feat(email): PWA login sends code only; drop admin link from alert emails #185

Merged
developer merged 1 commits from feature/pwa-login-code-only into development 2026-07-05 20:26:04 +00:00
Owner

Two email changes (both requested by the owner in one pass).

1. Code-only login from an installed PWA

A login requested while running as a standalone PWA now omits the one-tap confirm link from the email. That link opens in a separate browser whose minted session cannot reach the PWA (separate storage), so the login stranded there while the PWA sat on the form. Now the PWA-origin login email carries only the six-digit code, typed in the same window.

  • Client sends a pwa flag (isStandalone()) on the email-code request — new EmailRequestRequest.pwa FBS field, threaded through the gateway to the backend.
  • Backend omits the deeplink when pwa is set, reusing the existing deletion-code link-omission path (issueCode omitLink).
  • Plain-browser logins keep the one-tap link (unchanged). No polling, no DB migration (the flag only shapes the email; it is not stored).

2. Security: no admin link in alert emails

The operator alert digest (internal/adminalert) embedded a direct /_gm admin-console URL. An admin URL must never travel in an email, where a mail provider could cache or index it. Removed the console link entirely (field + param + digest line + the main.go construction); the operator opens the console directly.

Tests

  • inttest: a PWA login email omits the one-tap link; a non-PWA login keeps it.
  • codec: round-trips the new pwa field.
  • adminalert: the digest test flipped to guard the admin link is absent.

Verify (local, all green)

go build/vet/test ./backend/... ./gateway/... + gofmt; the email integration suite on a real Postgres; pnpm check (0 errors) + test:unit (419) + build + bundle-size (110.8/112) + full e2e (196). FBS regen churn limited to the one table.

Docs

ARCHITECTURE (the deeplink PWA exception + the alert-email no-link note), FUNCTIONAL (+ru) the email-login-from-PWA note.

Two email changes (both requested by the owner in one pass). ## 1. Code-only login from an installed PWA A login requested while running as a standalone **PWA** now omits the one-tap confirm link from the email. That link opens in a separate browser whose minted session cannot reach the PWA (separate storage), so the login stranded there while the PWA sat on the form. Now the PWA-origin login email carries **only the six-digit code**, typed in the same window. - Client sends a `pwa` flag (`isStandalone()`) on the email-code request — new `EmailRequestRequest.pwa` FBS field, threaded through the gateway to the backend. - Backend omits the deeplink when `pwa` is set, reusing the existing deletion-code link-omission path (`issueCode` `omitLink`). - **Plain-browser logins keep the one-tap link** (unchanged). No polling, no DB migration (the flag only shapes the email; it is not stored). ## 2. Security: no admin link in alert emails The operator alert digest (`internal/adminalert`) embedded a direct `/_gm` admin-console URL. An admin URL must never travel in an email, where a mail provider could cache or index it. Removed the console link entirely (field + param + digest line + the `main.go` construction); the operator opens the console directly. ## Tests - inttest: a PWA login email omits the one-tap link; a non-PWA login keeps it. - codec: round-trips the new `pwa` field. - adminalert: the digest test flipped to **guard** the admin link is absent. ## Verify (local, all green) `go build/vet/test ./backend/... ./gateway/...` + `gofmt`; the email **integration** suite on a real Postgres; `pnpm check` (0 errors) + `test:unit` (419) + `build` + **bundle-size** (110.8/112) + full **e2e** (196). FBS regen churn limited to the one table. ## Docs ARCHITECTURE (the deeplink PWA exception + the alert-email no-link note), FUNCTIONAL (+ru) the email-login-from-PWA note.
developer added 1 commit 2026-07-05 20:13:42 +00:00
feat(email): PWA login sends code only; drop admin link from alert emails
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 15s
CI / ui (pull_request) Successful in 1m8s
CI / conformance (pull_request) Successful in 9s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m40s
061366da5a
Two email changes, per the owner:

1. Code-only login from an installed PWA. A login requested while running as a
   standalone PWA now omits the one-tap confirm link from the email — the link
   would open in a separate browser whose minted session cannot reach the PWA,
   stranding the login. The code is typed in the same window instead. The client
   sends a `pwa` flag (isStandalone) on the email-code request (a new FBS field,
   threaded through the gateway); the backend omits the deeplink when it is set,
   reusing the existing deletion-code link-omission path. Non-PWA browser logins
   keep the one-tap link. No polling, no migration.

2. Security: the operator alert digest no longer embeds the admin-console (/_gm)
   URL. An admin link must never travel in an email, where a mail provider could
   cache or index it; the operator opens the console directly.

Tests: an inttest asserting the PWA login email omits the link (and a browser one
keeps it); a codec round-trip of the new pwa field; the alert-digest test flipped
to guard the admin link is absent. Docs: ARCHITECTURE + FUNCTIONAL (+ru).
owner approved these changes 2026-07-05 20:25:35 +00:00
developer merged commit a2c79c149a into development 2026-07-05 20:26:04 +00:00
developer deleted branch feature/pwa-login-code-only 2026-07-05 20:26:04 +00:00
Sign in to join this conversation.
No Reviewers
No Label
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: developer/scrabble-game#185