feat: Add OAuth providers (Google, Apple, Facebook) and email verification#513

Merged
marcodejongh merged 4 commits into main from claude/fix-auth-security-issues-KBQ5a
Jan 1, 2026

Conversation

@marcodejongh (Owner)

  • Add Google, Apple, and Facebook OAuth providers to NextAuth configuration
  • Implement email verification flow for credentials-based signup
  • Create email service using nodemailer with Fastmail SMTP support
  • Add social login buttons component with proper branding
  • Create verify-request and error pages for auth flows
  • Update registration to send verification emails
  • Block unverified users from logging in with credentials
  • Add comprehensive OAuth setup documentation

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

marcodejongh and others added 3 commits January 1, 2026 11:26
…ation

- Add Google, Apple, and Facebook OAuth providers to NextAuth configuration
- Implement email verification flow for credentials-based signup
- Create email service using nodemailer with Fastmail SMTP support
- Add social login buttons component with proper branding
- Create verify-request and error pages for auth flows
- Update registration to send verification emails
- Block unverified users from logging in with credentials
- Add comprehensive OAuth setup documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security fixes:
- Fix verification token enumeration by returning same message for all cases
- Lazy-load email transporter to avoid initialization at module load
- Add HTML escaping for email in verification templates
- Conditionally load OAuth providers only when env vars are configured
- Handle email sending failure gracefully in registration

Style fixes:
- Replace hardcoded colors with theme tokens in auth pages
- Add comment explaining brand-specific OAuth button colors

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security improvements:
- Add rate limiting to register and resend-verification endpoints
- Add Zod validation to resend-verification endpoint
- Fix timing attack vulnerability with consistent response delays
- Check user exists before updating emailVerified in verify-email

Code improvements:
- Only show OAuth buttons for configured providers
- Replace hardcoded colors with design tokens in email template
- Add providers-config API endpoint for dynamic OAuth button visibility
@vercel

vercel bot commented Jan 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   | Deployment | Review           | Updated (UTC)
boardsesh | Ready      | Preview, Comment | Jan 1, 2026 11:43am

@claude

claude bot commented Jan 1, 2026

Claude Review

⚠️ Needs attention - In-memory rate limiter won't work in serverless/multi-instance deployments; missing tests for new auth logic.

Issues

  1. In-memory rate limiter ineffective in production (packages/web/app/lib/auth/rate-limiter.ts:12): The rate limit state is stored in a module-level Map, which resets on each serverless function invocation and isn't shared across instances. For Vercel deployments, this provides no real protection. Consider using Redis (already available per CLAUDE.md) or Vercel KV.

  2. Rate limiter cleanup interval may cause issues (packages/web/app/lib/auth/rate-limiter.ts:75-84): The setInterval cleanup runs at module load time but never gets cleared. In serverless environments this is mostly harmless (function dies anyway), but in long-running dev servers this could accumulate if the module is reloaded.

  3. No tests for auth endpoints: The PR adds critical security features (email verification, rate limiting, OAuth) but no tests. At minimum, the rate limiter logic, verification token flow, and credential blocking for unverified users should have unit tests.

  4. Potential timing leak in resend-verification (packages/web/app/api/auth/resend-verification/route.ts:70): The consistentDelay for non-existent/verified users uses 500ms while actual email sending may take longer, potentially allowing timing-based enumeration if email sending is slow.

  5. Email not sanitized in verification URL (packages/web/app/lib/email/email-service.ts:53): While the URL is HTML-escaped for the template, the email parameter should also be validated/sanitized before being used in the verification URL to prevent potential injection if malformed emails reach this point.

  6. Hardcoded colors in UI components: packages/web/app/auth/verify-request/verify-request-content.tsx:61 and packages/web/app/auth/error/auth-error-content.tsx:54-55 use hardcoded #f5f5f5 and #fff instead of theme tokens, violating the project guidelines in CLAUDE.md.

Security improvements:
- Document in-memory rate limiter limitations for serverless
- Fix timing attack by using consistent 2.5s minimum response time
- Add email validation with Zod before using in verification URLs

Code quality:
- Replace hardcoded colors with design tokens in auth pages
- Add unit tests for rate limiter functionality
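The first review's items 1 and 2 (module-level Map reset per serverless instance; a setInterval cleanup that is never cleared) and the follow-up commit's "add unit tests for rate limiter functionality" are easiest to reason about when the limiting decision is separated from where the counter lives. The block below is an added example, not the project's rate-limiter.ts (which is not shown on this page): the window arithmetic is a pure function, expiry is evaluated on access rather than by a timer, the clock is injected so the window can be tested deterministically, and the in-memory adapter is explicitly the development-only store. Route names and the sample IP are constructed for the walk-through.

```typescript
// Added example (not the project's own code): a fixed-window rate limiter whose
// decision logic is a pure function over a stored counter. A module-level Map
// only works for one long-lived process; each serverless instance gets its own
// copy, so the same pure logic is meant to be driven from a shared store in
// production. No setInterval is started; expired windows are replaced on access.

export interface WindowEntry {
  count: number;   // requests seen in the current window
  resetAt: number; // epoch ms at which the window ends
}

export interface RateLimitPolicy {
  limit: number;    // max requests per window
  windowMs: number; // window length in ms
}

export interface RateLimitDecision {
  allowed: boolean;
  remaining: number;
  retryAfterMs: number; // 0 when allowed
}

// Pure state transition: given what is stored (if anything) and the current
// time, return the decision and the entry the caller should write back.
export function applyRateLimit(
  stored: WindowEntry | undefined,
  now: number,
  policy: RateLimitPolicy,
): { decision: RateLimitDecision; entry: WindowEntry } {
  // A missing or expired window starts fresh, so no background cleanup is needed.
  const entry: WindowEntry =
    stored && stored.resetAt > now
      ? { count: stored.count, resetAt: stored.resetAt }
      : { count: 0, resetAt: now + policy.windowMs };

  if (entry.count >= policy.limit) {
    return {
      decision: { allowed: false, remaining: 0, retryAfterMs: entry.resetAt - now },
      entry,
    };
  }
  entry.count += 1;
  return {
    decision: { allowed: true, remaining: policy.limit - entry.count, retryAfterMs: 0 },
    entry,
  };
}

// Development adapter: process-local state. In a multi-instance deployment every
// instance has its own Map, so an attacker gets `limit` requests per instance,
// not per window. A shared-store adapter should do the read/apply/write atomically
// (for Redis, INCR plus PEXPIRE or a small Lua script) rather than get-then-set.
export class InMemoryRateLimiter {
  private readonly entries = new Map<string, WindowEntry>();

  constructor(
    private readonly policy: RateLimitPolicy,
    private readonly now: () => number = () => Date.now(),
  ) {}

  check(key: string): RateLimitDecision {
    const { decision, entry } = applyRateLimit(this.entries.get(key), this.now(), this.policy);
    this.entries.set(key, entry);
    return decision;
  }

  // Opportunistic cleanup that a request path can call; no timer is required.
  pruneExpired(): number {
    const t = this.now();
    let removed = 0;
    this.entries.forEach((entry, key) => {
      if (entry.resetAt <= t) {
        this.entries.delete(key);
        removed += 1;
      }
    });
    return removed;
  }
}

// One window per route and client, so register and resend-verification are
// limited independently. Resolving the client IP from the platform's trusted
// proxy header is assumed to happen in the caller.
export function rateLimitKey(route: string, clientIp: string): string {
  return `${route}:${clientIp}`;
}

// Walk-through with a constructed clock: 3 requests per 60 s, then the window
// rolls over. Expected: [true, true, true, false, true].
export function walkthrough(): boolean[] {
  let fakeNow = 1700000000000;
  const limiter = new InMemoryRateLimiter({ limit: 3, windowMs: 60000 }, () => fakeNow);
  const key = rateLimitKey("register", "203.0.113.7");
  const results: boolean[] = [];
  for (let i = 0; i < 4; i++) results.push(limiter.check(key).allowed);
  fakeNow += 60001; // one ms past the window
  results.push(limiter.check(key).allowed);
  return results;
}
```

Because applyRateLimit has no I/O, the same unit tests cover both adapters; only the atomicity of the store operation differs, which is the property the in-memory Map lacks in a multi-instance deployment.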
@claude

claude bot commented Jan 1, 2026

Claude Review

Ready to merge - Minor issues noted below, but nothing blocking.

Issues

  1. In-memory rate limiter ineffective in serverless (packages/web/app/lib/auth/rate-limiter.ts:18-21) - The documentation correctly notes this limitation, but rate limiting effectively doesn't work in Vercel's serverless environment since each function invocation can have a fresh memory store. Consider adding this as a warning comment at usage sites.

  2. Missing test coverage for email service - email-service.ts has no tests. Critical paths like HTML escaping and URL construction should have unit tests.

  3. Missing test coverage for API routes - The new auth routes (register, resend-verification, verify-email) have no integration tests for error handling, edge cases, or the full verification flow.

  4. Token generation uses UUID (packages/web/app/api/auth/register/route.ts:111) - crypto.randomUUID() is acceptable but crypto.randomBytes(32).toString('hex') provides more entropy for security tokens.

  5. Potential race condition in token cleanup (packages/web/app/api/auth/verify-email/route.ts:78-92) - User verification and token deletion are not in a transaction; a failure between these operations could leave orphan data.

  6. style prop usage (packages/web/app/components/auth/social-login-buttons.tsx:105,118-126,139) - Per CLAUDE.md guidelines, avoid using the style property. Consider using CSS classes or AntD's built-in styling props.
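Several points across the two reviews and the intermediate commits concern the verification-token flow: the "same message for all cases" enumeration fix and the minimum response time (first review, item 4), HTML escaping and URL construction in email-service.ts (first review item 5, second review item 2), and randomUUID() versus randomBytes(32) (second review, item 4). The block below is an added example in the project's language, not the project's register, verify-email or email-service code; the StoredToken shape, the /api/auth/verify-email path, the hypothetical isPlausibleEmail check (a stand-in for the Zod schema the commits mention) and the sample addresses are assumptions.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example (not the project's own code). Token: 32 random bytes instead of a
// UUID, stored only as a SHA-256 hash. Check: constant-time, with the same work and
// the same answer for unknown, mismatched and expired tokens. Email: validated for
// shape, percent-encoded in the URL, HTML-escaped in the template. Resend: one
// message regardless of account state, behind a minimum response time.

export function generateVerificationToken(): string {
  return randomBytes(32).toString("hex"); // 256 bits; randomUUID() carries 122 random bits
}

// Persist only the hash, so a leaked token table does not yield working links.
export function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

export function tokenMatches(presented: string, storedHash: string): boolean {
  const a = Buffer.from(hashToken(presented), "hex"); // always 32 bytes
  const b = Buffer.from(storedHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

export interface StoredToken { identifier: string; tokenHash: string; expires: number } // assumed shape
const DUMMY_HASH = hashToken("no-such-token");

// Pure decision for a verify-email handler. The hash comparison runs even when no
// record exists, so missing and mismatched tokens take the same path. On `true` the
// caller sets emailVerified and deletes the token row inside one DB transaction.
export function checkVerification(record: StoredToken | undefined, presented: string, now: number): boolean {
  const matches = tokenMatches(presented, record ? record.tokenHash : DUMMY_HASH);
  return matches && record !== undefined && record.expires > now;
}

// Hypothetical stand-in for a Zod email schema: bounded length, exactly one '@',
// no whitespace or control characters. Shape validation does not make the value
// safe to interpolate into HTML, so the template still escapes it.
export function isPlausibleEmail(s: string): boolean {
  return s.length <= 254 && /^[^\s@\x00-\x1f]+@[^\s@\x00-\x1f]+\.[^\s@\x00-\x1f]+$/.test(s);
}

export function buildVerificationUrl(baseUrl: string, email: string, token: string): string {
  const url = new URL("/api/auth/verify-email", baseUrl); // assumed path
  url.searchParams.set("email", email); // percent-encodes '@', '+', '&', '#', ...
  url.searchParams.set("token", token);
  return url.toString();
}

const HTML_ESCAPES: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

export function renderVerificationEmail(email: string, verifyUrl: string): string {
  return `<p>Hi ${escapeHtml(email)},</p>\n<p><a href="${escapeHtml(verifyUrl)}">Verify your email address</a></p>`;
}

// resend-verification: the response body never depends on whether the account
// exists or is already verified; only the side effect (sending) does.
export const RESEND_MESSAGE = "If an unverified account exists for that address, a new verification email has been sent.";
export function planResend(user: { email: string; emailVerified: boolean } | undefined): { message: string; send: boolean } {
  return { message: RESEND_MESSAGE, send: user !== undefined && !user.emailVerified };
}

// Floor the handler's duration so the fast "no account" path does not answer sooner
// than the path that sends mail. A floor only hides the difference while the slow
// path stays under it (the review's point about slow SMTP); handing the send to a
// queue and responding immediately removes the dependency on send time altogether.
export async function withMinimumDuration<T>(minMs: number, work: () => Promise<T>): Promise<T> {
  const start = Date.now();
  try {
    return await work();
  } finally {
    const remaining = minMs - (Date.now() - start);
    if (remaining > 0) await new Promise<void>((resolve) => setTimeout(resolve, remaining));
  }
}
```

Keeping checkVerification free of database calls is what makes the "user exists before updating emailVerified" and "verification and token deletion in one transaction" points testable in isolation: the handler does one lookup, calls this function, and then performs the update and delete together or not at all.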

@marcodejongh marcodejongh merged commit a23fe9d into main Jan 1, 2026
5 of 6 checks passed