feat: key recovery via email verification (BUG-014)
- POST /v1/recover: request recovery code - POST /v1/recover/verify: verify code, receive key via email - Key sent via email only (not in API response) for security - Rate limited to 3 attempts per hour - Non-enumerable: same response whether email exists or not - DKIM-signed emails via postfix/opendkim
This commit is contained in:
parent
874bbc4267
commit
87a49d8e93
4 changed files with 433 additions and 0 deletions
|
|
@ -25,3 +25,19 @@ export async function sendVerificationEmail(email: string, code: string): Promis
|
|||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
export async function sendRecoveryEmail(email: string, apiKey: string): Promise<boolean> {
|
||||
try {
|
||||
const info = await transporter.sendMail({
|
||||
from: "DocFast <noreply@docfast.dev>",
|
||||
to: email,
|
||||
subject: "DocFast - Your API Key Recovery",
|
||||
text: `Here is your DocFast API key:\n\n${apiKey}\n\nKeep this key safe. Do not share it with anyone.\n\nIf you didn't request this recovery, please ignore this email — your key has not been changed.`,
|
||||
});
|
||||
console.log(`📧 Recovery email sent to ${email}: ${info.messageId}`);
|
||||
return true;
|
||||
} catch (err) {
|
||||
console.error(`📧 Failed to send recovery email to ${email}:`, err);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue