fix: harden auth token handling

storage/framework/core/auth/src/email-verification.ts

@@ -29,17 +29,26 @@ export interface EmailVerificationResult {
  */
 function generateVerificationToken(userId: number): { token: string, hash: string } {
   const nonce = randomBytes(32).toString('hex')
-  const appKey = config.app.key || 'stacks-default-key'
+  const appKey = getAppKey()
   const payload = `${userId}:${nonce}`
   const hash = createHmac('sha256', appKey).update(payload).digest('hex')
   return { token: nonce, hash }
 }
 
+function getAppKey(): string {
+  const appKey = config.app.key
+  if (typeof appKey !== 'string' || appKey.length === 0) {
+    throw new Error('[auth/email-verification] Missing config.app.key; refusing to sign verification tokens with a fallback key')
+  }
+
+  return appKey
+}
+
 /**
  * Verify a token matches the stored hash
  */
 function verifyToken(userId: number, token: string, storedHash: string): boolean {
-  const appKey = config.app.key || 'stacks-default-key'
+  const appKey = getAppKey()
   const payload = `${userId}:${token}`
   const hash = createHmac('sha256', appKey).update(payload).digest('hex')
   const a = Buffer.from(hash)

storage/framework/core/auth/src/password/reset.ts

@@ -63,6 +63,11 @@ export function passwordResets(email: string): PasswordResetActions {
     const token = generateResetToken()
     const hashedToken = await makeHash(token, { algorithm: 'bcrypt' })
 
+    await db
+      .deleteFrom('password_resets')
+      .where('email', '=', email)
+      .execute()
+
     await db
       .insertInto('password_resets')
       .values({
@@ -139,6 +144,7 @@ export function passwordResets(email: string): PasswordResetActions {
       const resetRecord = await trx
         .selectFrom('password_resets')
         .where('email', '=', email)
+        .orderBy('created_at', 'desc')
         .selectAll()
         .executeTakeFirst()