feat: add 6-digit code email verification to signup flow

- POST /v1/signup/free now returns verification code (temp in response) - New POST /v1/signup/verify endpoint to verify code and get API key - Codes expire after 15 minutes, max 3 attempts - Frontend updated with 2-step signup modal (email → code → key) - Legacy token verification kept for existing links
2026-02-14 18:25:55 +00:00 · 2026-02-14 18:25:55 +00:00 · f59b99203e
commit f59b99203e
parent 0a3f935af1
4 changed files with 219 additions and 59 deletions
--- a/src/routes/signup.ts
+++ b/src/routes/signup.ts
@ -1,26 +1,28 @@
 import { Router, Request, Response } from "express";
 import rateLimit from "express-rate-limit";
 import { createFreeKey } from "../services/keys.js";
-import { createVerification, verifyToken, isEmailVerified, getVerifiedApiKey } from "../services/verification.js";
+import { createVerification, createPendingVerification, verifyCode, isEmailVerified, getVerifiedApiKey } from "../services/verification.js";
 import { sendVerificationEmail } from "../services/email.js";

 const router = Router();

-// Rate limiting for signup - 5 signups per IP per hour
 const signupLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 5,
-  message: {
-    error: "Too many signup attempts. Please try again in 1 hour.",
-    retryAfter: "1 hour"
-  },
+  message: { error: "Too many signup attempts. Please try again in 1 hour.", retryAfter: "1 hour" },
  standardHeaders: true,
  legacyHeaders: false,
-  skipSuccessfulRequests: false,
-  skipFailedRequests: false,
 });

-// Self-service free API key signup — now requires email verification
+const verifyLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 15,
+  message: { error: "Too many verification attempts. Please try again later." },
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+// Step 1: Request signup — generates 6-digit code
 router.post("/free", signupLimiter, async (req: Request, res: Response) => {
  const { email } = req.body || {};

@ -31,26 +33,69 @@ router.post("/free", signupLimiter, async (req: Request, res: Response) => {

  const cleanEmail = email.trim().toLowerCase();

-  // If already verified, tell them
  if (isEmailVerified(cleanEmail)) {
-    res.status(409).json({ error: "This email is already registered. Check your inbox for the original verification email, or contact support." });
+    res.status(409).json({ error: "This email is already registered. Contact support if you need help." });
    return;
  }

-  // Create the API key (but don't reveal it yet)
-  const keyInfo = createFreeKey(cleanEmail);
+  const pending = createPendingVerification(cleanEmail);

-  // Create verification record
-  const verification = createVerification(cleanEmail, keyInfo.key);
-
-  // Send verification email
-  await sendVerificationEmail(cleanEmail, verification.token);
+  // TODO: Send code via email once SMTP is configured
+  // For now, return code in response for testing
+  console.log(`📧 Verification code for ${cleanEmail}: ${pending.code}`);

  res.json({
-    message: "Check your email for a verification link to get your API key.",
+    status: "verification_required",
+    message: "Check your email for a verification code",
    email: cleanEmail,
-    verified: false,
+    code: pending.code, // TEMP: remove once email infra is live
  });
 });

+// Step 2: Verify code — creates API key
+router.post("/verify", verifyLimiter, (req: Request, res: Response) => {
+  const { email, code } = req.body || {};
+
+  if (!email || !code) {
+    res.status(400).json({ error: "Email and code are required." });
+    return;
+  }
+
+  const cleanEmail = email.trim().toLowerCase();
+  const cleanCode = String(code).trim();
+
+  if (isEmailVerified(cleanEmail)) {
+    res.status(409).json({ error: "This email is already verified." });
+    return;
+  }
+
+  const result = verifyCode(cleanEmail, cleanCode);
+
+  switch (result.status) {
+    case "ok": {
+      const keyInfo = createFreeKey(cleanEmail);
+      // Mark as verified via legacy system too
+      const verification = createVerification(cleanEmail, keyInfo.key);
+      verification.verifiedAt = new Date().toISOString();
+
+      res.json({
+        status: "verified",
+        message: "Email verified! Here's your API key.",
+        apiKey: keyInfo.key,
+        tier: keyInfo.tier,
+      });
+      break;
+    }
+    case "expired":
+      res.status(410).json({ error: "Verification code has expired. Please sign up again." });
+      break;
+    case "max_attempts":
+      res.status(429).json({ error: "Too many failed attempts. Please sign up again to get a new code." });
+      break;
+    case "invalid":
+      res.status(400).json({ error: "Invalid verification code." });
+      break;
+  }
+});
+
 export { router as signupRouter };