UNPKG

oneie

Version:

Build apps, websites, and AI agents in English. Zero-interaction setup for AI agents (Claude Code, Cursor, Windsurf). Download to your computer, run in the cloud, deploy to the edge. Open source and free forever.

one.ie

one-ie/one

115 lines (90 loc) 4.2 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
--- title: Next Features dimension: things category: plans tags: ai related_dimensions: connections, events, people scope: global created: 2025-11-03 updated: 2025-11-03 version: 1.0.0 ai_context: | This document is part of the things dimension in the plans category. Location: one/things/plans/next-features.md Purpose: Documents next features to implement Related dimensions: connections, events, people For AI agents: Read this to understand next features. --- # Next Features to Implement ## Current Status ✅ Working: Email/password auth, password reset, session management, OAuth (GitHub & Google), Rate limiting, Email verification, Magic Links, Two-Factor Auth (TOTP) ❌ Missing: Passkeys (WebAuthn) ## Priority Implementation Order ### 1. OAuth (GitHub & Google) - ✅ COMPLETED **Status:** Social login buttons now fully functional! **Implementation:** -`src/pages/api/auth/github.ts` - GitHub OAuth initiation -`src/pages/api/auth/github/callback.ts` - GitHub OAuth callback -`src/pages/api/auth/google.ts` - Google OAuth initiation -`src/pages/api/auth/google/callback.ts` - Google OAuth callback -`convex/auth.ts` - signInWithOAuth mutation - ✅ OAuth credentials configured in `.env.local` - ✅ Social login buttons wired in SimpleSignInForm and SimpleSignUpForm ### 2. Rate Limiting - ✅ COMPLETED **Status:** Brute force protection now active! **Implementation:** - ✅ Installed `@convex-dev/rate-limiter` component - ✅ Configured in `convex/convex.config.ts` - ✅ Added to signIn (5 attempts per 15 minutes) - ✅ Added to signUp (3 attempts per hour) - ✅ Added to requestPasswordReset (3 attempts per hour) - ✅ Rate limits per email address ### 3. Email Verification - ✅ COMPLETED **Status:** Email verification system now active! **Implementation:** - ✅ Updated `convex/schema.ts` to add emailVerifications table and emailVerified field - ✅ Added `createEmailVerificationToken` internal mutation - ✅ Added `sendVerificationEmailAction` to send verification emails via Resend - ✅ Added `verifyEmail` mutation to verify email tokens - ✅ Added `isEmailVerified` query to check verification status - ✅ Updated `signUp` mutation to optionally send verification email - ✅ Created `/verify-email` page with auto-verification - ✅ Created `VerifyEmailForm` component - ✅ Verification link expires in 24 hours ### 4. Magic Links - ✅ COMPLETED **Status:** Passwordless authentication now available! **Implementation:** - ✅ Updated `convex/schema.ts` to add magicLinks table - ✅ Added `createMagicLinkToken` internal mutation - ✅ Added `sendMagicLinkEmailAction` to send magic links via Resend - ✅ Added `requestMagicLink` mutation with rate limiting (3 per hour) - ✅ Added `signInWithMagicLink` mutation for authentication - ✅ Created `/request-magic-link` page for requesting links - ✅ Created `/auth/magic-link` page with auto-authentication - ✅ Created `RequestMagicLinkForm` component - ✅ Created `MagicLinkAuth` component - ✅ Added magic link option to sign-in page - ✅ Magic links expire after 15 minutes and can only be used once ### 5. Two-Factor Auth (TOTP) - ✅ COMPLETED **Status:** Enhanced security with Google Authenticator-style 2FA! **Implementation:** - ✅ Installed `otpauth` and `qrcode` packages - ✅ Updated `convex/schema.ts` to add twoFactorAuth table - ✅ Added `setup2FA` mutation (generates secret + 10 backup codes) - ✅ Added `verify2FA` mutation to enable 2FA - ✅ Added `disable2FA` mutation with password verification - ✅ Added `get2FAStatus` query to check status - ✅ Created `TwoFactorSettings` component with QR code generation - ✅ Client-side TOTP verification with 30-second window - ✅ Backup codes for account recovery - ✅ Secure secret generation (32 characters) - ✅ Compatible with Google Authenticator, Authy, 1Password ### 6. Passkeys (WebAuthn) - LOW PRIORITY **Why:** Future-proof, but complex **Effort:** 4-6 hours **Implementation:** - WebAuthn registration - WebAuthn authentication - Passkey management UI ## Let's Start: OAuth Implementation Since social login buttons already exist, let's make them functional!