Skip to content

feat(auth): email verification, Google OAuth, and account settings#4

Merged
BODMAT merged 18 commits into
masterfrom
feat/auth-email-verification-and-account-linking
May 21, 2026
Merged

feat(auth): email verification, Google OAuth, and account settings#4
BODMAT merged 18 commits into
masterfrom
feat/auth-email-verification-and-account-linking

Conversation

@BODMAT

@BODMAT BODMAT commented May 21, 2026

Copy link
Copy Markdown
Owner

What

Adds email verification to the registration flow, Google OAuth sign-in with
automatic account linking, and a full account settings UI (profile, password,
account deletion).

Changes

Backend

  • AuthIdentity table for multi-provider support (local + google)
  • EmailToken table for hashed, single-use verification tokens (24h TTL)
  • Register now issues a verify link; login blocks unverified accounts with 403
  • Google sign-in auto-links to a verified account on email match, or creates a
    new one; unverified squats on the same email are cleared
  • Endpoints: set-password, delete-account, update-profile,
    resend-verification, verify-email
  • authController.ts split into focused modules under controllers/auth/
  • Wallet FK fixed with ON DELETE CASCADE
  • SMTP transport lazy-loaded via env vars; in-memory capture in test env

Frontend

  • Verification stage ("Check your inbox") with resend button
  • Account settings popup: profile tab (avatar, login), password tab, delete tab
  • AuthQueryParamToast surfaces ?auth= outcomes on redirect back from Google
  • Settings avatar in the header
  • auth.utils.ts with shared inputClass, secondaryButtonClass,
    extractServerError
  • AuthPopup and AccountSettingsPopup split into subfolders

Security

  • Squat protection: unverified records with the same login/email are dropped
    before a new registration
  • Google linking requires the existing account to be email-verified
  • Account deletion requires password confirmation for local users; session is
    sufficient for Google-only users
  • Integration tests cover takeover protection, verification states, Google
    linking, set-password and logout-all

Testing

22 passed, 0 failed

auth.security.int.test.ts covers:

  • email verification states (blocked login, resend, verify flow)
  • squat protection on register (login and email collision)
  • Google auto-link and squat-replace
  • set-password with old-password check
  • update-profile rename, 409 on taken login, photoUrl validation
  • account deletion for local and Google-only users
  • logout-all session revocation

BODMAT added 18 commits May 20, 2026 22:42
Split provider/providerId into AuthIdentity for multi-provider support.
Add EmailToken for verification flows. Backfill existing users as verified.
Lazy SMTP via env vars, jsonTransport fallback when credentials are missing.
In-memory capture for tests; jest.setup resets it between tests.
Register issues a hashed EmailToken and sends a verify link instead of
opening a session. Login rejects unverified accounts with 403. Adds
verify-email and resend-verification endpoints.
Google callback no longer auto-links on email match. Issues a 1h
merge_google token via email; /auth/verify-merge attaches the identity
after the user clicks the link.
set-password creates a local AuthIdentity on first use and requires old
password to change. OTP emails a random password. Account deletion requires
password for local users or an email link for google-only.
Seed creates a local AuthIdentity per user and marks them verified.
registerAndCreateWallet now flips the verified flag and re-logs in since
register no longer opens a session.
Account deletion was failing with FK violation because Wallet.user had
no onDelete rule. Migration drops and re-adds the FK with ON DELETE
CASCADE.
Drop any unverified record with the same login or email before creating
a new user. Lets the real owner recover and blocks squat attacks.
Auth button covers sign-in/sign-up, verifying stage with resend, and
logout/logout-all. Settings popup adds tabs for password, OTP and
account deletion. AuthQueryParamToast shows auth= outcomes with auto-dismiss.
- return photoUrl in safe user schema
- allow Google linking when the same user starts Google auth
- update header labels and profile copy
- normalize photo URL handling
Add auth.security.int.test.ts covering takeover protection, verification
states, Google linking, set-password, account deletion and logout-all.
Block request-delete for password accounts. Fix email template encoding.
Stabilize auth security integration tests.
… verified emails


- remove OTP, merge-confirmation and email-link deletion
- deleteAccount now relies on session for google-only users
- google sign-in auto-links to verified accounts and clears unverified squats
- photoUrl restricted to https/data: URLs; PasswordField extracted for show/hide
@BODMAT BODMAT merged commit e2fffd3 into master May 21, 2026
1 check passed
@BODMAT BODMAT deleted the feat/auth-email-verification-and-account-linking branch May 21, 2026 12:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant