Merge branch 'dev' into emu-with-a-q

Author: mantrakp04

apps/backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/backend",
-  "version": "2.8.77",
+  "version": "2.8.78",
   "repository": "https://github.com/stack-auth/stack-auth",
   "private": true,
   "type": "module",
@@ -62,7 +62,7 @@
     "@openrouter/ai-sdk-provider": "2.2.3",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/api-logs": "^0.53.0",
-    "@opentelemetry/auto-instrumentations-node": "^0.67.3",
+    "@opentelemetry/auto-instrumentations-node": "^0.71.0",
     "@opentelemetry/context-async-hooks": "^1.26.0",
     "@opentelemetry/core": "^1.26.0",
     "@opentelemetry/exporter-trace-otlp-http": "^0.53.0",
@@ -79,16 +79,16 @@
     "@prisma/extension-read-replicas": "^0.5.0",
     "@prisma/instrumentation": "^7.0.0",
     "@react-email/render": "^1.2.1",
-    "@sentry/nextjs": "^10.11.0",
-    "@simplewebauthn/server": "^11.0.0",
+    "@sentry/nextjs": "^10.45.0",
+    "@simplewebauthn/server": "^13.3.0",
     "@stackframe/stack": "workspace:*",
     "@stackframe/stack-shared": "workspace:*",
     "@upstash/qstash": "^2.8.2",
     "@vercel/functions": "^2.0.0",
     "@vercel/otel": "^1.10.4",
     "@vercel/sandbox": "^1.2.0",
     "ai": "^6.0.0",
-    "bcrypt": "^5.1.1",
+    "bcrypt": "^6.0.0",
     "cel-js": "^0.8.2",
     "chokidar-cli": "^3.0.0",
     "dotenv": "^16.4.5",
@@ -111,7 +111,7 @@
     "semver": "^7.6.3",
     "sharp": "^0.34.4",
     "stripe": "^18.3.0",
-    "svix": "^1.25.0",
+    "svix": "^1.89.0",
     "vite": "^6.1.0",
     "yaml": "^2.4.5",
     "yup": "^1.7.1",

apps/backend/prisma/migrations/20260308000000_add_signup_fraud_protection/migration.sql

@@ -10,6 +10,10 @@ ALTER TABLE "ProjectUser"
   ADD COLUMN "signUpEmailNormalized" TEXT,
   ADD COLUMN "signUpEmailBase" TEXT;
 
+-- Backward compatibility during rollout: old backends omit `signedUpAt` on
+-- INSERT, so set a default immediately in the first migration.
+ALTER TABLE "ProjectUser" ALTER COLUMN "signedUpAt" SET DEFAULT CURRENT_TIMESTAMP;
+
 -- Add the risk score bounds without validating existing rows yet.
 ALTER TABLE "ProjectUser"
   ADD CONSTRAINT "ProjectUser_risk_score_bot_range"

apps/backend/prisma/migrations/20260308000002_finalize_signup_fraud_protection/migration.sql

@@ -28,8 +28,6 @@ ALTER TABLE "ProjectUser" VALIDATE CONSTRAINT "ProjectUser_risk_score_bot_range"
 -- RUN_OUTSIDE_TRANSACTION_SENTINEL
 ALTER TABLE "ProjectUser" VALIDATE CONSTRAINT "ProjectUser_risk_score_free_trial_abuse_range";
 
--- Enforce `signedUpAt` after the backfill is complete. We intentionally require
--- inserts to provide the value explicitly instead of hiding that behavior in a trigger.
 -- SPLIT_STATEMENT_SENTINEL
 -- SINGLE_STATEMENT_SENTINEL
 -- RUN_OUTSIDE_TRANSACTION_SENTINEL

apps/backend/prisma/migrations/20260308000002_finalize_signup_fraud_protection/tests/finalized-signup-fraud-protection.ts

@@ -71,7 +71,7 @@ export const postMigration = async (sql: Sql) => {
   `;
   expect(colInfo).toHaveLength(1);
   expect(colInfo[0].is_nullable).toBe('NO');
-  expect(colInfo[0].column_default).toBe(null);
+  expect(colInfo[0].column_default).toBe('CURRENT_TIMESTAMP');
 
   await sql`
     INSERT INTO "Project" ("id", "createdAt", "updatedAt", "displayName", "description", "isProductionMode")
@@ -82,7 +82,9 @@ export const postMigration = async (sql: Sql) => {
     VALUES (${tenancyId}::uuid, NOW(), NOW(), ${projectId}, 'main', 'TRUE'::"BooleanTrue")
   `;
 
-  await expect(sql`
+  // INSERT without signedUpAt should succeed — DEFAULT CURRENT_TIMESTAMP fills it in.
+  const defaultUserId = randomUUID();
+  await sql`
     INSERT INTO "ProjectUser" (
       "projectUserId",
       "tenancyId",
@@ -92,16 +94,25 @@ export const postMigration = async (sql: Sql) => {
       "updatedAt",
       "lastActiveAt"
     ) VALUES (
-      ${userId}::uuid,
+      ${defaultUserId}::uuid,
       ${tenancyId}::uuid,
       ${projectId},
       'main',
       NOW(),
       NOW(),
       NOW()
     )
-  `).rejects.toThrow(/signedUpAt/);
+  `;
+
+  const defaultRows = await sql`
+    SELECT "signedUpAt"
+    FROM "ProjectUser"
+    WHERE "projectUserId" = ${defaultUserId}::uuid
+  `;
+  expect(defaultRows).toHaveLength(1);
+  expect(defaultRows[0].signedUpAt).not.toBeNull();
 
+  // INSERT with explicit signedUpAt should use the provided value.
   await sql`
     INSERT INTO "ProjectUser" (
       "projectUserId",

apps/backend/prisma/migrations/20260323000000_add_signed_up_at_default/migration.sql

@@ -55,7 +55,13 @@ export const POST = createSmartRouteHandler({
       timeout: REGISTRATION_TIMEOUT_MS,
     };
 
-    const registrationOptions = await generateRegistrationOptions(opts);
+    const registrationOptionsRaw = await generateRegistrationOptions(opts);
+    const registrationOptions = registrationOptionsRaw.hints != null && registrationOptionsRaw.hints.length === 0
+      ? (() => {
+        const { hints: _, ...rest } = registrationOptionsRaw;
+        return rest;
+      })()
+      : registrationOptionsRaw;
 
     const { code } = await registerVerificationCodeHandler.createCode({
       tenancy,

apps/backend/src/app/api/latest/auth/passkey/initiate-passkey-registration/route.tsx

@@ -75,7 +75,7 @@ export const registerVerificationCodeHandler = createVerificationCodeHandler({
     });
 
 
-    if (!verification.verified || !verification.registrationInfo) {
+    if (!verification.verified) {
       throw new KnownErrors.PasskeyRegistrationFailed("Passkey registration failed because the verification response is invalid");
     }
 

apps/backend/src/app/api/latest/auth/passkey/register/verification-code-handler.tsx

@@ -8,12 +8,11 @@ import { getPrismaClientForTenancy, globalPrismaClient, PrismaClientTransaction
 import { withTraceSpan } from "@/utils/telemetry";
 import { allPromisesAndWaitUntilEach } from "@/utils/vercel";
 import { groupBy } from "@stackframe/stack-shared/dist/utils/arrays";
-import { getEnvBoolean, getEnvVariable, getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
+import { getEnvBoolean, getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
 import { captureError, errorToNiceString, StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { Json } from "@stackframe/stack-shared/dist/utils/json";
 import { filterUndefined } from "@stackframe/stack-shared/dist/utils/objects";
 import { Result } from "@stackframe/stack-shared/dist/utils/results";
-import { traceSpan } from "@stackframe/stack-shared/dist/utils/telemetry";
 import { randomUUID } from "node:crypto";
 import { checkEmailWithEmailable, type EmailableCheckResult } from "./emailable";
 import { lowLevelSendEmailDirectWithoutRetries } from "./emails-low-level";
@@ -66,14 +65,10 @@ async function verifyEmailDeliverability(
 ): Promise<EmailableCheckResult> {
   // Skip deliverability check if requested or using non-shared email config
   if (shouldSkipDeliverabilityCheck || emailConfigType !== "shared") {
-    return { status: "ok", emailableScore: null };
+    return { status: "deliverable", emailableScore: null };
   }
 
   const result = await checkEmailWithEmailable(email);
-  // Email queue should not block on emailable failures — treat errors as deliverable
-  if (result.status === "error") {
-    return { status: "ok", emailableScore: null };
-  }
   return result;
 }
 

apps/backend/src/lib/email-queue-step.tsx

@@ -1,5 +1,6 @@
 import { getEnvVariable, getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
 import { captureError, StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
+import { wait } from "@stackframe/stack-shared/dist/utils/promises";
 import { traceSpan } from "@stackframe/stack-shared/dist/utils/telemetry";
 import createEmailableClient from "emailable";
 
@@ -12,9 +13,8 @@ const VERIFY_STATES = ["deliverable", "undeliverable", "risky", "unknown"] as co
 type EmailableVerifyResponse = ReturnType<typeof validateVerifyResponse>;
 
 export type EmailableCheckResult =
-  | { status: "ok", emailableScore: number | null }
+  | { status: "deliverable", emailableScore: number | null }
   | { status: "not-deliverable", emailableResponse: EmailableVerifyResponse, emailableScore: number | null }
-  | { status: "error", error: unknown, emailableScore: null };
 
 
 // ── Helpers ────────────────────────────────────────────────────────────
@@ -41,17 +41,15 @@ function validateVerifyResponse(value: unknown) {
 
 async function verifyWithRetries(verifyFn: () => Promise<unknown>, maxAttempts: number, delayBaseMs: number) {
   for (let i = 0; i < maxAttempts; i++) {
-    try {
-      return await verifyFn();
-    } catch (error) {
-      const code = (error != null && typeof error === "object" && !Array.isArray(error))
-        ? Reflect.get(error, "code")
-        : null;
-      if (code !== 249) throw error; // only retry rate-limit errors
-      if (i < maxAttempts - 1) {
-        await new Promise(r => setTimeout(r, (Math.random() + 0.5) * delayBaseMs * (2 ** i)));
+    const res: any = await verifyFn();
+    if (!("state" in res)) {
+      if ("message" in res && res.message.includes("Your request is taking longer than normal")) {
+        await wait((Math.random() + 0.5) * delayBaseMs * (2 ** i));
+        continue;
       }
+      throw new StackAssertionError("Emailable returned an unexpected response body", { response: res });
     }
+    return res;
   }
   throw new StackAssertionError("Timed out while verifying email address with Emailable");
 }
@@ -81,46 +79,47 @@ export async function checkEmailWithEmailable(
     _clientFactory?: (apiKey: string) => { verify: (email: string) => Promise<unknown> },
   },
 ): Promise<EmailableCheckResult> {
-  const rawApiKey = getEnvVariable("STACK_EMAILABLE_API_KEY", "");
-  const emailDomain = email.split("@")[1]?.toLowerCase() ?? "";
+  try {
+    const rawApiKey = getEnvVariable("STACK_EMAILABLE_API_KEY", "");
+    const emailDomain = email.split("@")[1]?.toLowerCase() ?? "";
+
+    // Always reject the explicit test domain, regardless of API key
+    if (emailDomain === EMAILABLE_NOT_DELIVERABLE_TEST_DOMAIN) {
+      const testResponse = buildTestUndeliverableResponse(email);
+      return { status: "not-deliverable", emailableResponse: testResponse, emailableScore: testResponse.score };
+    }
 
-  // Always reject the explicit test domain, regardless of API key
-  if (emailDomain === EMAILABLE_NOT_DELIVERABLE_TEST_DOMAIN) {
-    const testResponse = buildTestUndeliverableResponse(email);
-    return { status: "not-deliverable", emailableResponse: testResponse, emailableScore: testResponse.score };
-  }
+    if (!rawApiKey) {
+      if (["development", "test"].includes(getNodeEnvironment())) {
+        return { status: "deliverable", emailableScore: null };
+      }
+      throw new StackAssertionError("STACK_EMAILABLE_API_KEY must not be empty; set it to 'disable_email_validation' to disable email validation");
+    }
 
-  if (!rawApiKey) {
-    if (["development", "test"].includes(getNodeEnvironment())) {
-      return { status: "ok", emailableScore: null };
+    const apiKey = rawApiKey === "disable_email_validation" ? "" : rawApiKey;
+    if (!apiKey || isReservedTestDomain(emailDomain)) {
+      return { status: "deliverable", emailableScore: null };
     }
-    throw new StackAssertionError("STACK_EMAILABLE_API_KEY must not be empty; set it to 'disable_email_validation' to disable email validation");
-  }
 
-  const apiKey = rawApiKey === "disable_email_validation" ? "" : rawApiKey;
-  if (!apiKey || isReservedTestDomain(emailDomain)) {
-    return { status: "ok", emailableScore: null };
-  }
+    const clientFactory = options?._clientFactory ?? createEmailableClient;
+    const retryDelayBase = options?.retryExponentialDelayBaseMs ?? RETRY_BACKOFF_BASE_MS;
 
-  const clientFactory = options?._clientFactory ?? createEmailableClient;
-  const retryDelayBase = options?.retryExponentialDelayBaseMs ?? RETRY_BACKOFF_BASE_MS;
-
-  return await traceSpan("checking email address with Emailable", async () => {
-    const client = clientFactory(apiKey);
-    let raw: unknown;
-    try {
-      raw = await verifyWithRetries(() => client.verify(email), 4, retryDelayBase);
-    } catch (error) {
-      captureError("emailable-api-error", error);
-      return { status: "error", error, emailableScore: null };
-    }
-    const response = validateVerifyResponse(raw);
+    return await traceSpan("checking email address with Emailable", async () => {
+      const client = clientFactory(apiKey);
+      const raw = await verifyWithRetries(() => client.verify(email), 4, retryDelayBase);
+      console.log("Received emailable response", { email, raw });
+      const response = validateVerifyResponse(raw);
 
-    if (response.state === "undeliverable" || response.disposable) {
-      return { status: "not-deliverable", emailableResponse: response, emailableScore: response.score };
-    }
-    return { status: "ok", emailableScore: response.score };
-  });
+      if (response.state === "undeliverable") {
+        return { status: "not-deliverable", emailableResponse: response, emailableScore: response.score };
+      }
+      return { status: "deliverable", emailableScore: response.score };
+    });
+  } catch (error) {
+    captureError("emailable-api-error", new StackAssertionError("Error while checking email address with Emailable", { cause: error, email, options }));
+    // If there's an error, let's pretend the email is deliverable, albeit with the score unavailable
+    return { status: "deliverable", emailableScore: null };
+  }
 }
 
 
@@ -157,17 +156,29 @@ import.meta.vitest?.describe("checkEmailWithEmailable(...)", () => {
 
   test("returns ok for deliverable email", async ({ expect }) => {
     const result = await checkEmailWithEmailable("test@gmail.com", { _clientFactory: deliverableClient });
-    expect(result.status).toBe("ok");
+    expect(result).toMatchObject({ status: "deliverable", emailableScore: 95 });
+  });
+
+  test("successfully retries and verifies deliverable email if Emailable asks for a retry the first time", async ({ expect }) => {
+    let retryCount = 0;
+    const retryClient = fakeClient(async () => retryCount++ === 0 ? {
+      message: "Your request is taking longer than normal. Please send your request again."
+    } : {
+      state: "deliverable", disposable: false, score: 95, domain: "gmail.com", email: "test@gmail.com", user: "test",
+    });
+    const result = await checkEmailWithEmailable("test@gmail.com", { _clientFactory: retryClient });
+    expect(retryCount).toBe(2);
+    expect(result).toMatchObject({ status: "deliverable", emailableScore: 95 });
   });
 
-  test("returns error on API error", async ({ expect }) => {
+  test("returns deliverable on API error", async ({ expect }) => {
     const result = await checkEmailWithEmailable("test@gmail.com", { _clientFactory: errorClient });
-    expect(result.status).toBe("error");
+    expect(result).toMatchObject({ status: "deliverable", emailableScore: null });
   });
 
-  test("throws on malformed Emailable response bodies", async ({ expect }) => {
+  test("returns deliverable on malformed Emailable response bodies", async ({ expect }) => {
     const malformedClient = fakeClient(async () => "definitely not an object");
-    await expect(checkEmailWithEmailable("test@gmail.com", { _clientFactory: malformedClient }))
-      .rejects.toThrowError("Emailable returned a non-object response body");
+    const result = await checkEmailWithEmailable("test@gmail.com", { _clientFactory: malformedClient });
+    expect(result).toMatchObject({ status: "deliverable", emailableScore: null });
   });
 });