Develop #28

Merged: NodeByteLTD merged 2 commits into main from develop on Jun 3, 2026

NodeByteLTD (Owner) commented Jun 3, 2026

Summary by CodeRabbit

Release Notes

  • New Features

    • Added two-factor authentication with TOTP and recovery codes for enhanced account security
    • Introduced email change verification flow for safer account updates
    • Added dedicated broadcast creation and compose experience with email editor
    • Reorganized settings navigation (Account and Team sections)
  • Improvements

    • Enhanced Docker publish workflow for multi-platform image reliability
    • Added support for direct broadcast with custom recipient email lists
    • Strengthened security with server-enforced 2FA middleware

coderabbitai Bot commented Jun 3, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9ccb66d9-b664-4af1-b1ed-d75c6dc6821d

📥 Commits

Reviewing files that changed from the base of the PR and between 16ce50a and 8544bf7.

⛔ Files ignored due to path filters (3)
  • apps/web/public/hero-dark.webp is excluded by !**/*.webp
  • apps/web/public/hero-light.webp is excluded by !**/*.webp
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/pnpm-lock.yaml
📒 Files selected for processing (35)
  • .github/workflows/docker-publish.yml
  • CHANGELOG.md
  • apps/web/middleware.ts
  • apps/web/package.json
  • apps/web/prisma/migrations/20260603032501_email_change_reverification_and_account_2fa/migration.sql
  • apps/web/prisma/migrations/20260603072201_2factor_recovery_codes/migration.sql
  • apps/web/prisma/migrations/20260603072459_add_recipient_emails_to_campaign/migration.sql
  • apps/web/prisma/schema.prisma
  • apps/web/src/app/(dashboard)/broadcasts/[broadcastId]/compose/page.tsx
  • apps/web/src/app/(dashboard)/broadcasts/create-broadcast.tsx
  • apps/web/src/app/(dashboard)/broadcasts/page.tsx
  • apps/web/src/app/(dashboard)/campaigns/campaign-card.tsx
  • apps/web/src/app/(dashboard)/settings/account/account-settings.tsx
  • apps/web/src/app/(dashboard)/settings/account/page.tsx
  • apps/web/src/app/(dashboard)/settings/layout.tsx
  • apps/web/src/app/(dashboard)/settings/page.tsx
  • apps/web/src/app/(dashboard)/settings/team/page.tsx
  • apps/web/src/app/(dashboard)/settings/team/team-general-settings.tsx
  • apps/web/src/app/api/auth/2fa/route.ts
  • apps/web/src/app/auth/2fa-verify/content.tsx
  • apps/web/src/app/auth/2fa-verify/page.tsx
  • apps/web/src/components/AppSideBar.tsx
  • apps/web/src/components/marketing/SiteFooter.tsx
  • apps/web/src/components/marketing/TopNav.tsx
  • apps/web/src/components/marketing/TopNavClient.tsx
  • apps/web/src/lib/edge-2fa-utils.ts
  • apps/web/src/providers/dashboard-provider.tsx
  • apps/web/src/server/api/routers/campaign.ts
  • apps/web/src/server/api/routers/user.trpc.test.ts
  • apps/web/src/server/api/routers/user.ts
  • apps/web/src/server/api/trpc.ts
  • apps/web/src/server/mailer.ts
  • apps/web/src/server/security/recovery-codes.ts
  • apps/web/src/server/security/two-factor.ts
  • apps/web/src/server/service/campaign-service.ts

Walkthrough

This PR implements account-level two-factor authentication with TOTP and recovery codes, email change re-verification, enforces 2FA via middleware and signed cookies, restructures settings navigation, and adds direct broadcast recipient email support with dedicated compose UI and batch processing.

Changes

Account Security & Direct Broadcast Recipients

| Layer / File(s) | Summary |
|---|---|
| Database schema and migrations for 2FA, email changes, and direct broadcast recipients<br>apps/web/prisma/migrations/..., apps/web/prisma/schema.prisma | User model extended with twoFactorEnabled, twoFactorSecret, twoFactorTempSecret; new PendingEmailChange table tracks staged email changes with expiry and verification code; new TwoFactorRecoveryCode table stores hashed recovery codes with usage tracking; Campaign model gains recipientEmails: String[] field. |
| 2FA security utilities and server-side validation infrastructure<br>apps/web/src/server/security/two-factor.ts, apps/web/src/server/security/recovery-codes.ts, apps/web/src/app/api/auth/2fa/route.ts, apps/web/src/lib/edge-2fa-utils.ts, apps/web/src/server/api/trpc.ts | TOTP secret generation and async verification with otplib; recovery code generation, SHA-256 hashing, and timing-safe verification; signed HMAC-SHA256 2FA cookies with 12-hour expiry; server-side validation in createTRPCContext and Edge Runtime validator; POST /api/auth/2fa accepts TOTP or recovery code and returns signed cookie. |
| User account mutations and tRPC API for email changes and 2FA flows<br>apps/web/src/server/api/routers/user.ts, apps/web/src/server/mailer.ts | New procedures: requestEmailChange, confirmEmailChange, startTwoFactorSetup, confirmTwoFactorSetup, useRecoveryCode, getRecoveryCodeCount, regenerateRecoveryCodes, disableTwoFactor, verifyTwoFactorCode; getProfile returns emailVerified, twoFactorEnabled, linked OAuth account types; email verification email sender added to mailer. |
| User account procedure tests<br>apps/web/src/server/api/routers/user.trpc.test.ts | Comprehensive Vitest suite testing email change request/confirmation with expiry, 2FA setup/confirmation edge cases, recovery code usage, and TOTP validation; mocks DB, mailer, and security helpers. |
| Account settings UI, email change verification, and 2FA management flows<br>apps/web/src/app/(dashboard)/settings/account/account-settings.tsx, apps/web/src/app/(dashboard)/settings/account/page.tsx, apps/web/src/app/(dashboard)/settings/layout.tsx, apps/web/src/app/(dashboard)/settings/team/team-general-settings.tsx | AccountSettings component with email re-verification flow (send code → enter code), 2FA enable/disable with QR code display, recovery code display and regeneration; settings layout updated to show Team and Account nav items instead of single General item. |
| Dashboard provider and middleware 2FA enforcement<br>apps/web/middleware.ts, apps/web/src/providers/dashboard-provider.tsx | Middleware authenticates dashboard routes and validates 2FA cookie, redirects to /auth/2fa-verify on invalid/missing cookie; DashboardProvider gates team data queries until 2FA is verified, with sessionStorage-backed verification state per user; renders inline 2FA verification form with code/recovery-code toggle. |
| 2FA verification page and content component<br>apps/web/src/app/auth/2fa-verify/content.tsx, apps/web/src/app/auth/2fa-verify/page.tsx | Client-side 2FA verification page with form handling code/recovery-code input; validates length, POSTs to /api/auth/2fa, shows success/error toasts, redirects on success; supports mode toggle and input auto-disable. |
| Campaign schema and service updates for direct broadcast recipients<br>apps/web/src/server/api/routers/campaign.ts, apps/web/src/server/service/campaign-service.ts | Campaign schema extended to track direct broadcast recipient emails; scheduleCampaign relaxes contactBookId requirement for direct broadcasts, uses recipientEmails.length for total; batch worker adds direct-broadcast branch with deduplication, suppression checking, and email queuing. |
| Broadcast compose page, creation dialog, and navigation<br>apps/web/src/app/(dashboard)/broadcasts/[broadcastId]/compose/page.tsx, apps/web/src/app/(dashboard)/broadcasts/create-broadcast.tsx, apps/web/src/app/(dashboard)/broadcasts/page.tsx | New broadcast compose page fetches campaign, edits name/subject with mutations, debounces editor content updates, supports contact-book or direct-email recipient modes, image uploads, and send-now scheduling; create-broadcast dialog with form validation; broadcasts page wiring updated. |
| Campaign card intent-based routing for compose vs edit<br>apps/web/src/app/(dashboard)/campaigns/campaign-card.tsx | Campaign card extended with campaign intent field; SCHEDULED state routes broadcasts to /compose and non-broadcasts to /edit; pause toggle redesigned with explicit Tooltip wrapper on desktop. |
| App navigation, sidebar, and external link updates<br>apps/web/src/components/AppSideBar.tsx, apps/web/src/components/marketing/TopNav.tsx, apps/web/src/components/marketing/TopNavClient.tsx, apps/web/src/components/marketing/SiteFooter.tsx, apps/web/src/app/(dashboard)/settings/page.tsx, apps/web/src/app/(dashboard)/settings/team/page.tsx | AppSidebar adds "Account Settings" link and "Documentation" external link; TopNav/TopNavClient/SiteFooter update Discord invite URL; settings root page performs client-side redirect to /settings/team; team page directly renders TeamGeneralSettings. |
| Build, deployment, and release documentation updates<br>.github/workflows/docker-publish.yml, apps/web/package.json, CHANGELOG.md | Docker publish workflow adds wait_for_remote_image checks for platform images before manifest creation; dependencies updated (next-auth bumped, otplib and qrcode.react added); CHANGELOG.md documents 0.3.0 release with all 2FA, email verification, broadcast, and settings changes. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • NodeByteLTD/ByteSend#18: Related campaign intent extension that this PR builds upon by adding recipientEmails support to the updateCampaign procedure for direct broadcast campaigns.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

apps/web/middleware.ts

ESLint skipped: missing config or dependency (missing-dependency). The ESLint configuration references a package that is not available in the sandbox.

apps/web/src/app/(dashboard)/broadcasts/[broadcastId]/compose/page.tsx

ESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.

apps/web/src/app/(dashboard)/broadcasts/create-broadcast.tsx

ESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.

  • 25 others

@NodeByteLTD NodeByteLTD merged commit 39d0bf5 into main Jun 3, 2026
15 of 17 checks passed
@coderabbitai coderabbitai Bot mentioned this pull request Jun 3, 2026
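
An added example, not code from this PR or the ByteSend repository: one way to issue and verify the signed HMAC-SHA256 2FA cookie with a 12-hour expiry that the walkthrough describes, including binding to the session user and a timing-safe signature check. The cookie layout, function names and secret handling are assumptions, and user ids are assumed to contain no `.`.

```javascript
// Added example (hypothetical names and cookie layout, not ByteSend's implementation).
const nodeCrypto = require("node:crypto");

const TWO_FACTOR_TTL_MS = 12 * 60 * 60 * 1000; // 12-hour expiry, per the PR summary

// HMAC-SHA256 over the payload, encoded as base64url (never contains ".").
function signPayload(payload, secret) {
  return nodeCrypto.createHmac("sha256", secret).update(payload).digest("base64url");
}

// Issued after a successful TOTP or recovery-code check.
// Layout (assumed): "<userId>.<expiresAtMs>.<signature>"
function issueTwoFactorCookie(userId, secret, now = Date.now()) {
  const payload = `${userId}.${now + TWO_FACTOR_TTL_MS}`;
  return `${payload}.${signPayload(payload, secret)}`;
}

// True only if the signature is valid, the cookie belongs to the session's
// user, and the expiry has not passed.
function verifyTwoFactorCookie(cookie, sessionUserId, secret, now = Date.now()) {
  if (typeof cookie !== "string") return false;
  const parts = cookie.split(".");
  if (parts.length !== 3) return false;
  const [userId, expiresAt, signature] = parts;

  const expected = Buffer.from(signPayload(`${userId}.${expiresAt}`, secret));
  const given = Buffer.from(signature);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return false;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return false;

  // Fields are trusted only after the signature has verified.
  if (userId !== String(sessionUserId)) return false; // cookie replayed under another account
  const exp = Number(expiresAt);
  return Number.isSafeInteger(exp) && now < exp;
}
```

Binding the cookie to the user id matters because the 2FA cookie is separate from the session: without it, a cookie earned on one account would satisfy the middleware for any other session in the same browser.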