From 22c59a09a4d4342ec2e20314532cda29630c6890 Mon Sep 17 00:00:00 2001
From: TheRealToxicDev
Date: Wed, 3 Jun 2026 16:44:11 -0600
Subject: [PATCH] fix(email): verification code delivery
---
 apps/web/src/server/api/routers/user.ts | 8 +++-----
 apps/web/src/server/mailer.ts | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/apps/web/src/server/api/routers/user.ts b/apps/web/src/server/api/routers/user.ts
index 573fd6f..77184e0 100644
--- a/apps/web/src/server/api/routers/user.ts
+++ b/apps/web/src/server/api/routers/user.ts
@@ -2,7 +2,7 @@ import { z } from "zod";
 import { createTRPCRouter, protectedProcedure, publicProcedure } from "~/server/api/trpc";
 import { db } from "~/server/db";
 import { TRPCError } from "@trpc/server";
-import { sendEmailChangeVerificationEmail } from "~/server/mailer";
+import { sendEmailChangeVerificationEmail, sendBackupEmailVerificationEmail } from "~/server/mailer";
 import {
 generateTwoFactorSecret,
 verifyTwoFactorToken,
@@ -692,10 +692,8 @@ export const userRouter = createTRPCRouter({
 },
 });
- // Store the hashed password in session (client will pass it back on verification)
- // This is done client-side to avoid storing plaintext passwords in DB temporarily
- // TODO: Send verification email to backup email address
- // await sendBackupEmailVerificationEmail(backupEmail, code);
+ // Send verification email to backup email address
+ await sendBackupEmailVerificationEmail(backupEmail, code);
 return {
 step: "verify" as const,
diff --git a/apps/web/src/server/mailer.ts b/apps/web/src/server/mailer.ts
index 64c1e8b..642ecb3 100644
--- a/apps/web/src/server/mailer.ts
+++ b/apps/web/src/server/mailer.ts
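Review bot: In `apps/web/src/server/api/routers/user.ts`, the new `await sendBackupEmailVerificationEmail(backupEmail, code);` has no error handling, so a mail transport failure rejects the procedure with whatever raw error the mailer throws, after the call closed by `});` just above it (presumably the write of the pending code) has already completed. Wrap the call in a `try`/`catch` that logs the cause server-side and throws `new TRPCError({ code: "INTERNAL_SERVER_ERROR", message: "Could not send verification email" })`. Nothing visible in this hunk limits how often a caller can trigger a send to an arbitrary `backupEmail`; if the procedure is not throttled outside the hunk, add a per-user and per-address limit, because this path now sends real mail from the service's domain. The enclosing procedure starts and ends outside the hunk.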
@@ -106,6 +106,29 @@ export async function sendEmailChangeVerificationEmail(
 await sendMail(email, finalSubject, text, html);
 }
+export async function sendBackupEmailVerificationEmail(
+ email: string,
+ token: string
+) {
+ if (env.NODE_ENV === "development") {
+ logger.info({ email, token }, "Sending backup email verification code");
+ return;
+ }
+
+ const subject = "Verify your backup email address";
+ const text = `Hey,\n\nUse this verification code to confirm your backup email address:\n\n${token}\n\nThis code expires in 15 minutes.\n\nIf you did not request this, you can ignore this email.\n\nThanks,\nByteSend Team`;
+ const html = [
+ "

Hey,

",
+ "

Use this verification code to confirm your backup email address:

",
+ `

${token}

`,
+ "

This code expires in 15 minutes.

",
+ "

If you did not request this, you can ignore this email.

",
+ "

Thanks,
ByteSend Team

",
+ ].join("");
+
+ await sendMail(email, subject, text, html);
+}
+
 export async function sendMail(
 email: string,
 subject: string,
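Review bot: The development branch of `sendBackupEmailVerificationEmail` writes the live verification code together with the recipient address to the log (`logger.info({ email, token }, ...)`) and returns without sending, so any deployment that runs with `NODE_ENV` set to `development` both skips delivery and leaves usable codes in log storage. Keep the code out of the structured log, e.g. `logger.info({ email }, "Backup email verification code generated; delivery skipped in development");`, or emit it only at debug level. The sentence `This code expires in 15 minutes.` is hard-coded here while the expiry is enforced elsewhere, so the two can drift; pass the lifetime in or share one constant. `${token}` is interpolated into `html` unescaped, which is safe only while the code is server-generated from a fixed alphabet, and a one-line comment stating that assumption would help the next reader. The function also lacks an explicit `Promise<void>` return type.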