[Feature] Email verification for email/password accounts #26

@fregataa

Description

Summary

Implement email verification for users who sign up with email/password. OAuth accounts are excluded from this requirement.

Scope

Backend (API Server)

Database

  • Add email_verified column to users table (default: false)
  • Add email_verification_tokens table:

    CREATE TABLE email_verification_tokens (
        id UUID PRIMARY KEY,
        user_id UUID REFERENCES users(id),
        token VARCHAR(255) NOT NULL UNIQUE,
        expires_at TIMESTAMP NOT NULL,
        created_at TIMESTAMP DEFAULT NOW()
    );

API Endpoints

  • POST /api/v1/auth/send-verification - Send/resend verification email
  • GET /api/v1/auth/verify-email?token=xxx - Verify email with token
  • Update POST /api/v1/auth/signup - Send verification email after signup

Email Service

  • Integrate email service (SES, SendGrid, or similar)
  • Create verification email template
  • Generate secure verification token (UUID or JWT)
  • Set token expiration (e.g., 24 hours)

Verification Flow

  • Generate token on signup
  • Send verification email with link
  • Validate token on verification endpoint
  • Mark user as verified
  • Delete used token

Frontend

  • Show "email not verified" banner for unverified users
  • Add verification pending page after signup
  • Add "Resend verification email" button
  • Handle verification callback page
  • Show success message after verification

Behavior

  • OAuth accounts: email_verified = true (auto-verified)
  • Email accounts: email_verified = false until verified
  • Unverified users can still log in but see a reminder
  • Optional: Restrict certain features for unverified users

Environment Variables

# Email Service (example: AWS SES)
SMTP_HOST=
SMTP_PORT=
SMTP_USER=
SMTP_PASSWORD=
EMAIL_FROM=noreply@truegul.com

# Or use API-based service
SENDGRID_API_KEY=

Acceptance Criteria

  • Verification email sent on signup (email accounts only)
  • Users can verify email via link
  • Users can resend verification email
  • Token expires after set time
  • OAuth users are auto-verified
  • Verification status visible in user profile

Notes

  • Consider rate limiting for resend requests
  • Verification link should work only once
  • Consider email change flow (re-verification needed)
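The verification flow above (generate on signup, validate on the verify endpoint, mark verified, delete the used token) together with the notes on single use and resend rate limiting, worked through as an added example. This is not code from the truegul project; it uses an in-memory dictionary in place of the users and email_verification_tokens tables, and it assumes the server stores a SHA-256 hash of the token rather than the raw value, so a leaked database row cannot be turned into a working verification link (the raw token only ever travels in the email). The function names, the 24-hour TTL and the one-minute resend cooldown are assumptions for the example.

```python
import hashlib
import secrets
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)          # assumed expiry, matches the "e.g., 24 hours" in the issue
RESEND_COOLDOWN = timedelta(minutes=1)   # assumed minimum gap between resend requests


@dataclass
class User:
    id: uuid.UUID
    email: str
    provider: str            # "email" or "oauth"
    email_verified: bool = False


@dataclass
class VerificationRecord:
    # Mirrors the email_verification_tokens row; 'token' holds a hash, not the raw token.
    id: uuid.UUID
    user_id: uuid.UUID
    token_hash: str
    expires_at: datetime
    created_at: datetime


class VerificationStore:
    """In-memory stand-in for the users and email_verification_tokens tables."""

    def __init__(self):
        self.users = {}    # user_id -> User
        self.tokens = {}   # token_hash -> VerificationRecord


def hash_token(raw_token: str) -> str:
    # Lookup key; hashing keeps the database from being a source of valid links.
    return hashlib.sha256(raw_token.encode()).hexdigest()


def issue_token(store: VerificationStore, user_id: uuid.UUID, now: datetime) -> str:
    """Create a fresh token for the user, invalidating any earlier one (resend semantics)."""
    for h, rec in list(store.tokens.items()):
        if rec.user_id == user_id:
            del store.tokens[h]
    raw = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    rec = VerificationRecord(uuid.uuid4(), user_id, hash_token(raw), now + TOKEN_TTL, now)
    store.tokens[rec.token_hash] = rec
    return raw


def signup(store: VerificationStore, email: str, provider: str, now: datetime = None):
    """OAuth accounts are auto-verified; email accounts get a token to send by mail."""
    now = now or datetime.now(timezone.utc)
    user = User(uuid.uuid4(), email, provider, email_verified=(provider == "oauth"))
    store.users[user.id] = user
    if provider == "oauth":
        return user, None
    return user, issue_token(store, user.id, now)


def resend(store: VerificationStore, user_id: uuid.UUID, now: datetime = None):
    """Return a new raw token, or None when the last one was issued within the cooldown."""
    now = now or datetime.now(timezone.utc)
    user = store.users.get(user_id)
    if user is None or user.email_verified:
        return None
    for rec in store.tokens.values():
        if rec.user_id == user_id and now - rec.created_at < RESEND_COOLDOWN:
            return None
    return issue_token(store, user_id, now)


def verify(store: VerificationStore, raw_token: str, now: datetime = None) -> str:
    """Consume a token: returns 'verified', 'expired' or 'invalid'."""
    now = now or datetime.now(timezone.utc)
    rec = store.tokens.get(hash_token(raw_token))
    if rec is None:
        return "invalid"
    # Delete before any other check so the link works exactly once, even on failure.
    del store.tokens[rec.token_hash]
    if now >= rec.expires_at:
        return "expired"
    user = store.users.get(rec.user_id)
    if user is None:
        return "invalid"
    user.email_verified = True
    return "verified"
```

In a real deployment the hash lookup replaces the `token VARCHAR(255) UNIQUE` column's content, the delete-then-check order in verify() should run inside one transaction so two concurrent requests cannot both succeed, and the cooldown in resend() is the simplest form of the rate limiting the notes ask for; a per-IP limit at the API layer is a reasonable complement.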
