Security: never send API keys via email, add browser-based recovery UI, adjust rate limits

Investor Directive 1: Key recovery now shows key in browser after email verification code. - Removed sendRecoveryEmail function entirely - Recovery endpoint returns apiKey in JSON response (shown once in browser) - Added full recovery modal UI (email → code → key displayed) - Added "Lost your API key?" links throughout signup flow Investor Directive 3: Rate limits adjusted to match server capacity. - Global rate limit: 100/min → 30/min (server handles ~28 PDFs/min) - CORS: recover routes now restricted to docfast.dev origin
2026-02-14 19:42:53 +00:00 · 2026-02-14 19:42:53 +00:00 · a177020186
commit a177020186
parent 1af1b07fb3
5 changed files with 217 additions and 32 deletions
--- a/src/index.ts
+++ b/src/index.ts
@ -27,6 +27,7 @@ app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));
 // Differentiated CORS middleware
 app.use((req, res, next) => {
  const isAuthBillingRoute = req.path.startsWith('/v1/signup') || 
+                             req.path.startsWith('/v1/recover') || 
                             req.path.startsWith('/v1/billing');
  
  if (isAuthBillingRoute) {
@ -59,7 +60,7 @@ app.set("trust proxy", 1);
 // Rate limiting
 const limiter = rateLimit({
  windowMs: 60_000,
-  max: 100,
+  max: 30,
  standardHeaders: true,
  legacyHeaders: false,
 });
--- a/src/routes/recover.ts
+++ b/src/routes/recover.ts
@ -1,20 +1,20 @@
 import { Router, Request, Response } from "express";
 import rateLimit from "express-rate-limit";
 import { createPendingVerification, verifyCode } from "../services/verification.js";
-import { sendRecoveryEmail, sendVerificationEmail } from "../services/email.js";
+import { sendVerificationEmail } from "../services/email.js";
 import { getAllKeys } from "../services/keys.js";

 const router = Router();

 const recoverLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
-  max: 3,
+  max: 5,
  message: { error: "Too many recovery attempts. Please try again in 1 hour." },
  standardHeaders: true,
  legacyHeaders: false,
 });

-// Step 1: Request recovery — sends verification code
+// Step 1: Request recovery — sends verification code via email
 router.post("/", recoverLimiter, async (req: Request, res: Response) => {
  const { email } = req.body || {};

@ -37,6 +37,7 @@ router.post("/", recoverLimiter, async (req: Request, res: Response) => {

  const pending = createPendingVerification(cleanEmail);

+  // Send verification CODE only — NEVER send the API key via email
  sendVerificationEmail(cleanEmail, pending.code).catch(err => {
    console.error(`Failed to send recovery email to ${cleanEmail}:`, err);
  });
@ -44,7 +45,7 @@ router.post("/", recoverLimiter, async (req: Request, res: Response) => {
  res.json({ status: "recovery_sent", message: "If an account exists for this email, a verification code has been sent." });
 });

-// Step 2: Verify code — sends API key via email (NOT in response)
+// Step 2: Verify code — returns API key in response (NEVER via email)
 router.post("/verify", recoverLimiter, async (req: Request, res: Response) => {
  const { email, code } = req.body || {};

@ -64,15 +65,19 @@ router.post("/verify", recoverLimiter, async (req: Request, res: Response) => {
      const userKey = keys.find(k => k.email === cleanEmail);
      
      if (userKey) {
-        sendRecoveryEmail(cleanEmail, userKey.key).catch(err => {
-          console.error(`Failed to send recovery key to ${cleanEmail}:`, err);
+        // Return key in response — shown once in browser, never emailed
+        res.json({
+          status: "recovered",
+          apiKey: userKey.key,
+          tier: userKey.tier,
+          message: "Your API key has been recovered. Save it securely — it is shown only once.",
+        });
+      } else {
+        res.json({
+          status: "recovered",
+          message: "No API key found for this email.",
        });
      }
-
-      res.json({
-        status: "recovered",
-        message: "Your API key has been sent to your email address.",
-      });
      break;
    }
    case "expired":
--- a/src/services/email.ts
+++ b/src/services/email.ts
@ -16,7 +16,7 @@ export async function sendVerificationEmail(email: string, code: string): Promis
      from: "DocFast <noreply@docfast.dev>",
      to: email,
      subject: "DocFast - Verify your email",
-      text: `Your DocFast verification code is: ${code}\n\nThis code expires in 15 minutes.\n\nIf you didn't sign up for DocFast, ignore this email.`,
+      text: `Your DocFast verification code is: ${code}\n\nThis code expires in 15 minutes.\n\nIf you didn't request this, ignore this email.`,
    });
    console.log(`📧 Verification email sent to ${email}: ${info.messageId}`);
    return true;
@ -26,18 +26,5 @@ export async function sendVerificationEmail(email: string, code: string): Promis
  }
 }

-export async function sendRecoveryEmail(email: string, apiKey: string): Promise<boolean> {
-  try {
-    const info = await transporter.sendMail({
-      from: "DocFast <noreply@docfast.dev>",
-      to: email,
-      subject: "DocFast - Your API Key Recovery",
-      text: `Here is your DocFast API key:\n\n${apiKey}\n\nKeep this key safe. Do not share it with anyone.\n\nIf you didn't request this recovery, please ignore this email — your key has not been changed.`,
-    });
-    console.log(`📧 Recovery email sent to ${email}: ${info.messageId}`);
-    return true;
-  } catch (err) {
-    console.error(`📧 Failed to send recovery email to ${email}:`, err);
-    return false;
-  }
-}
+// NOTE: sendRecoveryEmail removed — API keys must NEVER be sent via email.
+// Key recovery now shows the key in the browser after code verification.