Milestone 5.4 — Password auth
Status: Shipped (P1) — signup verification + password reset
Tracking: ehx-web#12 · #29 · #30
Shipped
| Piece | Behavior |
|---|---|
| Signup | Requires password (min 8 chars) when EHX_AUTH_PASSWORD=1 (default) |
| Login | Verifies PBKDF2-SHA256 hash; returns 401 invalid_credentials on mismatch |
| Legacy | Accounts without password_hash can still email-only login when EHX_AUTH_EMAIL_LOGIN=1 |
| GET /auth/me | has_password, email_verified on account |
| M5.4.1 | Signup sends verification email; /account/verify-email?token=; POST /auth/email/verify-request to resend — ehx-api@6e10010, ehx-web@d69f9a1 (#29) |
| M5.4.2 | /account/forgot-password + /account/reset-password?token=; POST /auth/password/reset-request + reset-redeem — ehx-api@6e10010, ehx-web@d69f9a1 (#30) |
Password signup no longer auto-verifies the recovery email: it stays unverified until the user clicks the verification link, which sets email_verified_at and recovery_email_verified_at. OAuth accounts still auto-verify via trust_oauth_email.
Configuration
| Variable | Default | Notes |
|---|---|---|
| EHX_AUTH_PASSWORD | 1 | Require password on signup |
| EHX_AUTH_EMAIL_LOGIN | 1 | Allow email-only for legacy accounts without password |
| EHX_RESEND_API_KEY / EHX_EMAIL_FROM | — | Required in production to send verify/reset mail (else logged) |
| EHX_APP_BASE_URL | https://ehxlabs.xyz | Links in transactional email |
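
Added example, not code from ehx-api: a Python sketch of the login decision in the Shipped table, showing that the legacy email-only path only applies when password_hash is absent. The stored-hash format, iteration count, function names, the 200/"ok" success value and the 401 for an unknown account are assumptions; the page states only PBKDF2-SHA256, the 8-character minimum and 401 invalid_credentials on mismatch.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; the page does not state one
DENY = (401, "invalid_credentials")

def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' (assumed format)."""
    if len(password) < 8:  # page: signup requires min 8 chars
        raise ValueError("password_too_short")
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except (ValueError, OverflowError):  # malformed record: fail closed
        return False

def login(account: dict | None, password: str | None,
          email_login_enabled: bool) -> tuple[int, str]:
    """Return (HTTP status, code) for a login attempt.

    email_login_enabled stands in for EHX_AUTH_EMAIL_LOGIN=1.
    """
    if account is None:  # assumed: unknown email gets the same 401
        return DENY
    stored = account.get("password_hash")
    if stored:
        # An account that has a password never falls through to email-only.
        if password and verify_password(password, stored):
            return 200, "ok"
        return DENY
    # Legacy account without password_hash: email-only, if the flag allows it.
    return (200, "ok") if email_login_enabled else DENY
```
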
Not yet shipped
- OAuth (Google, GitHub) — Auth0 path exists separately
- Session revoke all devices (M5.5.1)