
feature(auth): safe email verification resend recovery flow #309

Draft
ben-fornefeld wants to merge 3 commits into main from feature/email-verification-link-resend

Conversation

ben-fornefeld (Member) commented Apr 30, 2026

Summary

  • add resendSignupVerificationAction with enumeration-safe behavior
  • add KV cooldown guard for resend requests
  • refactor auth recovery states to focused recovery-only mode (hide full auth form)
  • show recovery-only resend flow for expired-link and unconfirmed-email states
  • add integration coverage for resend success/cooldown/error/validation

Screenshots (Preview build)

  • Recovery mode: sign-up verification state (screenshot: recovery sign-up state)
  • Recovery mode: sign-in expired-link state (screenshot: recovery sign-in expired state)
  • Recovery mode: resend success + cooldown (screenshot: recovery resend cooldown success)
  • Recovery mode: sign-in unconfirmed-email state (screenshot: recovery sign-in unconfirmed state)

vercel Bot commented Apr 30, 2026

Project      Deployment   Updated (UTC)
web          Ready        Preview build, Apr 30, 2026 1:41am
web-juliett  Ready        Preview build, Apr 30, 2026 1:41am


cursor Bot commented Apr 30, 2026

PR Summary

Medium Risk
Touches authentication recovery flow and introduces a new server action with rate-limiting and header-derived fingerprinting; mistakes could affect resend availability or user navigation but should not expose account existence.

Overview
Adds a new resendSignupVerificationAction that resends Supabase signup verification emails while remaining enumeration-safe, including a KV-based 60s cooldown keyed by hashed email and requester fingerprint and always returning success (logging provider/KV errors instead).

Updates the sign-in and sign-up pages to switch into a focused recovery view (new RecoveryView + ResendVerificationForm) when email confirmation is required or the verification link is expired, and adds new copy (USER_MESSAGES.signUpVerificationResend) plus integration tests covering resend success, cooldown short-circuit, provider error, and validation.

Reviewed by Cursor Bugbot for commit a5ac297.
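The resend action that the PR summary and the Bugbot overview above both describe (one fixed response regardless of account state, a KV cooldown keyed by hashed email plus a header-derived requester fingerprint, provider and KV errors logged rather than surfaced), written out as an added TypeScript example. This is not the PR's code: the `CooldownStore.claim` contract, the injected `sendVerification` call, the logger and the clock are assumptions standing in for the real KV and the Supabase client, and every function and key name here is illustrative.

```typescript
import { createHash } from "crypto";

export const RESEND_COOLDOWN_SECONDS = 60;
// One fixed result object for every non-validation outcome, so the body cannot leak account state.
const SENT: ResendResult = {
  status: "sent",
  message: "If an account exists for that address, a new verification link is on its way.",
};

export type ResendResult = { status: "sent"; message: string } | { status: "invalid_email" };

// Assumed TTL store contract: claim() sets the key only if absent (Redis SET NX EX) and says whether it did.
export interface CooldownStore {
  claim(key: string, ttlSeconds: number, now: number): boolean;
}

// Constructed in-memory stand-in for the hosted KV; the clock is passed in so runs are deterministic.
export class MemoryKv implements CooldownStore {
  private expiresAt = new Map<string, number>();
  claim(key: string, ttlSeconds: number, now: number): boolean {
    const until = this.expiresAt.get(key);
    if (until !== undefined && until > now) return false;
    this.expiresAt.set(key, now + ttlSeconds * 1000);
    return true;
  }
}

export interface ResendDeps {
  kv: CooldownStore;
  sendVerification: (email: string) => Promise<void>; // provider call, e.g. a Supabase auth resend
  log: (message: string, detail?: unknown) => void;
  now: () => number;
}

export const normalizeEmail = (raw: string): string => raw.trim().toLowerCase();
export const isPlausibleEmail = (email: string): boolean =>
  email.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
const sha256Hex = (...parts: string[]): string =>
  createHash("sha256").update(parts.join("\n")).digest("hex");

// Header-derived requester fingerprint, hashed so the raw IP and User-Agent never become KV keys.
export const requesterFingerprint = (ip: string, userAgent: string): string => sha256Hex(ip, userAgent);

// Cooldown key over hashed (normalized email, fingerprint): one requester cannot hammer one address,
// and a cooldown set by someone else never changes what this requester observes.
export const cooldownKey = (email: string, fingerprint: string): string =>
  `auth:resend-verification:${sha256Hex(normalizeEmail(email), fingerprint)}`;

export async function resendSignupVerification(
  input: { email: string; ip: string; userAgent: string },
  deps: ResendDeps,
): Promise<ResendResult> {
  const email = normalizeEmail(input.email);
  // Syntactic validation depends only on the submitted string, so rejecting it reveals nothing.
  if (!isPlausibleEmail(email)) return { status: "invalid_email" };
  const key = cooldownKey(email, requesterFingerprint(input.ip, input.userAgent));

  let allowed = false;
  try {
    allowed = deps.kv.claim(key, RESEND_COOLDOWN_SECONDS, deps.now());
  } catch (err) {
    // Fail closed: a KV outage must not turn into unlimited provider sends. Still report "sent".
    deps.log("resend-verification: kv error, skipping send", err);
    return SENT;
  }
  if (!allowed) {
    deps.log("resend-verification: cooldown active, skipping send");
    return SENT;
  }
  try {
    await deps.sendVerification(email);
  } catch (err) {
    // Provider errors (unknown user, already confirmed, upstream limits) are logged, never surfaced.
    deps.log("resend-verification: provider error", err);
  }
  return SENT;
}

// Constructed scenario: success, cooldown short-circuit, expiry, provider error, validation.
export async function demoScenario() {
  let clock = 1_700_000_000_000;
  const providerCalls: string[] = [];
  const logs: string[] = [];
  const deps: ResendDeps = {
    kv: new MemoryKv(),
    sendVerification: async (email) => {
      if (email === "nobody@example.test") throw new Error("user not found"); // simulated provider failure
      providerCalls.push(email);
    },
    log: (message) => logs.push(message),
    now: () => clock,
  };
  const req = { email: " Person@Example.test ", ip: "203.0.113.7", userAgent: "demo-ua/1.0" };
  const first = await resendSignupVerification(req, deps);
  const second = await resendSignupVerification(req, deps); // inside the 60s window
  clock += (RESEND_COOLDOWN_SECONDS + 1) * 1000;
  const third = await resendSignupVerification(req, deps); // window expired
  const unknown = await resendSignupVerification({ ...req, email: "nobody@example.test" }, deps);
  const invalid = await resendSignupVerification({ ...req, email: "not-an-email" }, deps);
  return { first, second, third, unknown, invalid, providerCalls, logs };
}
```

The result object is identical whether the provider succeeded, the address is unknown to it, or the cooldown short-circuited; only the validation branch differs, and that depends solely on the submitted string. Two caveats a reviewer would raise on any such action: the `claim` must map onto an atomic set-if-absent with TTL in the real store (Redis `SET ... NX EX`), otherwise two concurrent requests can both pass the check and call the provider; and a constant body is not a constant response time, since the short-circuit path skips the provider round trip, so latency remains a weak signal that this example does not equalize. Failing closed on a KV error is a judgement call in favour of bounded provider load over resend availability; the page does not say which way the project went.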

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit a198dfa.

Comment thread on src/app/(auth)/sign-up/page.tsx (outdated)
