fix: api-gateway Redis URL, cleanup safety, and auth error handling (#2038)

* fix: api-gateway Redis URL parsing, partial cleanup, and auth error handling

- Parse Redis URL with redis.ParseURL() (with fallback for bare addr) so
  REDIS_URL values like redis://host:port are handled correctly (task 13.1)
- Defer buildServerOptions cleanups before the error check so partial
  wiring (e.g. ssoCleanup after wireBFFSSO) always runs on failure (task 13.2)
- Return 403 Forbidden for ErrEmailNotVerified instead of falling through
  to generic 500 in handleLoginError (task 14)
- Log internal FindByEmail failures in issueResendVerificationToken while
  preserving timing-safe 200 response for email enumeration prevention (task 14)

* fix: redact Redis URL credentials in fallback warn log

* fix: align test stub with connector contract and harden URL redaction fallback

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

services/api-gateway/auth_handler.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/meridianhub/meridian/services/identity/connector"
+	identitydomain "github.com/meridianhub/meridian/services/identity/domain"
 	platformauth "github.com/meridianhub/meridian/shared/platform/auth"
 	"github.com/meridianhub/meridian/shared/platform/tenant"
 )
@@ -173,6 +174,12 @@ func (h *AuthHandler) handleLoginError(ctx context.Context, w http.ResponseWrite
 		})
 		return
 	}
+	if errors.Is(err, identitydomain.ErrEmailNotVerified) {
+		writeJSON(w, http.StatusForbidden, map[string]string{
+			"error": "email address has not been verified",
+		})
+		return
+	}
 	if strings.HasPrefix(err.Error(), "sign:") {
 		h.logger.ErrorContext(ctx, "auth: failed to sign token",
 			"tenant_id", tenantID, "error", err)

services/api-gateway/auth_handler_test.go

@@ -13,6 +13,7 @@ import (
 
 	gateway "github.com/meridianhub/meridian/services/api-gateway"
 	"github.com/meridianhub/meridian/services/identity/connector"
+	identitydomain "github.com/meridianhub/meridian/services/identity/domain"
 	platformauth "github.com/meridianhub/meridian/shared/platform/auth"
 	"github.com/meridianhub/meridian/shared/platform/tenant"
 	"github.com/stretchr/testify/assert"
@@ -227,3 +228,40 @@ func TestAuthHandler_MethodNotAllowed(t *testing.T) {
 	handler.HandleLogin(rec, req)
 	assert.Equal(t, http.StatusMethodNotAllowed, rec.Code)
 }
+
+func TestAuthHandler_EmailNotVerified_Returns403(t *testing.T) {
+	signer := newTestSigner(t)
+
+	conn := &stubConnector{
+		loginFn: func(_ context.Context, _ []string, _, _ string) (connector.Identity, bool, error) {
+			return connector.Identity{}, false, identitydomain.ErrEmailNotVerified
+		},
+	}
+
+	handler, err := gateway.NewAuthHandler(gateway.AuthHandlerConfig{
+		Connector: conn,
+		Signer:    signer,
+		Logger:    slog.Default(),
+	})
+	require.NoError(t, err)
+
+	body, _ := json.Marshal(map[string]string{
+		"email":    "unverified@example.com",
+		"password": "correct",
+	})
+
+	req := httptest.NewRequest(http.MethodPost, "/api/auth/login", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	tid, _ := tenant.NewTenantID("volterra")
+	req = req.WithContext(tenant.WithTenant(req.Context(), tid))
+
+	rec := httptest.NewRecorder()
+	handler.HandleLogin(rec, req)
+
+	assert.Equal(t, http.StatusForbidden, rec.Code)
+
+	var resp map[string]string
+	err = json.NewDecoder(rec.Body).Decode(&resp)
+	require.NoError(t, err)
+	assert.Equal(t, "email address has not been verified", resp["error"])
+}

services/api-gateway/cmd/main.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
+	"net/url"
 	"strings"
 	"time"
 
@@ -89,14 +90,16 @@ func run(logger *slog.Logger) error {
 
 	// Build server options
 	serverOpts, eventRouter, optCleanups, err := buildServerOptions(config, logger, healthChecker, redisClient)
-	if err != nil {
-		return err
-	}
+	// Defer cleanups before checking err: buildServerOptions may return partial
+	// cleanups (e.g., ssoCleanup) even when it fails midway through wiring.
 	defer func() {
 		for _, cleanup := range optCleanups {
 			cleanup()
 		}
 	}()
+	if err != nil {
+		return err
+	}
 
 	// Create server
 	server := gateway.NewServer(config, logger, nil, serverOpts...)
@@ -141,9 +144,16 @@ func initRedisAndHealth(config *gateway.Config, dbPool *db.PostgresPool, logger
 	var redisClient *redis.Client
 	var cleanup func()
 	if config.RedisURL != "" {
-		redisClient = redis.NewClient(&redis.Options{
-			Addr: config.RedisURL,
-		})
+		opt, err := redis.ParseURL(config.RedisURL)
+		if err != nil {
+			redacted := "<unparseable>"
+			if u, parseErr := url.Parse(config.RedisURL); parseErr == nil {
+				redacted = u.Redacted()
+			}
+			logger.Warn("redis URL parse failed, falling back to direct addr", "url", redacted, "error", err)
+			opt = &redis.Options{Addr: config.RedisURL}
+		}
+		redisClient = redis.NewClient(opt)
 		cleanup = func() { _ = redisClient.Close() }
 
 		if err := redisClient.Ping(context.Background()).Err(); err != nil {

services/api-gateway/verification_handler.go

@@ -199,6 +199,9 @@ func (h *VerificationHandler) issueResendVerificationToken(ctx context.Context,
 
 	identity, err := h.identityRepo.FindByEmail(tenantCtx, req.Email)
 	if err != nil {
+		if !errors.Is(err, identitydomain.ErrIdentityNotFound) {
+			h.logger.ErrorContext(ctx, "verification: failed to find identity by email", "error", err)
+		}
 		return
 	}
 

services/api-gateway/verification_handler_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
@@ -357,6 +358,24 @@ func TestResendVerification_RateLimited(t *testing.T) {
 	assert.Empty(t, or.entries)
 }
 
+func TestResendVerification_InternalFindByEmailError_StillReturns200(t *testing.T) {
+	ir := &stubIdentityRepo{
+		findByEmailFn: func(_ context.Context, _ string) (*identitydomain.Identity, error) {
+			return nil, errors.New("db connection lost")
+		},
+	}
+	or := &stubOutboxRepo{}
+	h := newVerificationHandler(t, ir, or)
+
+	w := postResendVerification(h, map[string]string{
+		"email":     "user@test.com",
+		"tenant_id": "test_tenant",
+	})
+	// Timing-safe: always returns 200 to prevent email enumeration.
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Empty(t, or.entries)
+}
+
 func TestResendVerification_MissingFields(t *testing.T) {
 	ir := &stubIdentityRepo{}
 	or := &stubOutboxRepo{}