You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ation
- Add Google, Apple, and Facebook OAuth providers to NextAuth configuration
- Implement email verification flow for credentials-based signup
- Create email service using nodemailer with Fastmail SMTP support
- Add social login buttons component with proper branding
- Create verify-request and error pages for auth flows
- Update registration to send verification emails
- Block unverified users from logging in with credentials
- Add comprehensive OAuth setup documentation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Missing rate limiting on auth endpoints - resend-verification/route.ts and verify-email/route.ts have no rate limiting, allowing brute-force token guessing or email spam attacks.
Verification token enumeration - resend-verification/route.ts:39-42 reveals whether email is verified vs non-existent, leaking user registration status.
OAuth providers fail silently without env vars - auth-options.ts:20-31 uses non-null assertions (!) for OAuth secrets. If env vars are missing, the app will crash at runtime rather than gracefully disabling providers.
Code Issues
Transporter initialized at module load - email-service.ts:3-11 creates SMTP connection on module import, which will fail during build or if SMTP env vars are missing in non-email-required environments.
XSS in email template - email-service.ts:18 includes email parameter directly in HTML without escaping. While encodeURIComponent is used in the URL, the raw email could contain HTML if the email validation is bypassed.
Inconsistent error handling in registration - register/route.ts:90-108 sends verification email but if email sending fails, user is created without ability to verify (no cleanup/rollback).
Missing Tests
No tests for any auth endpoints - Critical auth flows (registration, verification, resend) have no test coverage for success cases, error handling, or edge cases like expired tokens.
Style Issues
Hardcoded colors - social-login-buttons.tsx:76-78, verify-request-content.tsx:91,96, auth-error-content.tsx:62 use hardcoded colors like #EF4444, #06B6D4 instead of design tokens per CLAUDE.md guidelines.
Inline styles - Multiple components use style prop extensively instead of CSS, violating CLAUDE.md guidelines.
Security fixes:
- Fix verification token enumeration by returning same message for all cases
- Lazy-load email transporter to avoid initialization at module load
- Add HTML escaping for email in verification templates
- Conditionally load OAuth providers only when env vars are configured
- Handle email sending failure gracefully in registration
Style fixes:
- Replace hardcoded colors with theme tokens in auth pages
- Add comment explaining brand-specific OAuth button colors
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
No rate limiting on email endpoints - /api/auth/resend-verification/route.ts and /api/auth/register/route.ts lack rate limiting, allowing attackers to spam verification emails or perform email enumeration via timing attacks.
Missing email input validation - resend-verification/route.ts:9 accepts raw email from request.json() without Zod validation (unlike register/route.ts which uses Zod).
Timing attack vulnerability - resend-verification/route.ts:30-34 returns immediately for non-existent/verified users but continues to send email for unverified users. The timing difference can leak user status despite the generic message.
Code Issues
Social buttons show even when providers not configured - social-login-buttons.tsx always renders all 3 OAuth buttons, but auth-options.ts conditionally adds providers. Users will see broken login buttons if env vars aren't set.
Hardcoded colors in email template - email-service.ts:51-70 uses hardcoded hex colors (#06B6D4, #333, etc.) instead of design tokens, violating the CLAUDE.md guideline.
Inconsistent error handling - verify-email/route.ts:57-60 updates emailVerified without checking if the user exists, silently succeeding even if the email doesn't match any user.
Missing @types/nodemailer in prod dependencies - package.json adds nodemailer to dependencies but @types/nodemailer to devDependencies. Since nodemailer is used in server code, the types should match the runtime dependency placement.
Missing Tests
No test coverage - This PR adds 4 new API endpoints and auth logic with no tests for: email verification flow, token expiration, resend functionality, OAuth signIn callback, or the createUser event.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes
New Files
packages/web/app/lib/email/email-service.ts- Nodemailer SMTP email servicepackages/web/app/api/auth/verify-email/route.ts- Email verification endpointpackages/web/app/api/auth/resend-verification/route.ts- Resend verification endpointpackages/web/app/components/auth/social-login-buttons.tsx- OAuth buttons componentpackages/web/app/auth/verify-request/- Verification request pagepackages/web/app/auth/error/- Auth error pagedocs/oauth-setup.md- Setup documentationModified Files
packages/web/app/lib/auth/auth-options.ts- Added Apple/Facebook providers and verification callbackspackages/web/app/api/auth/register/route.ts- Added email verification on registrationpackages/web/app/auth/login/auth-page-content.tsx- Replaced disabled Google button with social buttonspackages/web/app/components/auth/auth-modal.tsx- Same social buttons updateTest plan
🤖 Generated with Claude Code