo') ||
+        displayName.includes('demo') ||
+        primaryDriverId.startsWith('demo-')) {
+      
+      let role = 'driver';
+      if (email.includes('sponsor')) role = 'sponsor';
+      else if (email.includes('league-owner') || displayName.includes('owner')) role = 'league-owner';
+      else if (email.includes('league-steward') || displayName.includes('steward')) role = 'league-steward';
+      else if (email.includes('league-admin') || displayName.includes('admin')) role = 'league-admin';
+      else if (email.includes('system-owner') || displayName.includes('system owner')) role = 'system-owner';
+      else if (email.includes('super-admin') || displayName.includes('super admin')) role = 'super-admin';
+      
+      setDemoMode({ isDemo: true, demoRole: role });
+    } else {
+      setDemoMode({ isDemo: false, demoRole: null });
+    }
+  }, [session]);
+  
+  return demoMode;
+}
+
 // Sponsor Pill Component - matches the style of DriverSummaryPill
 function SponsorSummaryPill({ 
  onClick, 
@@ -88,16 +125,17 @@ export default function UserPill() {
  const [driver, setDriver] = useState<DriverViewModel | null>(null);
  const [isMenuOpen, setIsMenuOpen] = useState(false);
  const isSponsorMode = useSponsorMode();
+  const { isDemo, demoRole } = useDemoUserMode();
  const shouldReduceMotion = useReducedMotion();

-
  const primaryDriverId = useEffectiveDriverId();

+  // Load driver data only for non-demo users
  useEffect(() => {
    let cancelled = false;

    async function loadDriver() {
-      if (!primaryDriverId) {
+      if (!primaryDriverId || isDemo) {
        if (!cancelled) {
          setDriver(null);
        }
@@ -115,10 +153,25 @@ export default function UserPill() {
    return () => {
      cancelled = true;
    };
-  }, [primaryDriverId, driverService]);
+  }, [primaryDriverId, driverService, isDemo]);

  const data = useMemo(() => {
-    if (!session?.user || !primaryDriverId || !driver) {
+    if (!session?.user) {
+      return null;
+    }
+
+    // Demo users don't have real driver data
+    if (isDemo) {
+      return {
+        isDemo: true,
+        demoRole,
+        displayName: session.user.displayName,
+        email: session.user.email,
+        avatarUrl: session.user.avatarUrl,
+      };
+    }
+
+    if (!primaryDriverId || !driver) {
      return null;
    }

@@ -134,8 +187,10 @@ export default function UserPill() {
      avatarSrc,
      rating,
      rank,
+      isDemo: false,
+      demoRole: null,
    };
-  }, [session, driver, primaryDriverId]);
+  }, [session, driver, primaryDriverId, isDemo, demoRole]);

  // Close menu when clicking outside
  useEffect(() => {
@@ -151,6 +206,143 @@ export default function UserPill() {
    return () => document.removeEventListener('click', handleClickOutside);
  }, [isMenuOpen]);

+  // Logout handler for demo users
+  const handleLogout = async () => {
+    try {
+      // Call the logout API
+      await fetch('/api/auth/logout', { method: 'POST' });
+      // Clear any demo mode cookies
+      document.cookie = 'gridpilot_demo_mode=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
+      // Redirect to home
+      window.location.href = '/';
+    } catch (error) {
+      console.error('Logout failed:', error);
+      window.location.href = '/';
+    }
+  };
+
+  // Demo user UI
+  if (isDemo && data?.isDemo) {
+    const roleLabel = {
+      'driver': 'Driver',
+      'sponsor': 'Sponsor',
+      'league-owner': 'League Owner',
+      'league-steward': 'League Steward',
+      'league-admin': 'League Admin',
+      'system-owner': 'System Owner',
+      'super-admin': 'Super Admin',
+    }[demoRole || 'driver'];
+
+    const roleColor = {
+      'driver': 'text-primary-blue',
+      'sponsor': 'text-performance-green',
+      'league-owner': 'text-purple-400',
+      'league-steward': 'text-amber-400',
+      'league-admin': 'text-red-400',
+      'system-owner': 'text-indigo-400',
+      'super-admin': 'text-pink-400',
+    }[demoRole || 'driver'];
+
+    return (
+      <div className="relative inline-flex items-center" data-user-pill>
+        <motion.button
+          onClick={() => setIsMenuOpen((open) => !open)}
+          className="group flex items-center gap-3 rounded-full bg-gradient-to-r from-iron-gray to-deep-graphite border border-charcoal-outline px-3 py-1.5 hover:border-primary-blue/50 transition-all duration-200"
+          whileHover={{ scale: 1.02 }}
+          whileTap={{ scale: 0.98 }}
+        >
+          {/* Avatar */}
+          <div className="relative">
+            {data.avatarUrl ? (
+              <div className="w-8 h-8 rounded-full overflow-hidden bg-charcoal-outline flex items-center justify-center border border-charcoal-outline/80">
+                <img
+                  src={data.avatarUrl}
+                  alt={data.displayName}
+                  className="w-full h-full object-cover"
+                />
+              </div>
+            ) : (
+              <div className="w-8 h-8 rounded-full bg-gradient-to-br from-primary-blue/20 to-primary-blue/5 border border-primary-blue/30 flex items-center justify-center">
+                <span className="text-xs font-bold text-primary-blue">DEMO</span>
+              </div>
+            )}
+            <div className="absolute -bottom-0.5 -right-0.5 w-3 h-3 rounded-full bg-primary-blue border-2 border-deep-graphite" />
+          </div>
+
+          {/* Info */}
+          <div className="hidden sm:flex flex-col items-start">
+            <span className="text-xs font-semibold text-white truncate max-w-[100px]">
+              {data.displayName}
+            </span>
+            <span className={`text-[10px] ${roleColor} font-medium`}>
+              {roleLabel}
+            </span>
+          </div>
+
+          {/* Chevron */}
+          <ChevronDown className="w-3.5 h-3.5 text-gray-500 group-hover:text-gray-300 transition-colors" />
+        </motion.button>
+
+        <AnimatePresence>
+          {isMenuOpen && (
+            <motion.div
+              className="absolute right-0 top-full mt-2 w-56 rounded-xl bg-deep-graphite border border-charcoal-outline shadow-xl shadow-black/30 z-50 overflow-hidden"
+              initial={{ opacity: 0, y: -10, scale: 0.95 }}
+              animate={{ opacity: 1, y: 0, scale: 1 }}
+              exit={{ opacity: 0, y: -10, scale: 0.95 }}
+              transition={{ duration: 0.15 }}
+            >
+              {/* Header */}
+              <div className="p-4 bg-gradient-to-r from-primary-blue/10 to-transparent border-b border-charcoal-outline">
+                <div className="flex items-center gap-3">
+                  {data.avatarUrl ? (
+                    <div className="w-10 h-10 rounded-lg overflow-hidden bg-charcoal-outline flex items-center justify-center border border-charcoal-outline/80">
+                      <img
+                        src={data.avatarUrl}
+                        alt={data.displayName}
+                        className="w-full h-full object-cover"
+                      />
+                    </div>
+                  ) : (
+                    <div className="w-10 h-10 rounded-lg bg-gradient-to-br from-primary-blue/20 to-primary-blue/5 border border-primary-blue/30 flex items-center justify-center">
+                      <span className="text-xs font-bold text-primary-blue">DEMO</span>
+                    </div>
+                  )}
+                  <div>
+                    <p className="text-sm font-semibold text-white">{data.displayName}</p>
+                    <p className={`text-xs ${roleColor}`}>{roleLabel}</p>
+                  </div>
+                </div>
+                <div className="mt-2 text-xs text-gray-500">
+                  Development account - not for production use
+                </div>
+              </div>
+
+              {/* Menu Items */}
+              <div className="py-1 text-sm text-gray-200">
+                <div className="px-4 py-2 text-xs text-gray-500 italic">
+                  Demo users have limited profile access
+                </div>
+              </div>
+
+              {/* Footer */}
+              <div className="border-t border-charcoal-outline">
+                <button
+                  type="button"
+                  onClick={handleLogout}
+                  className="flex w-full items-center justify-between px-4 py-3 text-sm text-gray-500 hover:text-racing-red hover:bg-racing-red/5 transition-colors"
+                >
+                  <span>Logout</span>
+                  <LogOut className="h-4 w-4" />
+                </button>
+              </div>
+            </motion.div>
+          )}
+        </AnimatePresence>
+      </div>
+    );
+  }
+
  // Sponsor mode UI
  if (isSponsorMode) {
    return (
@@ -280,7 +472,12 @@ export default function UserPill() {
    );
  }

-  if (!data) {
+  if (!data || data.isDemo) {
+    return null;
+  }
+
+  // Type guard to ensure data has the required properties for regular driver
+  if (!data.driver || data.rating === undefined || data.rank === undefined) {
    return null;
  }

--- a/apps/website/lib/api/auth/AuthApiClient.ts
+++ b/apps/website/lib/api/auth/AuthApiClient.ts
@@ -4,6 +4,9 @@ import { LoginParamsDTO } from '../../types/generated/LoginParamsDTO';
 import { SignupParamsDTO } from '../../types/generated/SignupParamsDTO';
 import { LoginWithIracingCallbackParamsDTO } from '../../types/generated/LoginWithIracingCallbackParamsDTO';
 import { IracingAuthRedirectResultDTO } from '../../types/generated/IracingAuthRedirectResultDTO';
+import { ForgotPasswordDTO } from '../../types/generated/ForgotPasswordDTO';
+import { ResetPasswordDTO } from '../../types/generated/ResetPasswordDTO';
+import { DemoLoginDTO } from '../../types/generated/DemoLoginDTO';

 /**
 * Auth API Client
@@ -58,4 +61,19 @@ export class AuthApiClient extends BaseApiClient {
    }
    return this.get<AuthSessionDTO>(`/auth/iracing/callback?${query.toString()}`);
  }
+
+  /** Forgot password - send reset link */
+  forgotPassword(params: ForgotPasswordDTO): Promise<{ message: string; magicLink?: string }> {
+    return this.post<{ message: string; magicLink?: string }>('/auth/forgot-password', params);
+  }
+
+  /** Reset password with token */
+  resetPassword(params: ResetPasswordDTO): Promise<{ message: string }> {
+    return this.post<{ message: string }>('/auth/reset-password', params);
+  }
+
+  /** Demo login (development only) */
+  demoLogin(params: DemoLoginDTO): Promise<AuthSessionDTO> {
+    return this.post<AuthSessionDTO>('/auth/demo-login', params);
+  }
 }
--- a/apps/website/lib/mode.ts
+++ b/apps/website/lib/mode.ts
@@ -63,7 +63,24 @@ export function isAlpha(): boolean {
 * Get list of public routes that are always accessible
 */
 export function getPublicRoutes(): readonly string[] {
-  return ['/', '/api/signup'] as const;
+  return [
+    '/',
+    '/api/signup',
+    '/api/auth/signup',
+    '/api/auth/login',
+    '/api/auth/forgot-password',
+    '/api/auth/reset-password',
+    '/api/auth/demo-login',
+    '/api/auth/session',
+    '/api/auth/logout',
+    '/auth/login',
+    '/auth/signup',
+    '/auth/forgot-password',
+    '/auth/reset-password',
+    '/auth/iracing',
+    '/auth/iracing/start',
+    '/auth/iracing/callback',
+  ] as const;
 }

 /**
--- a/apps/website/lib/services/auth/AuthService.ts
+++ b/apps/website/lib/services/auth/AuthService.ts
@@ -3,6 +3,9 @@ import { SessionViewModel } from '../../view-models/SessionViewModel';
 import type { LoginParamsDTO } from '../../types/generated/LoginParamsDTO';
 import type { SignupParamsDTO } from '../../types/generated/SignupParamsDTO';
 import type { LoginWithIracingCallbackParamsDTO } from '../../types/generated/LoginWithIracingCallbackParamsDTO';
+import type { ForgotPasswordDTO } from '../../types/generated/ForgotPasswordDTO';
+import type { ResetPasswordDTO } from '../../types/generated/ResetPasswordDTO';
+import type { DemoLoginDTO } from '../../types/generated/DemoLoginDTO';

 /**
 * Auth Service
@@ -68,4 +71,38 @@ export class AuthService {
      throw error;
    }
  }
+
+  /**
+   * Forgot password - send reset link
+   */
+  async forgotPassword(params: ForgotPasswordDTO): Promise<{ message: string; magicLink?: string }> {
+    try {
+      return await this.apiClient.forgotPassword(params);
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  /**
+   * Reset password with token
+   */
+  async resetPassword(params: ResetPasswordDTO): Promise<{ message: string }> {
+    try {
+      return await this.apiClient.resetPassword(params);
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  /**
+   * Demo login (development only)
+   */
+  async demoLogin(params: DemoLoginDTO): Promise<SessionViewModel> {
+    try {
+      const dto = await this.apiClient.demoLogin(params);
+      return new SessionViewModel(dto.user);
+    } catch (error) {
+      throw error;
+    }
+  }
 }
--- a/apps/website/lib/types/generated/AuthenticatedUserDTO.ts
+++ b/apps/website/lib/types/generated/AuthenticatedUserDTO.ts
@@ -9,4 +9,6 @@ export interface AuthenticatedUserDTO {
  userId: string;
  email: string;
  displayName: string;
+  primaryDriverId?: string;
+  avatarUrl?: string | null;
 }
--- a/apps/website/lib/types/generated/DemoLoginDTO.ts
+++ b/apps/website/lib/types/generated/DemoLoginDTO.ts
@@ -0,0 +1,3 @@
+export interface DemoLoginDTO {
+  role: 'driver' | 'sponsor';
+}
--- a/apps/website/lib/types/generated/ForgotPasswordDTO.ts
+++ b/apps/website/lib/types/generated/ForgotPasswordDTO.ts
@@ -0,0 +1,3 @@
+export interface ForgotPasswordDTO {
+  email: string;
+}
--- a/apps/website/lib/types/generated/ResetPasswordDTO.ts
+++ b/apps/website/lib/types/generated/ResetPasswordDTO.ts
@@ -0,0 +1,4 @@
+export interface ResetPasswordDTO {
+  token: string;
+  newPassword: string;
+}
--- a/apps/website/lib/view-models/SessionViewModel.ts
+++ b/apps/website/lib/view-models/SessionViewModel.ts
@@ -4,18 +4,22 @@ export class SessionViewModel {
  userId: string;
  email: string;
  displayName: string;
+  avatarUrl?: string | null;

  constructor(dto: AuthenticatedUserDTO) {
    this.userId = dto.userId;
    this.email = dto.email;
    this.displayName = dto.displayName;

-    const anyDto = dto as unknown as { primaryDriverId?: unknown; driverId?: unknown };
+    const anyDto = dto as unknown as { primaryDriverId?: unknown; driverId?: unknown; avatarUrl?: unknown };
    if (typeof anyDto.primaryDriverId === 'string' && anyDto.primaryDriverId) {
      this.driverId = anyDto.primaryDriverId;
    } else if (typeof anyDto.driverId === 'string' && anyDto.driverId) {
      this.driverId = anyDto.driverId;
    }
+    if (anyDto.avatarUrl !== undefined) {
+      this.avatarUrl = anyDto.avatarUrl as string | null;
+    }
  }

  // Note: The generated DTO doesn't have these fields
@@ -32,12 +36,14 @@ export class SessionViewModel {
    email: string;
    displayName: string;
    primaryDriverId?: string | null;
+    avatarUrl?: string | null;
  } {
    return {
      userId: this.userId,
      email: this.email,
      displayName: this.displayName,
      primaryDriverId: this.driverId ?? null,
+      avatarUrl: this.avatarUrl,
    };
  }

--- a/apps/website/middleware.ts
+++ b/apps/website/middleware.ts
@@ -3,14 +3,13 @@ import type { NextRequest } from 'next/server';
 import { getAppMode, isPublicRoute } from './lib/mode';

 /**
- * Next.js middleware for route protection based on application mode
+ * Next.js middleware for route protection
 *
- * In pre-launch mode:
- * - Only allows access to public routes (/, /api/signup)
- * - Returns 404 for all other routes
- *
- * In alpha mode:
- * - All routes are accessible
+ * Features:
+ * - Public routes are always accessible
+ * - Protected routes require authentication
+ * - Demo mode allows access to all routes
+ * - Returns 401 for unauthenticated access to protected routes
 */
 export function middleware(request: NextRequest) {
  const mode = getAppMode();
@@ -20,18 +19,39 @@ export function middleware(request: NextRequest) {
  if (pathname === '/404' || pathname === '/500' || pathname === '/_error') {
    return NextResponse.next();
  }
-  
-  // In alpha mode, allow all routes
-  if (mode === 'alpha') {
+
+  // Always allow static assets and API routes (API handles its own auth)
+  if (
+    pathname.startsWith('/_next/') ||
+    pathname.startsWith('/api/') ||
+    pathname.match(/\.(svg|png|jpg|jpeg|gif|webp|ico|css|js)$/)
+  ) {
    return NextResponse.next();
  }
-  
-  // In pre-launch mode, check if route is public
+
+  // Public routes are always accessible
  if (isPublicRoute(pathname)) {
    return NextResponse.next();
  }
-  
-  // Protected route in pre-launch mode - return 404
+
+  // Check for authentication cookie
+  const cookies = request.cookies;
+  const hasAuthCookie = cookies.has('gp_session');
+
+  // In demo/alpha mode, allow access if session cookie exists
+  if (mode === 'alpha' && hasAuthCookie) {
+    return NextResponse.next();
+  }
+
+  // In demo/alpha mode without auth, redirect to login
+  if (mode === 'alpha' && !hasAuthCookie) {
+    const loginUrl = new URL('/auth/login', request.url);
+    loginUrl.searchParams.set('returnTo', pathname);
+    return NextResponse.redirect(loginUrl);
+  }
+
+  // In pre-launch mode, only public routes are accessible
+  // Protected routes return 404 (non-disclosure)
  return new NextResponse(null, {
    status: 404,
    statusText: 'Not Found',
--- a/apps/website/next.config.mjs
+++ b/apps/website/next.config.mjs
@@ -45,9 +45,8 @@ const nextConfig = {
    contentDispositionType: 'inline',
  },
  async rewrites() {
-    // Always use the internal Docker API URL in development
-    // This ensures the website container can fetch images during optimization
-    const baseUrl = 'http://api:3000';
+    // Use API_BASE_URL if set, otherwise use internal Docker URL
+    const baseUrl = process.env.API_BASE_URL || 'http://api:3000';

    return [
      {
@@ -76,4 +75,4 @@ const nextConfig = {
  },
 };

-export default nextConfig;
+export default nextConfig;