Security: never send API keys via email, add browser-based recovery UI, adjust rate limits

Investor Directive 1: Key recovery now shows key in browser after email verification code. - Removed sendRecoveryEmail function entirely - Recovery endpoint returns apiKey in JSON response (shown once in browser) - Added full recovery modal UI (email → code → key displayed) - Added "Lost your API key?" links throughout signup flow Investor Directive 3: Rate limits adjusted to match server capacity. - Global rate limit: 100/min → 30/min (server handles ~28 PDFs/min) - CORS: recover routes now restricted to docfast.dev origin
2026-02-14 19:42:53 +00:00 · 2026-02-14 19:42:53 +00:00 · a177020186
commit a177020186
parent 1af1b07fb3
5 changed files with 217 additions and 32 deletions
--- a/src/routes/recover.ts
+++ b/src/routes/recover.ts
@ -1,20 +1,20 @@
 import { Router, Request, Response } from "express";
 import rateLimit from "express-rate-limit";
 import { createPendingVerification, verifyCode } from "../services/verification.js";
-import { sendRecoveryEmail, sendVerificationEmail } from "../services/email.js";
+import { sendVerificationEmail } from "../services/email.js";
 import { getAllKeys } from "../services/keys.js";

 const router = Router();

 const recoverLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
-  max: 3,
+  max: 5,
  message: { error: "Too many recovery attempts. Please try again in 1 hour." },
  standardHeaders: true,
  legacyHeaders: false,
 });

-// Step 1: Request recovery — sends verification code
+// Step 1: Request recovery — sends verification code via email
 router.post("/", recoverLimiter, async (req: Request, res: Response) => {
  const { email } = req.body || {};

@ -37,6 +37,7 @@ router.post("/", recoverLimiter, async (req: Request, res: Response) => {

  const pending = createPendingVerification(cleanEmail);

+  // Send verification CODE only — NEVER send the API key via email
  sendVerificationEmail(cleanEmail, pending.code).catch(err => {
    console.error(`Failed to send recovery email to ${cleanEmail}:`, err);
  });
@ -44,7 +45,7 @@ router.post("/", recoverLimiter, async (req: Request, res: Response) => {
  res.json({ status: "recovery_sent", message: "If an account exists for this email, a verification code has been sent." });
 });

-// Step 2: Verify code — sends API key via email (NOT in response)
+// Step 2: Verify code — returns API key in response (NEVER via email)
 router.post("/verify", recoverLimiter, async (req: Request, res: Response) => {
  const { email, code } = req.body || {};

@ -64,15 +65,19 @@ router.post("/verify", recoverLimiter, async (req: Request, res: Response) => {
      const userKey = keys.find(k => k.email === cleanEmail);
      
      if (userKey) {
-        sendRecoveryEmail(cleanEmail, userKey.key).catch(err => {
-          console.error(`Failed to send recovery key to ${cleanEmail}:`, err);
+        // Return key in response — shown once in browser, never emailed
+        res.json({
+          status: "recovered",
+          apiKey: userKey.key,
+          tier: userKey.tier,
+          message: "Your API key has been recovered. Save it securely — it is shown only once.",
+        });
+      } else {
+        res.json({
+          status: "recovered",
+          message: "No API key found for this email.",
        });
      }
-
-      res.json({
-        status: "recovered",
-        message: "Your API key has been sent to your email address.",
-      });
      break;
    }
    case "expired":