[Feature]: change email address

[wajeht]

Add Email Change to Settings Page

Goal

Let users change their email address from the settings page.

Tasks

1. Database migration

• Add columns to users table: pending_email, pending_email_token, pending_email_expires_at

2. Update types (src/types.ts)

• Add new fields to User interface

3. Update repository (src/db/user.ts)

• Add findByPendingEmailToken(token: string) method

4. Update form (src/routes/auth/settings.html)

• Change email display (line 51-52) from read-only div to text input

5. Update POST handler (src/routes/auth/auth.ts)

• Add email to updateNameValidation schema (rename to updateSettingsValidation)
• If email !== req.user.email:
  • Check new email isn't already in use (findByEmail)
  • Generate token via context.helpers.generateToken()
  • Set expiry using VERIFICATION_TOKEN_EXPIRY_MS constant
  • Store pending_email, pending_email_token, pending_email_expires_at
  • Send verification email to new address

6. Add endpoint (GET /verify-email-change)

• Add middleware.authRateLimitMiddleware
• Accept ?token=xxx query param
• Find user by pending_email_token
• Check token hasn't expired
• Update email field, clear pending fields
• Destroy session (req.session.destroy())
• Redirect to /login with flash message

Reference

• Existing /verify-email endpoint (auth.ts:349) for verification pattern
• VERIFICATION_TOKEN_EXPIRY_MS constant (auth.ts:9)