Develop

[NodeByteLTD]

Summary by CodeRabbit

Release Notes

• New Features

  • Added backup email login with password protection as an account recovery option.
  • Implemented two-step email verification for changing primary email address.
  • Added backup email management in account settings.
  • Recovery codes now provide bypass access for email verification.

• Improved

  • Enhanced 2FA verification interface and styling.
  • Redesigned broadcasts compose experience with improved settings organization.
  • Consolidated account settings page for streamlined management.

• Bug Fixes

  • Fixed build error handling to enforce code quality standards.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2e0ee765-2cb7-4a17-86ea-81564b3afa8f

📥 Commits

Reviewing files that changed from the base of the PR and between 39d0bf5 and 544c2a2.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/pnpm-lock.yaml

📒 Files selected for processing (13)

• CHANGELOG.md
• apps/web/next.config.js
• apps/web/package.json
• apps/web/prisma/migrations/20260603195140_add_backup_emails_and_two_sided_verification/migration.sql
• apps/web/prisma/schema.prisma
• apps/web/src/app/(dashboard)/broadcasts/[broadcastId]/compose/page.tsx
• apps/web/src/app/(dashboard)/settings/account/account-settings.tsx
• apps/web/src/app/api/auth/backup-email-login/route.ts
• apps/web/src/app/auth/2fa-verify/content.tsx
• apps/web/src/app/login/login-page.tsx
• apps/web/src/server/api/routers/user.ts
• apps/web/src/server/auth.ts
• apps/web/src/server/mailer.ts

---

Walkthrough

This PR introduces a comprehensive backup email authentication system with password-protected login, refactors primary email change verification into a two-step process, and improves multiple UI surfaces including account settings, login, 2FA verification, and broadcasts compose.

Changes

Backup Email Authentication & Dual-Step Email Verification

Layer / File(s)	Summary
Database Schema & Migrations apps/web/prisma/schema.prisma, apps/web/prisma/migrations/20260603195140_*	New BackupEmail and PendingBackupEmailVerification models; PendingEmailChange split into dual-code (codeOld/codeNew) and dual-state (verifiedOld/verifiedNew) tracking with indexes.
Backup Email Backend Procedures apps/web/src/server/api/routers/user.ts	Added tRPC procedures (addBackupEmail, verifyBackupEmail, getBackupEmails, deleteBackupEmail) with bcryptjs password hashing, uniqueness validation, and enforced verified-backup constraints.
Dual-Step Email Verification Flow apps/web/src/server/api/routers/user.ts	Refactored email change to generate separate verification codes for current and new email; split confirmation into confirmOldEmail then confirmNewEmail steps with independent validation and recovery-code bypass alignment.
Backup Email Login Authentication apps/web/src/app/api/auth/backup-email-login/route.ts, apps/web/src/server/auth.ts, apps/web/src/server/api/routers/user.ts	New API route and NextAuth CredentialsProvider for backup email login; validates backup email verification and password hash; blocks primary-email password login; returns 2FA status.
Email Template & Mailer Updates apps/web/src/server/mailer.ts	Updated sendEmailChangeVerificationEmail to accept optional subject parameter; changed body wording to reflect email address change flow.
Account Settings UI apps/web/src/app/(dashboard)/settings/account/account-settings.tsx	Redesigned primary email section with Step 1/Step 2 verification UI for old/new email codes; added complete Backup Email section with add/verify/delete workflows, password validation, and state management.
Login Page Backup Email Integration apps/web/src/app/login/login-page.tsx	Added optional backup email/password login form with toggle; filters provider list to exclude credentials; calls NextAuth signIn("credentials") with error handling and navigation.
2FA Verification UX Enhancement apps/web/src/app/auth/2fa-verify/content.tsx	Added mode toggle between authenticator and recovery codes; dynamic labels, descriptions, and help text; improved error handling; 12-hour device validity messaging.
Broadcasts Compose Page Redesign apps/web/src/app/(dashboard)/broadcasts/[broadcastId]/compose/page.tsx	Refactored from sidebar to accordion-based Settings strip (Subject/From/Reply-To inputs, contact-book or direct-recipient selection); added Variables strip with template placeholder display and recipient count indicator.
Configuration & Dependencies apps/web/package.json, apps/web/next.config.js, CHANGELOG.md	Added bcryptjs dependency; upgraded @trpc/server to ^11.8.0 and next to ^16.2.7; removed ESLint ignore-during-builds; documented all changes in v0.3.1 release notes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• NodeByteLTD/ByteSend#28: Both PRs modify the same email verification code paths in user.ts and enhance the 2FA verification UI in 2fa-verify/content.tsx with recovery code and authenticator mode support.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch develop

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}