deploystackio
diff --git a/‎services/backend/SECURITY.md‎
Lines changed: 17 additions & 0 deletions b/‎services/backend/SECURITY.md‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎services/backend/api-spec.json‎
Lines changed: 240 additions & 0 deletions b/‎services/backend/api-spec.json‎
Lines changed: 240 additions & 0 deletions
@@ -36,10 +36,27 @@ User sessions are managed using `lucia-auth` v3.
 All incoming data from clients (e.g., API request bodies, URL parameters) is rigorously validated using `zod` schemas on the server-side before being processed. This helps prevent common vulnerabilities such as injection attacks and unexpected data handling errors.
 
 - Registration endpoint validates: username, email, password, first_name, last_name
+- **Email verification endpoint validates: verification token format and expiration**
 - Email addresses are normalized to lowercase before storage
 - Duplicate username and email checks are performed before user creation
+- **Email verification status is checked during login when verification is enabled**
 - All database operations use parameterized queries via Drizzle ORM to prevent SQL injection
 
+## Email Verification
+
+Email verification is implemented to ensure account ownership and prevent unauthorized account creation.
+
+- **Verification Tokens:** Cryptographically secure tokens generated using `generateId(32)` (256-bit entropy)
+- **Token Expiration:** Verification tokens expire after 24 hours to limit exposure window
+- **Token Storage:** Tokens are stored hashed in the database using the same argon2 parameters as passwords
+- **Secure Links:** Verification links use HTTPS in production and include the full token in query parameters
+- **Token Validation:** Constant-time comparison used for token verification to prevent timing attacks
+- **Single Use:** Tokens are invalidated immediately after successful verification
+- **Account Security:** Unverified accounts cannot log in when email verification is enabled via `global.send_mail` setting
+- **Global Administrator Exception:** The first registered user (global administrator) is automatically verified for system access
+- **Database Schema Security:** `email_verified` boolean field with secure default (false)
+- **Cleanup Mechanism:** Expired tokens are automatically cleaned up to prevent database bloat
+
 ## Global Settings Encryption
 
 Sensitive global application settings (SMTP credentials, API keys, etc.) are encrypted at rest using industry-standard encryption.
 
@@ -6437,6 +6437,246 @@
         }
       }
     },
+    "/api/auth/email/verify": {
+      "get": {
+        "summary": "Verify email address",
+        "tags": [
+          "Authentication"
+        ],
+        "description": "Verifies a user's email address using a verification token sent via email. This endpoint is public and does not require authentication. Once verified, the user's email_verified status is set to true.",
+        "parameters": [
+          {
+            "schema": {
+              "type": "string",
+              "minLength": 1
+            },
+            "in": "query",
+            "name": "token",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Email verified successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the verification was successful"
+                    },
+                    "message": {
+                      "type": "string",
+                      "description": "Success message"
+                    },
+                    "userId": {
+                      "type": "string",
+                      "description": "ID of the verified user"
+                    }
+                  },
+                  "required": [
+                    "success",
+                    "message",
+                    "userId"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Email verified successfully"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Invalid or expired token",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Bad Request - Invalid or expired token"
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal Server Error - Verification failed",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Internal Server Error - Verification failed"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/auth/email/resend-verification": {
+      "post": {
+        "summary": "Resend email verification",
+        "tags": [
+          "Authentication"
+        ],
+        "description": "Resends a verification email to the specified email address. This endpoint is public and does not require authentication. Only works if the email address exists and is not already verified.",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "email": {
+                    "type": "string",
+                    "format": "email"
+                  }
+                },
+                "required": [
+                  "email"
+                ],
+                "additionalProperties": false
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "Verification email sent successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the resend was successful"
+                    },
+                    "message": {
+                      "type": "string",
+                      "description": "Success message"
+                    }
+                  },
+                  "required": [
+                    "success",
+                    "message"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Verification email sent successfully"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Email not found or already verified",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Bad Request - Email not found or already verified"
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "Forbidden - Email sending is disabled",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Forbidden - Email sending is disabled"
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal Server Error - Failed to send email",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Internal Server Error - Failed to send email"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/api/auth/profile/update": {
       "put": {
         "summary": "Update user profile",