
feat: implements user account recovery #5236

Merged
akhilmhdh merged 9 commits into main from feat/account-recovery
Jan 26, 2026

Conversation

@akhilmhdh (Member) commented Jan 22, 2026

Context

If you originally signed in using Google SSO and later your email address changes, the system may treat this as a new account—even if your old email still exists as an alias. Because the login is tied to Google OAuth, the new email results in a separate account instead of linking to your existing one.

Account recovery solves this by sending a verification email and allowing you to enable email-based authentication for your SSO account, so you can regain access to the original account.

Screenshots

Email Templates

SSO User Account Recovery

[Screenshot: SSO user account recovery email template]

Email User Account Recovery

[Screenshot: email user account recovery email template]

Account Recovery Steps

[Screenshots: the account recovery steps in Infisical]

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

@maidul98 (Collaborator) commented Jan 22, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total
        Open Source Security  0         0     0       0    0 issues


@greptile-apps (Contributor, bot) commented Jan 22, 2026

Greptile Summary

This PR implements a comprehensive account recovery feature that allows users to regain access to their accounts when they lose access to their SSO authentication method or need to reset their password. The implementation adds new /account-recovery endpoints and moves password reset functionality from /password/email/password-reset* to the new account recovery flow.

Key Changes:

  • New account recovery service with email-based verification flow
  • Enhanced email templates that detect and display the user's last authentication method (SSO, SAML, OIDC, LDAP)
  • Multi-step frontend wizard for account recovery (email confirmation, recovery method selection, password reset)
  • Increased token entropy from 16 to 32 bytes for improved security
  • Moved password reset endpoints from /password router to /account-recovery router

Security Improvements:

  • Timing attack prevention by running email sends in background
  • Rate limiting on all recovery endpoints
  • Password breach checking during reset
  • Proper JWT validation for token-based operations

Critical Issues Found:

  • Account takeover vulnerability: The enableEmailAuthForUser function allows enabling email authentication with only a JWT token, without requiring fresh email verification. An attacker who intercepts the recovery token could enable email auth and take over the account.
  • Case-sensitive email logic inconsistency: Database query is case-insensitive but post-filtering is case-sensitive, creating potential for confusion or enumeration.
  • Breaking API changes: Removed public endpoints /email/password-reset and /email/password-reset-verify without deprecation period.

Confidence Score: 2/5

  • This PR has a critical security vulnerability in the account recovery flow that could lead to account takeover.
  • The implementation is well-structured with good security practices (rate limiting, timing attack prevention, password validation), but contains a critical logic flaw in enableEmailAuthForUser that allows an attacker with an intercepted token to take over accounts by enabling email authentication without additional verification. Additionally, breaking API changes and case-sensitive email handling inconsistencies pose risks.
  • backend/src/services/account-recovery/account-recovery-service.ts requires immediate attention for the account takeover vulnerability. backend/src/server/routes/v1/password-router.ts needs review for API compatibility.

Important Files Changed

  • backend/src/services/account-recovery/account-recovery-service.ts: Implements core account recovery flow with email verification and auth method enabling. Minor security concern with token entropy increase.
  • backend/src/server/routes/v1/account-recovery-router.ts: Defines API endpoints for account recovery with proper rate limiting and validation.
  • backend/src/services/auth-token/auth-token-service.ts: Increases password reset token entropy from 16 to 32 bytes for improved security.
  • backend/src/server/routes/v1/password-router.ts: Removes password reset endpoints - potential breaking change that moves functionality to account-recovery endpoints.
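Two of the review points above (the case-insensitive query with a case-sensitive post-filter, and the uniform response with the email send pushed to the background) are easy to get wrong in any recovery endpoint. The TypeScript below is an example added here, not Infisical's code: it shows the inconsistent lookup beside a hardened one, and a recovery request that answers identically whether or not the address is known. Every name in it (User, USERS, findUsersByEmail, requestAccountRecovery, OUTBOX, the two template names) is an assumption made for the illustration; only the 32-byte token size comes from the PR.

```typescript
// Added example, not Infisical's code. All identifiers are hypothetical.
import { randomBytes } from "crypto";

export type AuthMethod = "email" | "google" | "saml" | "oidc" | "ldap";
export type User = { id: string; email: string; authMethod: AuthMethod };

/** Exactly one normalisation, applied wherever an address is stored or compared. */
export function normalizeEmail(raw: string): string {
  return raw.trim().toLowerCase();
}

/** Constructed in-memory user table standing in for the database. */
export const USERS: User[] = [
  { id: "u1", email: "Alice@Example.com", authMethod: "google" },
  { id: "u2", email: "bob@example.com", authMethod: "email" },
];

/**
 * The inconsistency the review describes: the "query" is case-insensitive,
 * but the post-filter compares raw strings, so a mixed-case stored address
 * is silently dropped when the user types it in lower case.
 */
export function findUsersInconsistent(users: User[], email: string): User[] {
  const fromDb = users.filter((u) => u.email.toLowerCase() === email.toLowerCase());
  return fromDb.filter((u) => u.email === email);
}

/**
 * Hardened lookup: one comparison rule. If a post-filter is ever needed
 * (for example to narrow by auth method), it must compare
 * normalizeEmail(u.email) === wanted, never the raw strings.
 */
export function findUsersByEmail(users: User[], email: string): User[] {
  const wanted = normalizeEmail(email);
  return users.filter((u) => normalizeEmail(u.email) === wanted);
}

export type RecoveryMail = {
  to: string;
  template: "sso-recovery" | "email-recovery"; // hypothetical template names
  token: string;
};

/** Queue drained by a background worker; the request handler never awaits delivery. */
export const OUTBOX: RecoveryMail[] = [];

/** 32 random bytes (the PR's token size), hex-encoded: 64 characters. */
export function mintRecoveryToken(): string {
  return randomBytes(32).toString("hex");
}

export const GENERIC_RESPONSE =
  "If an account exists for that address, a recovery email has been sent.";

/**
 * Uniform response: the caller gets the same message whether or not the
 * address is known, and the only extra work on the known-address path is a
 * push onto an in-memory queue, so delivery latency never reaches the
 * response. The template follows the account's auth method, mirroring the
 * PR's separate SSO and email recovery templates.
 */
export function requestAccountRecovery(
  email: string,
  users: User[] = USERS,
  outbox: RecoveryMail[] = OUTBOX,
): string {
  for (const u of findUsersByEmail(users, email)) {
    outbox.push({
      to: normalizeEmail(u.email),
      template: u.authMethod === "email" ? "email-recovery" : "sso-recovery",
      token: mintRecoveryToken(),
    });
  }
  return GENERIC_RESPONSE;
}

// Demonstration on the constructed table.
console.log(findUsersInconsistent(USERS, "alice@example.com").length); // 0: the account is lost
console.log(findUsersByEmail(USERS, "alice@example.com").length); // 1
console.log(
  requestAccountRecovery("alice@example.com") === requestAccountRecovery("nobody@example.com"),
); // true
```

The point of the `OUTBOX` indirection is that the handler's response does not depend on SMTP round-trip time; a worker that drains the queue can retry and log delivery failures without that signal ever reaching the client.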

@greptile-apps (Contributor, bot) left a comment

32 files reviewed, 4 comments

@victorvhs017 (Contributor) left a comment

We need to backmerge main here and update this file backend/src/services/auth/auth-signup-service.ts because a new email template was added, and it has a button to reset the password.


akhilmhdh force-pushed the feat/account-recovery branch from c54ceec to 1d6cbf3 on January 26, 2026 at 16:06
@victorvhs017 (Contributor) left a comment

LGTM!

@akhilmhdh akhilmhdh merged commit 5aba5b2 into main Jan 26, 2026
12 checks passed