Replace email verification with custom implementation

[XiNiHa]

Background

The existing email verification relied on SuperTokens' implementation, which was not flexible enough to be used in wider use cases like email verification for SSO accounts during account linking.

Description

• Creates the email_verifications table and fills it based on the existing supertokens_emailverification_verified_emails table
• Implements the email verification system through the GraphQL API
• Replaces the existing email verification system from SuperTokens with the new implementation
• Updates the frontend to use the new system

Checklist

• Input validation
• Output encoding
• Authentication management
• Session management
• Access control
• Cryptographic practices
• Error handling and logging
• Data protection
• Communication security
• System configuration
• Database security
• File management
• Memory management
• Testing

[gemini-code-assist]

Summary of Changes

Hello @XiNiHa, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request overhauls the email verification mechanism by transitioning from SuperTokens' built-in solution to a custom-developed system. This change addresses limitations in the previous implementation, particularly concerning advanced authentication flows like SSO account linking. The modifications span across the database schema, API layer with new GraphQL mutations, and the frontend user interface, ensuring a cohesive and flexible email verification process.

Highlights

• Custom Email Verification: The existing SuperTokens email verification system has been replaced with a custom implementation to offer greater flexibility, especially for scenarios like SSO account linking.
• Database Migration: A new email_verifications table has been introduced in the database. A migration script is included to populate this new table with existing verified email data from the old SuperTokens tables.
• GraphQL API Endpoints: New GraphQL mutations, sendVerificationEmail and verifyEmail, have been added to the API to manage the custom email verification flow.
• Frontend Integration: The frontend email verification page (AuthVerifyEmail) has been updated to utilize the newly implemented GraphQL API for sending and verifying emails, replacing the previous SuperTokens SDK calls.
• SuperTokens Email Verification Removal: The SuperTokens EmailVerification recipe and its related configurations have been removed from both the backend and frontend, as the custom solution now handles this functionality.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

Package	Version	Info
@graphql-hive/cli	0.57.2-alpha-20260115190127-3f467ee3b8a0ee56828fda44325e6277c8f9f545	npm ↗︎ unpkg ↗︎
hive	9.0.0-alpha-20260115190127-3f467ee3b8a0ee56828fda44325e6277c8f9f545	npm ↗︎ unpkg ↗︎

[github-actions]

📚 Storybook Deployment

The latest changes are available as preview in: https://pr-7504.hive-storybook.pages.dev

[gemini-code-assist]

Code Review

This pull request replaces the SuperTokens email verification with a custom implementation, providing more flexibility. The changes include a new database migration for email verifications, backend logic to handle the verification flow, and frontend updates to use the new system. My review focuses on a style guide violation regarding legacy module usage, a potential bug in token generation logic, and a React best practice issue in the frontend.

[gemini-code-assist]

According to the repository's style guide (lines 60-66), new logic for database interactions should not be added to the legacy /packages/services/storage module. Instead, it should be encapsulated in smaller classes within the corresponding GraphQL modules.

The new methods checkUserEmailVerified, getOrCreateEmailVerification, and verifyEmail should be moved out of this file and into a new data-access class within packages/services/api/src/modules/auth/. This will improve modularity and adhere to the established architectural pattern.

References

1. Adding new major logic to /packages/services/storage is discouraged. This module is considered legacy. Instead, we now have smaller classes within the corresponding GraphQL modules that hold the logic for interacting with Postgres. ^(link)

[XiNiHa]

Oops, had no idea about this and actually was feeling weird dealing with the Storage module 🫠

[gemini-code-assist]

The current implementation of getOrCreateEmailVerification may re-send an already expired verification link. If an expired, unverified token exists, it will be returned and emailed to the user, who will then find that the link is expired. This leads to a poor user experience.

The logic should be updated to create a new token if the existing one is expired. Using ON CONFLICT ... DO UPDATE would make this more robust by either inserting a new record or updating an existing one (including expired ones), ensuring a fresh token and expiry date are always generated when needed.

      return tracedTransaction('getOrCreateEmailVerification', pool, async t => {
        const user = await shared.getUserBySuperTokenId({ superTokensUserId }, t);

        if (!user) {
          return {
            ok: false,
            message: 'User not found.',
          };
        }

        const emailVerification = await t.maybeOne<{
          verifiedAt: number | null;
        }>(sql`/* getOrCreateEmailVerification: check if verified */
          SELECT "verified_at" "verifiedAt"
          FROM "email_verifications"
          WHERE
            "user_id" = ${user.id}
            AND "provider" = ${user.provider}
            AND "email" = ${user.email}
        `);

        if (emailVerification?.verifiedAt) {
          return {
            ok: false,
            message: 'Your email address has already been verified.',
          };
        }

        const newEmailVerification = await t.one<{
          token: string;
          expiresAt: number;
        }>(sql`/* getOrCreateEmailVerification: upsert token */
          INSERT INTO "email_verifications" (
            "user_id"
            , "provider"
            , "email"
            , "token"
            , "expires_at"
          )
          VALUES (
            ${user.id}
            , ${user.provider}
            , ${user.email}
            , ${randomBytes(16).toString('hex')}
            , now() + INTERVAL '30 minutes'
          )
          ON CONFLICT ("user_id", "provider", "email") DO UPDATE SET
            "token" = EXCLUDED.token,
            "expires_at" = EXCLUDED.expires_at,
            "verified_at" = NULL -- Ensure it's not marked as verified
          RETURNING
            "token"
            , "expires_at" "expiresAt"
        `);

        return {
          ok: true,
          userId: user.id,
          token: newEmailVerification.token,
          expiresAt: new Date(newEmailVerification.expiresAt),
        };
      });

[XiNiHa]

@n1ru4l what do you think about this?

[github-actions]

🐋 This PR was built and pushed to the following Docker images:

Targets: build

Platforms: linux/amd64

Image Tag: 3f467ee3b8a0ee56828fda44325e6277c8f9f545

[github-actions]

💻 Website Preview

The latest changes are available as preview in: https://pr-7504.hive-landing-page.pages.dev