Add email magic link login#26
Open
2chanhaeng wants to merge 4 commits into
Open
Conversation
Assisted-by: Claude Code:claude-opus-4-8 Assisted-by: Claude Code:claude-fable-5 Assisted-by: Codex:gpt-5-6-sol
Assisted-by: Claude Code:claude-opus-4-8 Assisted-by: Claude Code:claude-fable-5 Assisted-by: Codex:gpt-5-6-sol
Assisted-by: Claude Code:claude-opus-4-8 Assisted-by: Claude Code:claude-fable-5 Assisted-by: Codex:gpt-5-6-sol
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves #23. A user requests a login link by email.
Model
login_tokens:accountId,tokenHash(unique, lookup key),codeHash,created,expires(default 15 minutes),consumed.sessions:accountId,tokenHash(unique),created,expires(default 1 month).GraphQL API
loginByEmail(email: Email!, verifyUrl: String): SendMail— emails a login token/code;verifyUrl. Always returnstokento prevent account enumeration — deviates from the proposedLoginSuccess | AccountNotFoundErrorunion for the same reason.completeLoginChallenge(token: UUID!, code: String!): Session—nullon a bad/expired/consumed token or wrong code;accessTokenexposed only here.revokeSession(session: UUID!): LogoutSuccess— alwaysrevoke: true.viewer: Account— the authenticated account, ornull.Implementation
login_tokensandsessionswith migrationemail_auth; secrets stored as SHA-256 digests only, constant-time code comparison.@upyo/core/smtp/mock); falls back toMockTransportwith a warning when no mailer is configured.--smtp-url/-sand--seedoptions.auth.test.tscovers the full flow end to end against PGlite.Out of scope (per issue): frontend/BFF, sign-up, PassKey, rate limiting, UI.
AI Disclosure
Developed with AI agents from Claude Code (claude-opus-4-8, claude-fable-5) and Codex (gpt-5-6-sol), per
AI_POLICY.md; commits carryAssisted-by:trailers. All AI-assisted code was manually reviewed and verified locally. I requested questions, reviews, translations, etc. from the AI agent, and prohibited it from directly writing or modifying source code. Code modifications were made directly by a human.