Email verification

.env.example

@@ -6,6 +6,8 @@ POSTGRES_PORT=5432
 
 DATABASE_PRISMA_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhost:${POSTGRES_PORT}/${POSTGRES_DATABASE}"
 
+SENDGRID_API_KEY=""
+VERIFICATION_FROM_EMAIL="example@gmail.com"
 
 # Windows Version:
 # Strings must be in double quotes on Windows, and template strings cannot be used
@@ -15,4 +17,7 @@ DATABASE_PRISMA_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhos
 # POSTGRES_DATABASE="good-dog"
 # POSTGRES_PORT=5432
 
-# DATABASE_PRISMA_URL="postgresql://user:password@localhost:5432/good-dog"
+# DATABASE_PRISMA_URL="postgresql://user:password@localhost:5432/good-dog"
+
+# SENDGRID_API_KEY=""
+# VERIFICATION_FROM_EMAIL="example@gmail.com"

packages/db/prisma/migrations/20241102200137_email_verification_code/migration.sql

@@ -0,0 +1,13 @@
+-- CreateTable
+CREATE TABLE "EmailVerificationCode" (
+    "email" TEXT NOT NULL,
+    "code" TEXT NOT NULL,
+    "emailConfirmed" BOOLEAN NOT NULL DEFAULT false,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "EmailVerificationCode_pkey" PRIMARY KEY ("email")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "EmailVerificationCode_email_key" ON "EmailVerificationCode"("email");

packages/db/prisma/schema.prisma

@@ -31,3 +31,11 @@ model Session {
   createdAt DateTime @default(now())
   expiresAt DateTime
 }
+
+model EmailVerificationCode {
+  email          String   @id @unique
+  code           String
+  emailConfirmed Boolean  @default(false)
+  createdAt      DateTime @default(now())
+  expiresAt      DateTime
+}

packages/email/eslint.config.js

@@ -0,0 +1,9 @@
+import baseConfig from "@good-dog/eslint/base";
+
+/** @type {import('typescript-eslint').Config} */
+export default [
+  {
+    ignores: [],
+  },
+  ...baseConfig,
+];

packages/email/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "@good-dog/email",
+  "private": true,
+  "version": "0.1.0",
+  "type": "module",
+  "exports": {
+    "./verification-email": "./src/verification-email.ts",
+    "./email-service": "./src/email-service.ts"
+  },
+  "license": "MIT",
+  "scripts": {
+    "clean": "rm -rf .turbo node_modules",
+    "format": "prettier --check . --ignore-path ../../.gitignore",
+    "lint": "eslint",
+    "typecheck": "tsc --noEmit --emitDeclarationOnly false"
+  },
+  "devDependencies": {
+    "@good-dog/eslint": "workspace:*",
+    "@good-dog/prettier": "workspace:*",
+    "@good-dog/typescript": "workspace:*",
+    "eslint": "9.10.0",
+    "prettier": "3.2.5",
+    "typescript": "5.4.5"
+  },
+  "prettier": "@good-dog/prettier",
+  "dependencies": {
+    "@good-dog/env": "workspace:*",
+    "@sendgrid/mail": "^8.1.4"
+  }
+}

packages/email/src/email-service.ts

@@ -0,0 +1,39 @@
+import sgMail from "@sendgrid/mail";
+
+// These functions are an abstraction over the sgMail module from sendgrid. The main
+// purpose is to throw runtime errors for blank api keys/from emails so we are alerted of
+// the issue ahead of time.
+
+function setApiKey(apiKey: string) {
+  if (apiKey == "") {
+    throw new TypeError("Invalid api key: Expected a non-empty string.");
+  }
+
+  sgMail.setApiKey(apiKey);
+}
+
+interface EmailMessage {
+  to: string;
+  from: string;
+  subject: string;
+  html: string;
+}
+
+async function send(msg: EmailMessage): Promise<boolean> {
+  if (msg.from == "") {
+    throw new TypeError("Invalid from email: Expected a non-empty string.");
+  }
+
+  try {
+    await sgMail.send(msg);
+    return true;
+  } catch (error) {
+    void error;
+    return false;
+  }
+}
+
+export default {
+  setApiKey,
+  send,
+};

packages/email/src/verification-email.ts

@@ -0,0 +1,18 @@
+import emailService from "@good-dog/email/email-service";
+import { env } from "@good-dog/env";
+
+export async function sendEmailVerification(
+  toEmail: string,
+  code: string,
+): Promise<boolean> {
+  emailService.setApiKey(env.SENDGRID_API_KEY ?? "");
+
+  const msg = {
+    to: toEmail,
+    from: env.VERIFICATION_FROM_EMAIL ?? "",
+    subject: "Verify Your Email - Good Dog Licensing",
+    html: `<p>Your Verification Code: <strong>${code}</strong></p>`,
+  };
+
+  return await emailService.send(msg);
+}

packages/email/tsconfig.json

@@ -0,0 +1,10 @@
+{
+  "extends": "@good-dog/typescript/base.json",
+  "compilerOptions": {
+    "tsBuildInfoFile": "node_modules/.cache/tsbuildinfo.json",
+    "lib": ["es2022"],
+    "types": ["bun"]
+  },
+  "include": ["*.ts", "src"],
+  "exclude": ["node_modules"]
+}

packages/env/src/env.js

@@ -10,6 +10,8 @@ export const env = createEnv({
    */
   runtimeEnv: {
     NODE_ENV: process.env.NODE_ENV,
+    SENDGRID_API_KEY: process.env.SENDGRID_API_KEY,
+    VERIFICATION_FROM_EMAIL: process.env.VERIFICATION_FROM_EMAIL,
   },
 
   /**
@@ -20,6 +22,8 @@ export const env = createEnv({
     NODE_ENV: z
       .enum(["development", "test", "production"])
       .default("development"),
+    SENDGRID_API_KEY: z.string().optional(),
+    VERIFICATION_FROM_EMAIL: z.string().email().optional(),
   },
 
   /**
@@ -30,6 +34,7 @@ export const env = createEnv({
   client: {
     // NEXT_PUBLIC_CLIENTVAR: z.string(),
   },
+
   /**
    * Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation. This is especially
    * useful for Docker builds.

packages/trpc/package.json

@@ -27,6 +27,7 @@
   "dependencies": {
     "@good-dog/auth": "workspace:*",
     "@good-dog/db": "workspace:*",
+    "@good-dog/email": "workspace:*",
     "@good-dog/env": "workspace:*",
     "@tanstack/react-query": "5.56.2",
     "@trpc/client": "11.0.0-rc.544",

packages/trpc/src/internal/router.ts

@@ -1,5 +1,7 @@
 import {
+  confirmEmailProcedure,
   deleteAccountProcedure,
+  sendEmailVerificationProcedure,
   signInProcedure,
   signOutProcedure,
   signUpProcedure,
@@ -8,6 +10,8 @@ import { getAuthenticatedUserProcedure } from "../procedures/user";
 import { createTRPCRouter } from "./init";
 
 export const appRouter = createTRPCRouter({
+  sendEmailVerification: sendEmailVerificationProcedure,
+  confirmEmail: confirmEmailProcedure,
   signIn: signInProcedure,
   signOut: signOutProcedure,
   signUp: signUpProcedure,

packages/trpc/src/procedures/auth.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 
 import { deleteSessionCookie, setSessionCookie } from "@good-dog/auth/cookies";
 import { comparePassword, hashPassword } from "@good-dog/auth/password";
+import { sendEmailVerification } from "@good-dog/email/verification-email";
 
 import {
   authenticatedProcedureBuilder,
@@ -12,6 +13,126 @@ import {
 const getNewSessionExpirationDate = () =>
   new Date(Date.now() + 60_000 * 60 * 24 * 30);
 
+const getNewEmailVerificationCodeExpirationDate = () =>
+  new Date(Date.now() + 60_000 * 15);
+
+export const sendEmailVerificationProcedure = notAuthenticatedProcedureBuilder
+  .input(
+    z.object({
+      email: z.string().email(),
+    }),
+  )
+  .mutation(async ({ ctx, input }) => {
+    // Check if there is already an email verification code for the given email
+    const existingEmailVerificationCode =
+      await ctx.prisma.emailVerificationCode.findUnique({
+        where: {
+          email: input.email,
+        },
+      });
+    // If email already verified, throw error
+    if (existingEmailVerificationCode?.emailConfirmed) {
+      throw new TRPCError({
+        code: "BAD_REQUEST",
+        message: "Email already verified",
+      });
+    }
+    // If email not verified, delete current email verification code to create a new one
+    if (existingEmailVerificationCode !== null) {
+      await ctx.prisma.emailVerificationCode.delete({
+        where: {
+          email: input.email,
+        },
+      });
+    }
+
+    // Generate 6 digit code for email verification
+    let emailCode = "";
+    for (let i = 0; i < 6; i++) {
+      emailCode += Math.floor(Math.random() * 10);
+    }
+    // Send email. If sending fails, throw error.
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+    if (!(await sendEmailVerification(input.email, emailCode))) {
+      throw new TRPCError({
+        code: "INTERNAL_SERVER_ERROR",
+        message: `Email confirmation to ${input.email} failed to send.`,
+      });
+    }
+    // Create the email verification code in the database
+    await ctx.prisma.emailVerificationCode.create({
+      data: {
+        code: emailCode,
+        email: input.email,
+        expiresAt: getNewEmailVerificationCodeExpirationDate(),
+      },
+    });
+
+    return {
+      message: `Email verification code sent to ${input.email}`,
+    };
+  });
+
+export const confirmEmailProcedure = notAuthenticatedProcedureBuilder
+  .input(
+    z.object({
+      email: z.string().email(),
+      code: z.string(),
+    }),
+  )
+  .mutation(async ({ ctx, input }) => {
+    // Get email verification from database
+    const emailVerificationCode =
+      await ctx.prisma.emailVerificationCode.findUnique({
+        where: {
+          email: input.email,
+        },
+      });
+
+    // If email already verified, return a success
+    if (emailVerificationCode?.emailConfirmed) {
+      return {
+        message: `Email was successfully verified. Email: ${input.email}.`,
+      };
+    }
+
+    // If email verification not found, throw error
+    if (emailVerificationCode === null) {
+      throw new TRPCError({
+        code: "NOT_FOUND",
+        message: `${input.email} is not waiting to be confirmed.`,
+      });
+    }
+    // If given code is wrong, throw error
+    if (input.code !== emailVerificationCode.code) {
+      throw new TRPCError({
+        code: "BAD_REQUEST",
+        message: `Given code is incorrect for ${input.email}`,
+      });
+    }
+    // If given code is expired, throw error
+    if (emailVerificationCode.expiresAt < new Date()) {
+      throw new TRPCError({
+        code: "BAD_REQUEST",
+        message: "Given code is expired.",
+      });
+    }
+
+    // If here, the given code was valid, so we can update the emailVerificationCode.
+    await ctx.prisma.emailVerificationCode.update({
+      where: {
+        email: input.email,
+      },
+      data: {
+        emailConfirmed: true,
+      },
+    });
+
+    return {
+      message: `Email was successfully verified. Email: ${input.email}.`,
+    };
+  });
+
 export const signUpProcedure = notAuthenticatedProcedureBuilder
   .input(
     z.object({
@@ -21,6 +142,21 @@ export const signUpProcedure = notAuthenticatedProcedureBuilder
     }),
   )
   .mutation(async ({ ctx, input }) => {
+    // Throw error if email is not verified
+    const emailVerificationCode =
+      await ctx.prisma.emailVerificationCode.findUnique({
+        where: {
+          email: input.email,
+        },
+      });
+
+    if (!emailVerificationCode?.emailConfirmed) {
+      throw new TRPCError({
+        code: "FORBIDDEN",
+        message: "Email has not been verified.",
+      });
+    }
+
     const existingUserWithEmail = await ctx.prisma.user.findUnique({
       where: {
         email: input.email,
@@ -64,7 +200,7 @@ export const signUpProcedure = notAuthenticatedProcedureBuilder
     setSessionCookie(session.id, session.expiresAt);
 
     return {
-      message: `Successfully signed up and logged in as ${input.email}`,
+      message: `Successfully signed up and logged in as ${input.email}.`,
     };
   });