diff --git a/backend/package-lock.json b/backend/package-lock.json
index a811ffc..6017748 100644
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -16,6 +16,7 @@
"multer": "^2.1.1",
"mysql2": "^3.20.0",
"nanoid": "^5.1.7",
+ "nodemailer": "^8.0.4",
"session-file-store": "^1.5.0",
"sharp": "^0.34.5",
"zod": "^4.3.6"
@@ -1594,6 +1595,15 @@
"node": ">= 0.6"
}
},
+ "node_modules/nodemailer": {
+ "version": "8.0.4",
+ "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.4.tgz",
+ "integrity": "sha512-k+jf6N8PfQJ0Fe8ZhJlgqU5qJU44Lpvp2yvidH3vp1lPnVQMgi4yEEMPXg5eJS1gFIJTVq1NHBk7Ia9ARdSBdQ==",
+ "license": "MIT-0",
+ "engines": {
+ "node": ">=6.0.0"
+ }
+ },
"node_modules/nodemon": {
"version": "3.1.14",
"resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.14.tgz",
diff --git a/backend/package.json b/backend/package.json
index 37e0aa0..85eb687 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -22,6 +22,7 @@
"multer": "^2.1.1",
"mysql2": "^3.20.0",
"nanoid": "^5.1.7",
+ "nodemailer": "^8.0.4",
"session-file-store": "^1.5.0",
"sharp": "^0.34.5",
"zod": "^4.3.6"
diff --git a/backend/src/db.js b/backend/src/db.js
index 1c929d0..f329632 100644
--- a/backend/src/db.js
+++ b/backend/src/db.js
@@ -59,6 +59,7 @@ function mapUserRow(row) {
id: row.id,
email: row.email,
nickname: row.nickname || '',
+ emailVerified: row.email_verified == null ? true : !!row.email_verified,
isAdmin: !!row.is_admin,
avatarSrc: row.avatar_src || '',
createdAt: Number(row.created_at),
@@ -275,12 +276,47 @@ async function ensureSchema() {
email VARCHAR(255) NOT NULL UNIQUE,
nickname VARCHAR(80) NOT NULL DEFAULT '',
password_hash VARCHAR(255) NOT NULL,
+ email_verified TINYINT(1) NOT NULL DEFAULT 1,
is_admin TINYINT(1) NOT NULL DEFAULT 0,
avatar_src VARCHAR(255) NOT NULL DEFAULT '',
created_at BIGINT NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
`)
+ const userEmailVerifiedColumns = await query("SHOW COLUMNS FROM users LIKE 'email_verified'")
+ if (!userEmailVerifiedColumns.length) {
+ await query('ALTER TABLE users ADD COLUMN email_verified TINYINT(1) NOT NULL DEFAULT 1 AFTER password_hash')
+ await query('UPDATE users SET email_verified = 1 WHERE email_verified IS NULL')
+ }
+
+ await query(`
+ CREATE TABLE IF NOT EXISTS email_verification_tokens (
+ id VARCHAR(64) PRIMARY KEY,
+ user_id VARCHAR(64) NOT NULL,
+ token_hash CHAR(64) NOT NULL UNIQUE,
+ expires_at BIGINT NOT NULL,
+ consumed_at BIGINT NOT NULL DEFAULT 0,
+ created_at BIGINT NOT NULL,
+ INDEX idx_email_verification_user (user_id, consumed_at, expires_at),
+ INDEX idx_email_verification_expires (expires_at),
+ CONSTRAINT fk_email_verification_user FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
+ `)
+
+ await query(`
+ CREATE TABLE IF NOT EXISTS password_reset_tokens (
+ id VARCHAR(64) PRIMARY KEY,
+ user_id VARCHAR(64) NOT NULL,
+ token_hash CHAR(64) NOT NULL UNIQUE,
+ expires_at BIGINT NOT NULL,
+ consumed_at BIGINT NOT NULL DEFAULT 0,
+ created_at BIGINT NOT NULL,
+ INDEX idx_password_reset_user (user_id, consumed_at, expires_at),
+ INDEX idx_password_reset_expires (expires_at),
+ CONSTRAINT fk_password_reset_user FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
+ `)
+
await query(`
CREATE TABLE IF NOT EXISTS topics (
id VARCHAR(120) PRIMARY KEY,
@@ -567,7 +603,7 @@ async function countUsers() {
async function findUserByEmail(email) {
const rows = await query(
- 'SELECT id, email, nickname, password_hash, is_admin, avatar_src, created_at FROM users WHERE email = ? LIMIT 1',
+ 'SELECT id, email, nickname, password_hash, email_verified, is_admin, avatar_src, created_at FROM users WHERE email = ? LIMIT 1',
[email]
)
const row = rows[0]
@@ -581,7 +617,7 @@ async function findUserByNickname(nickname, excludeUserId = '') {
const rows = excludeUserId
? await query(
`
- SELECT id, email, nickname, password_hash, is_admin, avatar_src, created_at
+ SELECT id, email, nickname, password_hash, email_verified, is_admin, avatar_src, created_at
FROM users
WHERE TRIM(LOWER(nickname)) = TRIM(LOWER(?)) AND id <> ?
LIMIT 1
@@ -590,7 +626,7 @@ async function findUserByNickname(nickname, excludeUserId = '') {
)
: await query(
`
- SELECT id, email, nickname, password_hash, is_admin, avatar_src, created_at
+ SELECT id, email, nickname, password_hash, email_verified, is_admin, avatar_src, created_at
FROM users
WHERE TRIM(LOWER(nickname)) = TRIM(LOWER(?))
LIMIT 1
@@ -604,24 +640,138 @@ async function findUserByNickname(nickname, excludeUserId = '') {
async function findUserById(id) {
const rows = await query(
- 'SELECT id, email, nickname, is_admin, avatar_src, created_at FROM users WHERE id = ? LIMIT 1',
+ 'SELECT id, email, nickname, email_verified, is_admin, avatar_src, created_at FROM users WHERE id = ? LIMIT 1',
[id]
)
return mapUserRow(rows[0])
}
-async function createUser({ id, email, nickname, passwordHash, isAdmin }) {
+async function createUser({ id, email, nickname, passwordHash, emailVerified = true, isAdmin }) {
const createdAt = now()
await query(
`
- INSERT INTO users (id, email, nickname, password_hash, is_admin, avatar_src, created_at)
- VALUES (?, ?, ?, ?, ?, ?, ?)
+ INSERT INTO users (id, email, nickname, password_hash, email_verified, is_admin, avatar_src, created_at)
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?)
`,
- [id, email, nickname || '', passwordHash, isAdmin ? 1 : 0, '', createdAt]
+ [id, email, nickname || '', passwordHash, emailVerified ? 1 : 0, isAdmin ? 1 : 0, '', createdAt]
)
return findUserById(id)
}
+async function updateUserPassword({ id, passwordHash }) {
+ await query('UPDATE users SET password_hash = ? WHERE id = ?', [passwordHash, id])
+ return findUserById(id)
+}
+
+async function verifyUserEmail(userId) {
+ await query('UPDATE users SET email_verified = 1 WHERE id = ?', [userId])
+ return findUserById(userId)
+}
+
+async function createEmailVerificationToken({ id, userId, tokenHash, expiresAt }) {
+ const createdAt = now()
+ await query('UPDATE email_verification_tokens SET consumed_at = ? WHERE user_id = ? AND consumed_at = 0', [createdAt, userId])
+ await query(
+ `
+ INSERT INTO email_verification_tokens (id, user_id, token_hash, expires_at, consumed_at, created_at)
+ VALUES (?, ?, ?, ?, ?, ?)
+ `,
+ [id, userId, tokenHash, expiresAt, 0, createdAt]
+ )
+ return {
+ id,
+ userId,
+ tokenHash,
+ expiresAt,
+ consumedAt: 0,
+ createdAt,
+ }
+}
+
+async function findEmailVerificationTokenByHash(tokenHash) {
+ const rows = await query(
+ `
+ SELECT
+ id,
+ user_id,
+ token_hash,
+ expires_at,
+ consumed_at,
+ created_at
+ FROM email_verification_tokens
+ WHERE token_hash = ?
+ LIMIT 1
+ `,
+ [tokenHash]
+ )
+ const row = rows[0]
+ if (!row) return null
+ return {
+ id: row.id,
+ userId: row.user_id,
+ tokenHash: row.token_hash,
+ expiresAt: Number(row.expires_at || 0),
+ consumedAt: Number(row.consumed_at || 0),
+ createdAt: Number(row.created_at || 0),
+ }
+}
+
+async function consumeEmailVerificationToken(tokenId) {
+ await query('UPDATE email_verification_tokens SET consumed_at = ? WHERE id = ? AND consumed_at = 0', [now(), tokenId])
+}
+
+async function createPasswordResetToken({ id, userId, tokenHash, expiresAt }) {
+ const createdAt = now()
+ await query('UPDATE password_reset_tokens SET consumed_at = ? WHERE user_id = ? AND consumed_at = 0', [createdAt, userId])
+ await query(
+ `
+ INSERT INTO password_reset_tokens (id, user_id, token_hash, expires_at, consumed_at, created_at)
+ VALUES (?, ?, ?, ?, ?, ?)
+ `,
+ [id, userId, tokenHash, expiresAt, 0, createdAt]
+ )
+ return {
+ id,
+ userId,
+ tokenHash,
+ expiresAt,
+ consumedAt: 0,
+ createdAt,
+ }
+}
+
+async function findPasswordResetTokenByHash(tokenHash) {
+ const rows = await query(
+ `
+ SELECT
+ id,
+ user_id,
+ token_hash,
+ expires_at,
+ consumed_at,
+ created_at
+ FROM password_reset_tokens
+ WHERE token_hash = ?
+ LIMIT 1
+ `,
+ [tokenHash]
+ )
+ const row = rows[0]
+ if (!row) return null
+ return {
+ id: row.id,
+ userId: row.user_id,
+ tokenHash: row.token_hash,
+ expiresAt: Number(row.expires_at || 0),
+ consumedAt: Number(row.consumed_at || 0),
+ createdAt: Number(row.created_at || 0),
+ }
+}
+
+async function consumePasswordResetToken(tokenId) {
+ await query('UPDATE password_reset_tokens SET consumed_at = ? WHERE id = ? AND consumed_at = 0', [now(), tokenId])
+}
+
async function updateUserProfile({ id, nickname, avatarSrc }) {
if (typeof avatarSrc === 'string') {
await query('UPDATE users SET nickname = ?, avatar_src = ? WHERE id = ?', [nickname || '', avatarSrc, id])
@@ -633,7 +783,7 @@ async function updateUserProfile({ id, nickname, avatarSrc }) {
async function findPrimaryAdminUser() {
const rows = await query(
- 'SELECT id, email, nickname, is_admin, avatar_src, created_at FROM users WHERE is_admin = 1 ORDER BY created_at ASC, email ASC LIMIT 1'
+ 'SELECT id, email, nickname, email_verified, is_admin, avatar_src, created_at FROM users WHERE is_admin = 1 ORDER BY created_at ASC, email ASC LIMIT 1'
)
return mapUserRow(rows[0])
}
@@ -668,6 +818,7 @@ async function listUsers({ queryText = '', sort = 'recent', direction = 'desc' }
u.id,
u.email,
u.nickname,
+ u.email_verified,
u.is_admin,
u.avatar_src,
u.created_at,
@@ -679,7 +830,7 @@ async function listUsers({ queryText = '', sort = 'recent', direction = 'desc' }
FROM users u
LEFT JOIN tierlists t ON t.author_id = u.id
${where.length ? `WHERE ${where.join(' AND ')}` : ''}
- GROUP BY u.id, u.email, u.nickname, u.is_admin, u.avatar_src, u.created_at
+ GROUP BY u.id, u.email, u.nickname, u.email_verified, u.is_admin, u.avatar_src, u.created_at
ORDER BY ${orderBy}
`,
params
@@ -2501,6 +2652,14 @@ module.exports = {
findUserByNickname,
findUserById,
createUser,
+ updateUserPassword,
+ verifyUserEmail,
+ createEmailVerificationToken,
+ findEmailVerificationTokenByHash,
+ consumeEmailVerificationToken,
+ createPasswordResetToken,
+ findPasswordResetTokenByHash,
+ consumePasswordResetToken,
updateUserProfile,
findPrimaryAdminUser,
listUsers,
diff --git a/backend/src/lib/mailer.js b/backend/src/lib/mailer.js
new file mode 100644
index 0000000..f4a766e
--- /dev/null
+++ b/backend/src/lib/mailer.js
@@ -0,0 +1,113 @@
+const nodemailer = require('nodemailer')
+
+const SMTP_HOST = process.env.SMTP_HOST || 'smtp.gmail.com'
+const SMTP_PORT = process.env.SMTP_PORT ? Number(process.env.SMTP_PORT) : 465
+const SMTP_SECURE = process.env.SMTP_SECURE ? process.env.SMTP_SECURE === 'true' : SMTP_PORT === 465
+const SMTP_USER = process.env.SMTP_USER || ''
+const SMTP_PASS = process.env.SMTP_PASS || ''
+const SMTP_FROM = process.env.SMTP_FROM || SMTP_USER
+
+let transporterPromise = null
+
+function isMailerConfigured() {
+ return !!SMTP_USER && !!SMTP_PASS && !!SMTP_FROM
+}
+
+async function getTransporter() {
+ if (!isMailerConfigured()) {
+ const error = new Error('mail_not_configured')
+ error.code = 'mail_not_configured'
+ throw error
+ }
+
+ if (!transporterPromise) {
+ transporterPromise = (async () => {
+ const transporter = nodemailer.createTransport({
+ host: SMTP_HOST,
+ port: SMTP_PORT,
+ secure: SMTP_SECURE,
+ auth: {
+ user: SMTP_USER,
+ pass: SMTP_PASS,
+ },
+ })
+ await transporter.verify()
+ return transporter
+ })()
+ }
+
+ return transporterPromise
+}
+
+async function sendMail({ to, subject, text, html }) {
+ const transporter = await getTransporter()
+ await transporter.sendMail({
+ from: SMTP_FROM,
+ to,
+ subject,
+ text,
+ html,
+ })
+}
+
+async function sendEmailVerificationMail({ to, nickname, verificationUrl }) {
+ const displayName = nickname || to.split('@')[0] || '사용자'
+ await sendMail({
+ to,
+ subject: '[Tier Maker] 이메일 인증을 완료해주세요',
+ text: [
+ `${displayName}님, Tier Maker 가입을 완료하려면 아래 링크로 이메일 인증을 진행해주세요.`,
+ '',
+ verificationUrl,
+ '',
+ '이 링크는 24시간 동안 유효합니다.',
+ '직접 요청하지 않았다면 이 메일은 무시하셔도 됩니다.',
+ ].join('\n'),
+ html: `
+
+
Tier Maker 이메일 인증
+
${displayName}님, Tier Maker 가입을 완료하려면 아래 버튼으로 이메일 인증을 진행해주세요.
+
+ 이메일 인증하기
+
+
버튼이 열리지 않으면 아래 주소를 브라우저에 직접 붙여넣어주세요.
+
${verificationUrl}
+
이 링크는 24시간 동안 유효합니다. 직접 요청하지 않았다면 이 메일은 무시하셔도 됩니다.
+
+
Tier Maker 비밀번호 재설정
+
${displayName}님, 비밀번호를 다시 설정하려면 아래 버튼을 눌러주세요.
+
+ 비밀번호 재설정
+
+
버튼이 열리지 않으면 아래 주소를 브라우저에 직접 붙여넣어주세요.
+
${resetUrl}
+
이 링크는 1시간 동안 유효합니다. 직접 요청하지 않았다면 이 메일은 무시하셔도 됩니다.
+