feat: add email login option alongside GitHub OAuth

[khaliqgant]

Add email/password authentication as an alternative to GitHub OAuth:

• Database schema changes:

  • Add passwordHash, emailVerified, emailVerificationToken,
    emailVerificationExpires, displayName fields to users table
  • Make githubId and githubUsername nullable for email-only users
  • Add unique constraint and index on email

• New API endpoints in /api/auth/email:

  • POST /signup - create account with email/password
  • POST /login - authenticate with email/password
  • POST /verify - verify email with token
  • POST /resend-verification - resend verification email
  • POST /set-email - set email for GitHub users without one
  • POST /set-password - add password to existing account

• UI updates:

  • Login page: tabbed interface for GitHub/Email login
  • Signup page: tabbed interface for GitHub/Email signup
  • New complete-profile page for GitHub users without email

GitHub users without a public email are redirected to /complete-profile
to provide their email address before continuing.

---

[my-senior-dev-pr-review]

🤖 My Senior Dev — Analysis Complete

👤 For @khaliqgant

📁 Expert in src (662 edits) • ⚡ 152nd PR this month

View your contributor analytics →

---

📊 14 files reviewed • 5 high risk • 10 need attention

🚨 High Risk:

• packages/cloud/src/api/email-auth.ts — This file contains the core authentication logic and multiple critical security vulnerabilities.
• packages/cloud/src/db/drizzle.ts — Database operations responsiveness are critical for user data integrity.
• packages/dashboard/ui/app/login/page.tsx — Modifications on login page need to accommodate both authentication methods securely.
• +4 more

⚠️ Needs Attention:

• packages/cloud/src/api/billing.ts — Changes affect user subscription handling and admin checks.
• packages/dashboard/ui/app/signup/page.tsx — Sign-up alterations have implications for user data accuracy.
• +1 more concerns...

---

🚀 Open Interactive Review →

The full interface unlocks features not available in GitHub:

• 💬 AI Chat — Ask questions on any file, get context-aware answers
• 🔍 Smart Hovers — See symbol definitions and usage without leaving the diff
• 📚 Code Archeology — Understand how files evolved over time (/archeology)
• 🎯 Learning Insights — See how this PR compares to similar changes

---

💬 Chat here: @my-senior-dev explain this change — or try @chaos-monkey @security-auditor @optimizer @skeptic @junior-dev

📖 View all 12 personas & slash commands

You can interact with me by mentioning @my-senior-dev in any comment:

In PR comments or on any line of code:

• Ask questions about the code or PR
• Request explanations of specific changes
• Get suggestions for improvements

Slash commands:

• /help — Show all available commands
• /archeology — See the history and evolution of changed files
• /profile — Performance analysis and suggestions
• /expertise — Find who knows this code best
• /personas — List all available AI personas

AI Personas (mention to get their perspective):

Persona	Focus
@chaos-monkey 🐵	Edge cases & failure scenarios
@skeptic 🤨	Challenge assumptions
@optimizer ⚡	Performance & efficiency
@security-auditor 🔒	Security vulnerabilities
@accessibility-advocate ♿	Inclusive design
@junior-dev 🌱	Simple explanations
@tech-debt-collector 💳	Code quality & shortcuts
@ux-champion 🎨	User experience
@devops-engineer 🚀	Deployment & scaling
@documentation-nazi 📚	Documentation gaps
@legacy-whisperer 🏛️	Working with existing code
@test-driven-purist ✅	Testing & TDD

For the best experience, view this PR on myseniordev.com — includes AI chat, file annotations, and interactive reviews.

[devin-ai-integration]

Devin Review found 1 potential issue.

View issue and 5 additional flags in Devin Review.

[devin-ai-integration]

🔴 Complete Profile page expects wrong response structure from /api/auth/me endpoint

The complete-profile page incorrectly accesses user data from the /api/auth/me API response, causing the page to malfunction.

Click to expand

Issue

The complete-profile/page.tsx fetches from /api/auth/me and expects the response to have user data nested under a user property:

// complete-profile/page.tsx:39
if (data.user?.email) {
  window.location.href = '/app';
  return;
}
setUser(data.user);  // line 44

However, the /api/auth/me endpoint (packages/cloud/src/api/auth.ts:73-83) returns user data at the top level:

res.json({
  id: user.id,
  githubUsername: user.githubUsername,
  email: user.email,
  avatarUrl: user.avatarUrl,
  // ... no 'user' wrapper
});

Impact

1. data.user will always be undefined
2. The email check data.user?.email will always be falsy, so users with email won't be redirected to /app
3. setUser(data.user) sets user state to undefined, causing the user info section to not render properly
4. GitHub users who need to provide an email will see a broken page with no user info displayed

Expected vs Actual

• Expected: Page should access data.email and setUser(data) (or API should return { user: {...} })
• Actual: Page accesses data.user?.email and setUser(data.user) which are always undefined

Recommendation: Change line 39 to if (data.email) and line 44 to setUser(data) to match the actual response structure from /api/auth/me. Alternatively, change the page to use /api/auth/session which does return { user: {...} } structure.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

In general terms, the fix is to apply a rate-limiting middleware to the sensitive authentication routes so that repeated login attempts from the same client are limited over a time window. This prevents brute-force password attacks and reduces the impact of request floods on expensive operations like password hashing and database lookups.

The best way to fix this without changing existing functionality is to introduce a dedicated rate limiter (using a well-known library like express-rate-limit) and apply it to the /login route (and optionally other auth routes). We can define the limiter once in packages/cloud/src/api/email-auth.ts and then use it as a middleware before the async handler for the login endpoint. For example, limit each IP to a modest number of login attempts (e.g., 10) per 15 minutes, returning HTTP 429 when the limit is exceeded. Implementation steps in this file:

• Add an import for express-rate-limit.
• Define a loginRateLimiter configured for the login use case.
• Change the /login route registration from emailAuthRouter.post('/login', async (...) => { ... }) to emailAuthRouter.post('/login', loginRateLimiter, async (...) => { ... }).
  No changes are needed to the logic inside the handler itself.

In general, the fix is to add a rate-limiting middleware to sensitive routes that perform authentication/authorization or other expensive operations. In this file, the key routes are POST /signup, POST /login, POST /verify, and potentially POST /resend-verification. The best approach without changing existing behavior is to introduce a rate limiter with conservative limits tailored for auth flows (e.g., a small number of attempts per IP per unit time) and apply it specifically to these routes. This keeps the rest of the router unchanged and adds only middleware wrappers.

Concretely for packages/cloud/src/api/email-auth.ts:

• Import a well-known rate-limiting library such as express-rate-limit.
• Define one or more limiters, for example:
  • An authRateLimiter for signup and login (e.g., 10–20 requests per 15 minutes).
  • A tokenRateLimiter for verification and resend-verification routes (e.g., 30 requests per 15 minutes).
• Apply the limiters by adding them as middleware arguments to emailAuthRouter.post(...) for /signup, /login, /verify, and /resend-verification. This preserves all route logic while enforcing rate limits.
• Keep the limits moderate to avoid breaking existing users but strong enough to mitigate brute force and DoS against the auth DB operations.

All changes will stay within this file: add the express-rate-limit import, define limiter constants near the top (after router creation), and update the route declarations to include the limiter middlewares.

[devin-ai-integration]

Devin Review found 1 new potential issue.

View issue and 8 additional flags in Devin Review.

[devin-ai-integration]

🟡 Race condition in syncFromGitHub due to non-atomic delete-then-insert

The syncFromGitHub function performs a delete followed by an insert as two separate database operations without a transaction.

Click to expand

Issue

At packages/cloud/src/db/drizzle.ts:360-382, the function:

1. Deletes all GitHub-sourced emails for the user
2. Then inserts the new emails

// Delete existing GitHub-sourced emails for this user
await db.delete(schema.userEmails).where(...);

// Insert all new emails
if (emails.length > 0) {
  await db.insert(schema.userEmails).values(...);
}

Race Condition

If a concurrent login attempt via findUserByEmail (drizzle.ts:312-334) occurs between the DELETE and INSERT operations, the lookup will fail to find the user because their emails have been deleted but not yet re-inserted.

Impact

This could cause intermittent authentication failures for GitHub users logging in while their emails are being re-synced (e.g., during a concurrent login from another device or when the Nango webhook fires).

Expected Behavior

The delete and insert should be wrapped in a database transaction to ensure atomicity.

Recommendation: Wrap the delete and insert operations in a database transaction using Drizzle's transaction API: await db.transaction(async (tx) => { await tx.delete(...); await tx.insert(...); })

---

Was this helpful? React with 👍 or 👎 to provide feedback.