assessment-model

junte/assessment-model

Fork 0

mirror of https://github.com/Hestia-Homes/assessment-model.git synced 2026-06-08 11:37:25 +00:00

Commit graph

Author	SHA1	Message	Date
Khalim Conn-Kowlessar	47efd1bd5a	Drop useEffect from VerifyCodeForm; replace tick-based countdown The per-second countdown was the only thing pulling useEffect into this component, in violation of the project rule (CLAUDE.md: avoid useEffect, prefer event handlers). The hook was driving a tick purely so we could show "Resend in 28s" / "27s" / ... — none of which is load-bearing. Replace it with a single setTimeout fired from the resend event handler that flips resendStatus from "cooldown" back to "idle" after 30 seconds. The button stays disabled with "Code sent — wait a moment" instead of showing a live countdown. Same blocking signal, no hook needed. While here, split the single status enum into verifyStatus + resendStatus so the verify button no longer wrongly disables during a resend cooldown (latent bug from the previous shape). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 14:50:05 +00:00
Khalim Conn-Kowlessar	ee506425fd	Drop link from email body; fix paste + stale-resend-notice UX bugs Email body now contains the 6-digit code only. The /verify/[token] route and the EmailProvider link callback are intentionally left wired (just not advertised in the email) so reverting to a link-bearing template is a content-only change if the all-code variant doesn't improve deliverability for the Atkins-style blocked recipients. Hypothesis being tested: corporate gateway URL scanners are part of why some emails got silently quarantined, and a short transactional body without an auth-token URL clears more filters. Two small UX bugs surfaced in preview testing also fixed here: - Paste of "482 911" (with the visual space from the email's formatted code) was dropping a digit. Root cause: maxLength=6 on the input truncated the 7-char paste before our \D-stripping ran. Drop the attribute and let the existing .slice(0, 6) after stripping handle the bound. Pasting the formatted code now works. - After requesting a resend and then typing into the code field, the green "we've sent a new code" notice would re-appear as soon as the previous error message cleared. handleChange now clears the resend notice on the next keystroke, alongside the error clear it already did. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 14:46:33 +00:00
Khalim Conn-Kowlessar	d042606955	Add 6-digit code sign-in as primary, magic link as fast-path fallback Same email now contains a 6-digit code and a magic link, both backed by a single verificationToken row. After submitting their email, the user lands on /auth/verify-code with a single-input form (inputmode=numeric, autocomplete=one-time-code, auto-submit on 6 digits or paste) and can either type the code or use the link from the email. Either path consumes the same row — single-use, replace-on-resend. This is the structural fix for the silent-quarantine pattern observed with Atkins and Sustainable Building UK: corporate gateways are happier with short transactional content than long opaque token URLs, and a code can't be broken by SafeLinks-style URL rewriting. The link path is preserved so users whose email gets through unmangled keep one-click UX. Security: - Codes are 6-digit, crypto.randomInt-generated, stored as sha256 hashed against NEXTAUTH_SECRET on the same row as the link token - 5-attempt lockout per code (attempts column); 6th attempt with the correct code still fails - Per-email send rate limit: 5/hour fixed window (authRateLimits table); 6th send returns an error - Code + link share a 10-minute window (maxAge dropped from 1h) - Resending replaces any prior token rows for the identifier so only the latest send is ever live Implementation: - verificationCode.ts holds generateCode + hashCode + the pure evaluateCodeAttempt decision tree; 9 unit tests cover every branch of the verification outcome (no-such-row, expired, locked-out, ok, wrong-with-newAttempts, locked-out-still-rejects-correct-code) - sendVerificationRequest now hashes the URL token the same way /verify/[token]/page.tsx does, applies the rate limit + records the code + replaces older rows in two transactions - CredentialsProvider (id: "email-code") calls evaluateCodeAttempt inside a transaction, handles all 5 outcomes, creates the user on first successful code (parity with the magic-link callback path) - oauthId backfill in the signIn callback is now guarded on account.type === "oauth" so the credentials flow doesn't pollute oauthProvider with "email-code" - Migration is additive: code_hash nullable, attempts default 0; new authRateLimits table is independent. In-flight tokens at deploy time keep working via the link path. Vercel preview deployment is the test surface; a Mailpit + Cypress E2E loop is intentionally deferred per the lean-setup plan in docs/wip/ auth-email-code-fallback-plan.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 14:16:47 +00:00

Author

SHA1

Message

Date

Khalim Conn-Kowlessar

47efd1bd5a

Drop useEffect from VerifyCodeForm; replace tick-based countdown

The per-second countdown was the only thing pulling useEffect into this
component, in violation of the project rule (CLAUDE.md: avoid useEffect,
prefer event handlers). The hook was driving a tick purely so we could
show "Resend in 28s" / "27s" / ... — none of which is load-bearing.

Replace it with a single setTimeout fired from the resend event handler
that flips resendStatus from "cooldown" back to "idle" after 30 seconds.
The button stays disabled with "Code sent — wait a moment" instead of
showing a live countdown. Same blocking signal, no hook needed.

While here, split the single status enum into verifyStatus + resendStatus
so the verify button no longer wrongly disables during a resend cooldown
(latent bug from the previous shape).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-27 14:50:05 +00:00

Khalim Conn-Kowlessar

ee506425fd

Drop link from email body; fix paste + stale-resend-notice UX bugs

Email body now contains the 6-digit code only. The /verify/[token] route
and the EmailProvider link callback are intentionally left wired (just
not advertised in the email) so reverting to a link-bearing template is
a content-only change if the all-code variant doesn't improve
deliverability for the Atkins-style blocked recipients.

Hypothesis being tested: corporate gateway URL scanners are part of why
some emails got silently quarantined, and a short transactional body
without an auth-token URL clears more filters.

Two small UX bugs surfaced in preview testing also fixed here:

- Paste of "482 911" (with the visual space from the email's formatted
  code) was dropping a digit. Root cause: maxLength=6 on the input
  truncated the 7-char paste before our \D-stripping ran. Drop the
  attribute and let the existing .slice(0, 6) after stripping handle
  the bound. Pasting the formatted code now works.

- After requesting a resend and then typing into the code field, the
  green "we've sent a new code" notice would re-appear as soon as the
  previous error message cleared. handleChange now clears the resend
  notice on the next keystroke, alongside the error clear it already
  did.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-27 14:46:33 +00:00

Khalim Conn-Kowlessar

d042606955

Add 6-digit code sign-in as primary, magic link as fast-path fallback

Same email now contains a 6-digit code and a magic link, both backed by a
single verificationToken row. After submitting their email, the user
lands on /auth/verify-code with a single-input form (inputmode=numeric,
autocomplete=one-time-code, auto-submit on 6 digits or paste) and can
either type the code or use the link from the email. Either path
consumes the same row — single-use, replace-on-resend.

This is the structural fix for the silent-quarantine pattern observed
with Atkins and Sustainable Building UK: corporate gateways are happier
with short transactional content than long opaque token URLs, and a
code can't be broken by SafeLinks-style URL rewriting. The link path is
preserved so users whose email gets through unmangled keep one-click UX.

Security:
  - Codes are 6-digit, crypto.randomInt-generated, stored as sha256
    hashed against NEXTAUTH_SECRET on the same row as the link token
  - 5-attempt lockout per code (attempts column); 6th attempt with the
    correct code still fails
  - Per-email send rate limit: 5/hour fixed window (authRateLimits
    table); 6th send returns an error
  - Code + link share a 10-minute window (maxAge dropped from 1h)
  - Resending replaces any prior token rows for the identifier so only
    the latest send is ever live

Implementation:
  - verificationCode.ts holds generateCode + hashCode + the pure
    evaluateCodeAttempt decision tree; 9 unit tests cover every branch
    of the verification outcome (no-such-row, expired, locked-out, ok,
    wrong-with-newAttempts, locked-out-still-rejects-correct-code)
  - sendVerificationRequest now hashes the URL token the same way
    /verify/[token]/page.tsx does, applies the rate limit + records the
    code + replaces older rows in two transactions
  - CredentialsProvider (id: "email-code") calls evaluateCodeAttempt
    inside a transaction, handles all 5 outcomes, creates the user on
    first successful code (parity with the magic-link callback path)
  - oauthId backfill in the signIn callback is now guarded on
    account.type === "oauth" so the credentials flow doesn't pollute
    oauthProvider with "email-code"
  - Migration is additive: code_hash nullable, attempts default 0; new
    authRateLimits table is independent. In-flight tokens at deploy time
    keep working via the link path.

Vercel preview deployment is the test surface; a Mailpit + Cypress E2E
loop is intentionally deferred per the lean-setup plan in docs/wip/
auth-email-code-fallback-plan.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-27 14:16:47 +00:00

3 commits