DocFast session 25: BUG-021 fixed, postfix+DKIM installed, email verification real
This commit is contained in:
parent 8be3dc60bf
commit b60f06ac22
3 changed files with 43 additions and 12 deletions
@ -143,12 +143,12 @@ The critical mobile responsiveness issue needs immediate fixing. The rate limiti
### New Bugs
#### 🔴 BUG-021: Verification code returned in API response (CRITICAL SECURITY)
- **Endpoint:** POST /v1/signup/free
- **Response:** `{"status":"verification_required","code":"843266"}`
- **Problem:** The verification code is returned directly in the API response. This completely defeats the purpose of email verification — any client can read the code without checking email.
- **Expected:** Code should ONLY be sent via email, never in the API response.
- **Impact:** Email verification is effectively a no-op. Anyone can programmatically sign up without a real email.
#### ✅ BUG-021: FIXED (Session 25) — Verification code no longer in API response
- Postfix + OpenDKIM installed on server
- Nodemailer sends code via email (noreply@docfast.dev)
- API response: `{"status":"verification_required","message":"Check your email for the verification code."}`
- Commit: 210fb26
- DNS records needed at INWX for deliverability (SPF/DKIM/DMARC)
#### 🟡 BUG-022: Already-verified email returns 429 instead of 409
- **Endpoint:** POST /v1/signup/free with previously verified email
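Review bot: the BUG-021 entry is marked FIXED while its last bullet ("DNS records needed at INWX for deliverability (SPF/DKIM/DMARC)") still records an open dependency; until those records exist, verification mail from noreply@docfast.dev is likely to be rejected or junked, which leaves signup blocked for real users, so either keep the item open or split the DNS work into its own tracked bug and reference it from the FIXED entry. The FIXED bullets also only show the new response body; since the original "Expected" line says the code should be sent ONLY via email, the entry should state where else the code was checked for exposure (server logs, error responses, other signup endpoints) so a reader can confirm the fix covers the whole expectation rather than just this one response. Minor: the old 🔴 BUG-021 block and the ✅ FIXED block both remain in the "New Bugs" section; if the old block is intentionally kept as history, a note to that effect (or moving the pair to a fixed/closed section) would make the tracker easier to scan.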