openclawd/docfast
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Security: never send API keys via email, add browser-based recovery UI, adjust rate limits

Browse source 
Investor Directive 1: Key recovery now shows key in browser after email verification code.
- Removed sendRecoveryEmail function entirely
- Recovery endpoint returns apiKey in JSON response (shown once in browser)
- Added full recovery modal UI (email → code → key displayed)
- Added "Lost your API key?" links throughout signup flow

Investor Directive 3: Rate limits adjusted to match server capacity.
- Global rate limit: 100/min → 30/min (server handles ~28 PDFs/min)
- CORS: recover routes now restricted to docfast.dev origin
This commit is contained in:
OpenClaw 2026-02-14 19:42:53 +00:00
parent 1af1b07fb3
commit a177020186
5 changed files with 217 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/services/email.ts
View file

@ -16,7 +16,7 @@ export async function sendVerificationEmail(email: string, code: string): Promis
from: "DocFast <noreply@docfast.dev>",
to: email,
subject: "DocFast - Verify your email",
text: `Your DocFast verification code is: ${code}\n\nThis code expires in 15 minutes.\n\nIf you didn't sign up for DocFast, ignore this email.`,
text: `Your DocFast verification code is: ${code}\n\nThis code expires in 15 minutes.\n\nIf you didn't request this, ignore this email.`,
});
console.log(`📧 Verification email sent to ${email}: ${info.messageId}`);
return true;
@ -26,18 +26,5 @@ export async function sendVerificationEmail(email: string, code: string): Promis
}
}
export async function sendRecoveryEmail(email: string, apiKey: string): Promise<boolean> {
try {
const info = await transporter.sendMail({
from: "DocFast <noreply@docfast.dev>",
to: email,
subject: "DocFast - Your API Key Recovery",
text: `Here is your DocFast API key:\n\n${apiKey}\n\nKeep this key safe. Do not share it with anyone.\n\nIf you didn't request this recovery, please ignore this email — your key has not been changed.`,
});
console.log(`📧 Recovery email sent to ${email}: ${info.messageId}`);
return true;
} catch (err) {
console.error(`📧 Failed to send recovery email to ${email}:`, err);
return false;
}
}
// NOTE: sendRecoveryEmail removed — API keys must NEVER be sent via email.
// Key recovery now shows the key in the browser after code verification.