Add circuit breaker pattern to email verification system

Implement rate limiting and attempt tracking to prevent verification abuse and infinite reload loops. Add temporary blocking with clear user feedback, enhanced error states, and retry logic. Includes new verification state utilities and improved UI components for better user experience during blocked states.
2025-08-10 15:48:11 +02:00
parent c4379f0813
commit 62be77ec34
5 changed files with 816 additions and 57 deletions
--- a/server/utils/email-tokens.ts
+++ b/server/utils/email-tokens.ts
@@ -109,9 +109,7 @@ export async function verifyEmailToken(token: string): Promise<{ userId: string;
      throw new Error('Token payload mismatch');
    }

-    // Remove token after successful verification (single use)
-    activeTokens.delete(token);
-
+    // DON'T DELETE TOKEN YET - let the caller decide when to consume it
    console.log('[email-tokens] Successfully verified token for user:', decoded.userId, 'email:', decoded.email);

    return {
@@ -133,6 +131,32 @@ export async function verifyEmailToken(token: string): Promise<{ userId: string;
  }
 }

+/**
+ * Consume a token after successful operations
+ */
+export async function consumeEmailToken(token: string): Promise<void> {
+  if (!token) {
+    throw new Error('Token is required');
+  }
+
+  // Remove token from active tokens (single use)
+  const wasRemoved = activeTokens.delete(token);
+  
+  if (wasRemoved) {
+    console.log('[email-tokens] Token consumed successfully');
+  } else {
+    console.log('[email-tokens] Token was already consumed or not found');
+  }
+}
+
+/**
+ * Verify token without consuming it (for retries)
+ */
+export async function verifyEmailTokenWithoutConsuming(token: string): Promise<{ userId: string; email: string }> {
+  // This is the same as verifyEmailToken but more explicit about not consuming
+  return await verifyEmailToken(token);
+}
+
 /**
 * Check if a token is still valid without consuming it
 */