dunkirk.sh / thistle
🪻 distributed transcription service thistle.dunkirk.sh
fork atom

feat: handle null createdAt case in email verification

dunkirk.sh ec5cb8d4 d206be10

verified
options
unified split
Changed files
+97 -4
src
index.ts
lib
auth.ts
+84 -2
src/index.ts 
···

       
28

       
 

       
	verifyEmailToken,


     

       
29

       
 

       
	verifyEmailCode,


     

       
30

       
 

       
	isEmailVerified,


     

       

       

       
     

       
31

       
 

       
	createPasswordResetToken,


     

       
32

       
 

       
	verifyPasswordResetToken,


     

       
33

       
 

       
	consumePasswordResetToken,


     
···

       
267

       
 

       
					const user = await createUser(email, password, name);


     

       
268

       
 

       
					


     

       
269

       
 

       
					// Send verification email - MUST succeed for registration to complete


     

       
270

       
-

       
					const { code, token } = createEmailVerificationToken(user.id);


     

       
271

       
 

       
					


     

       
272

       
 

       
					try {


     

       
273

       
 

       
						await sendEmail({


     
···

       
309

       
 

       
						{ 


     

       
310

       
 

       
							user: { id: user.id, email: user.email },


     

       
311

       
 

       
							email_verification_required: true,


     

       

       

       
     

       
312

       
 

       
						},


     

       
313

       
 

       
						{ status: 200 },


     

       
314

       
 

       
					);


     
···

       
320

       
 

       
							{ status: 400 },


     

       
321

       
 

       
						);


     

       
322

       
 

       
					}


     

       

       

       
     

       
323

       
 

       
					return Response.json(


     

       
324

       
 

       
						{ error: "Registration failed" },


     

       
325

       
 

       
						{ status: 500 },


     
···

       
370

       
 

       
					


     

       
371

       
 

       
					// Check if email is verified


     

       
372

       
 

       
					if (!isEmailVerified(user.id)) {


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
373

       
 

       
						return Response.json(


     

       
374

       
 

       
							{ 


     

       
375

       
 

       
								user: { id: user.id, email: user.email },


     

       
376

       
 

       
								email_verification_required: true,


     

       

       

       
     

       
377

       
 

       
							},


     

       
378

       
 

       
							{ status: 200 },


     

       
379

       
 

       
						);


     
···

       
389

       
 

       
							},


     

       
390

       
 

       
						},


     

       
391

       
 

       
					);


     

       
392

       
-

       
				} catch {


     

       

       

       
     

       
393

       
 

       
					return Response.json({ error: "Login failed" }, { status: 500 });


     

       
394

       
 

       
				}


     

       
395

       
 

       
			},


     
···

       
527

       
 

       
					});


     

       
528

       
 

       



     

       
529

       
 

       
					return Response.json({ message: "Verification email sent" });


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
530

       
 

       
				} catch (error) {


     

       
531

       
 

       
					return handleError(error);


     

       
532

       
 

       
				}


     
···

       
28

       
 

       
	verifyEmailToken,


     

       
29

       
 

       
	verifyEmailCode,


     

       
30

       
 

       
	isEmailVerified,


     

       
31

       
+

       
	getVerificationCodeSentAt,


     

       
32

       
 

       
	createPasswordResetToken,


     

       
33

       
 

       
	verifyPasswordResetToken,


     

       
34

       
 

       
	consumePasswordResetToken,


     
···

       
268

       
 

       
					const user = await createUser(email, password, name);


     

       
269

       
 

       
					


     

       
270

       
 

       
					// Send verification email - MUST succeed for registration to complete


     

       
271

       
+

       
					const { code, token, sentAt } = createEmailVerificationToken(user.id);


     

       
272

       
 

       
					


     

       
273

       
 

       
					try {


     

       
274

       
 

       
						await sendEmail({


     
···

       
310

       
 

       
						{ 


     

       
311

       
 

       
							user: { id: user.id, email: user.email },


     

       
312

       
 

       
							email_verification_required: true,


     

       
313

       
+

       
							verification_code_sent_at: sentAt,


     

       
314

       
 

       
						},


     

       
315

       
 

       
						{ status: 200 },


     

       
316

       
 

       
					);


     
···

       
322

       
 

       
							{ status: 400 },


     

       
323

       
 

       
						);


     

       
324

       
 

       
					}


     

       
325

       
+

       
					console.error("[Auth] Registration error:", err);


     

       
326

       
 

       
					return Response.json(


     

       
327

       
 

       
						{ error: "Registration failed" },


     

       
328

       
 

       
						{ status: 500 },


     
···

       
373

       
 

       
					


     

       
374

       
 

       
					// Check if email is verified


     

       
375

       
 

       
					if (!isEmailVerified(user.id)) {


     

       
376

       
+

       
						let codeSentAt = getVerificationCodeSentAt(user.id);


     

       
377

       
+

       
						


     

       
378

       
+

       
						// If no verification code exists, auto-send one


     

       
379

       
+

       
						if (!codeSentAt) {


     

       
380

       
+

       
							const { code, token, sentAt } = createEmailVerificationToken(user.id);


     

       
381

       
+

       
							codeSentAt = sentAt;


     

       
382

       
+

       
							


     

       
383

       
+

       
							try {


     

       
384

       
+

       
								await sendEmail({


     

       
385

       
+

       
									to: user.email,


     

       
386

       
+

       
									subject: "Verify your email - Thistle",


     

       
387

       
+

       
									html: verifyEmailTemplate({


     

       
388

       
+

       
										name: user.name,


     

       
389

       
+

       
										code,


     

       
390

       
+

       
										token,


     

       
391

       
+

       
									}),


     

       
392

       
+

       
								});


     

       
393

       
+

       
							} catch (err) {


     

       
394

       
+

       
								console.error("[Email] Failed to send verification email on login:", err);


     

       
395

       
+

       
								// Don't fail login - just return null timestamp so client can try resend


     

       
396

       
+

       
								codeSentAt = null;


     

       
397

       
+

       
							}


     

       
398

       
+

       
						}


     

       
399

       
+

       
						


     

       
400

       
 

       
						return Response.json(


     

       
401

       
 

       
							{ 


     

       
402

       
 

       
								user: { id: user.id, email: user.email },


     

       
403

       
 

       
								email_verification_required: true,


     

       
404

       
+

       
								verification_code_sent_at: codeSentAt,


     

       
405

       
 

       
							},


     

       
406

       
 

       
							{ status: 200 },


     

       
407

       
 

       
						);


     
···

       
417

       
 

       
							},


     

       
418

       
 

       
						},


     

       
419

       
 

       
					);


     

       
420

       
+

       
				} catch (error) {


     

       
421

       
+

       
					console.error("[Auth] Login error:", error);


     

       
422

       
 

       
					return Response.json({ error: "Login failed" }, { status: 500 });


     

       
423

       
 

       
				}


     

       
424

       
 

       
			},


     
···

       
556

       
 

       
					});


     

       
557

       
 

       



     

       
558

       
 

       
					return Response.json({ message: "Verification email sent" });


     

       
559

       
+

       
				} catch (error) {


     

       
560

       
+

       
					return handleError(error);


     

       
561

       
+

       
				}


     

       
562

       
+

       
			},


     

       
563

       
+

       
		},


     

       
564

       
+

       
		"/api/auth/resend-verification-code": {


     

       
565

       
+

       
			POST: async (req) => {


     

       
566

       
+

       
				try {


     

       
567

       
+

       
					const body = await req.json();


     

       
568

       
+

       
					const { email } = body;


     

       
569

       
+

       



     

       
570

       
+

       
					if (!email) {


     

       
571

       
+

       
						return Response.json({ error: "Email required" }, { status: 400 });


     

       
572

       
+

       
					}


     

       
573

       
+

       



     

       
574

       
+

       
					// Rate limiting by email


     

       
575

       
+

       
					const rateLimitError = enforceRateLimit(req, "resend-verification-code", {


     

       
576

       
+

       
						account: { max: 3, windowSeconds: 5 * 60, email },


     

       
577

       
+

       
					});


     

       
578

       
+

       
					if (rateLimitError) return rateLimitError;


     

       
579

       
+

       



     

       
580

       
+

       
					// Get user by email


     

       
581

       
+

       
					const user = getUserByEmail(email);


     

       
582

       
+

       
					if (!user) {


     

       
583

       
+

       
						// Don't reveal if user exists


     

       
584

       
+

       
						return Response.json({ message: "If an account exists with that email, a verification code has been sent" });


     

       
585

       
+

       
					}


     

       
586

       
+

       



     

       
587

       
+

       
					// Check if already verified


     

       
588

       
+

       
					if (isEmailVerified(user.id)) {


     

       
589

       
+

       
						return Response.json(


     

       
590

       
+

       
							{ error: "Email already verified" },


     

       
591

       
+

       
							{ status: 400 },


     

       
592

       
+

       
						);


     

       
593

       
+

       
					}


     

       
594

       
+

       



     

       
595

       
+

       
					// Generate new code and send email


     

       
596

       
+

       
					const { code, token, sentAt } = createEmailVerificationToken(user.id);


     

       
597

       
+

       



     

       
598

       
+

       
					await sendEmail({


     

       
599

       
+

       
						to: user.email,


     

       
600

       
+

       
						subject: "Verify your email - Thistle",


     

       
601

       
+

       
						html: verifyEmailTemplate({


     

       
602

       
+

       
							name: user.name,


     

       
603

       
+

       
							code,


     

       
604

       
+

       
							token,


     

       
605

       
+

       
						}),


     

       
606

       
+

       
					});


     

       
607

       
+

       



     

       
608

       
+

       
					return Response.json({ 


     

       
609

       
+

       
						message: "Verification code sent",


     

       
610

       
+

       
						verification_code_sent_at: sentAt,


     

       
611

       
+

       
					});


     

       
612

       
 

       
				} catch (error) {


     

       
613

       
 

       
					return handleError(error);


     

       
614

       
 

       
				}
+13 -2
src/lib/auth.ts 
···

       
257

       
 

       
 * Email verification functions


     

       
258

       
 

       
 */


     

       
259

       
 

       



     

       
260

       
-

       
export function createEmailVerificationToken(userId: number): { code: string; token: string } {


     

       
261

       
 

       
	// Generate a 6-digit code for user to enter


     

       
262

       
 

       
	const code = Math.floor(100000 + Math.random() * 900000).toString();


     

       
263

       
 

       
	const id = crypto.randomUUID();


     

       
264

       
 

       
	const token = crypto.randomUUID(); // Separate token for URL


     

       
265

       
 

       
	const expiresAt = Math.floor(Date.now() / 1000) + 24 * 60 * 60; // 24 hours


     

       

       

       
     

       
266

       
 

       



     

       
267

       
 

       
	// Delete any existing tokens for this user


     

       
268

       
 

       
	db.run("DELETE FROM email_verification_tokens WHERE user_id = ?", [userId]);


     
···

       
279

       
 

       
		[crypto.randomUUID(), userId, token, expiresAt],


     

       
280

       
 

       
	);


     

       
281

       
 

       



     

       
282

       
-

       
	return { code, token };


     

       
283

       
 

       
}


     

       
284

       
 

       



     

       
285

       
 

       
export function verifyEmailToken(


     
···

       
346

       
 

       
		.get(userId);


     

       
347

       
 

       



     

       
348

       
 

       
	return result?.email_verified === 1;


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
349

       
 

       
}


     

       
350

       
 

       



     

       
351

       
 

       
/**


     
···

       
257

       
 

       
 * Email verification functions


     

       
258

       
 

       
 */


     

       
259

       
 

       



     

       
260

       
+

       
export function createEmailVerificationToken(userId: number): { code: string; token: string; sentAt: number } {


     

       
261

       
 

       
	// Generate a 6-digit code for user to enter


     

       
262

       
 

       
	const code = Math.floor(100000 + Math.random() * 900000).toString();


     

       
263

       
 

       
	const id = crypto.randomUUID();


     

       
264

       
 

       
	const token = crypto.randomUUID(); // Separate token for URL


     

       
265

       
 

       
	const expiresAt = Math.floor(Date.now() / 1000) + 24 * 60 * 60; // 24 hours


     

       
266

       
+

       
	const sentAt = Math.floor(Date.now() / 1000); // Timestamp when code is created


     

       
267

       
 

       



     

       
268

       
 

       
	// Delete any existing tokens for this user


     

       
269

       
 

       
	db.run("DELETE FROM email_verification_tokens WHERE user_id = ?", [userId]);


     
···

       
280

       
 

       
		[crypto.randomUUID(), userId, token, expiresAt],


     

       
281

       
 

       
	);


     

       
282

       
 

       



     

       
283

       
+

       
	return { code, token, sentAt };


     

       
284

       
 

       
}


     

       
285

       
 

       



     

       
286

       
 

       
export function verifyEmailToken(


     
···

       
347

       
 

       
		.get(userId);


     

       
348

       
 

       



     

       
349

       
 

       
	return result?.email_verified === 1;


     

       
350

       
+

       
}


     

       
351

       
+

       



     

       
352

       
+

       
export function getVerificationCodeSentAt(userId: number): number | null {


     

       
353

       
+

       
	const result = db


     

       
354

       
+

       
		.query<{ created_at: number }, [number]>(


     

       
355

       
+

       
			"SELECT MAX(created_at) as created_at FROM email_verification_tokens WHERE user_id = ?",


     

       
356

       
+

       
		)


     

       
357

       
+

       
		.get(userId);


     

       
358

       
+

       



     

       
359

       
+

       
	return result?.created_at ?? null;


     

       
360

       
 

       
}


     

       
361

       
 

       



     

       
362

       
 

       
/**