rspace-online/backlog/tasks/task-55 - Wire-up-account-settings-endpoints-email-verification-device-registration-guardians.md

id	title	status	assignee	created_date	labels	dependencies	references	priority
TASK-55	Wire up account settings endpoints (email verification, device registration, guardians)	Done	@claude	2026-02-25 22:59	identity backend encryptid		src/encryptid/server.ts src/encryptid/db.ts shared/components/rstack-identity.ts	high

Description

Add server-side endpoints for the three account settings features and wire up the client modals to use them. Email verification uses SMTP with 6-digit codes. Device registration uses WebAuthn for same-device passkey addition. Social recovery uses the existing guardian API.

Acceptance Criteria

• #1 POST /api/account/email/start sends 6-digit code via SMTP
• #2 POST /api/account/email/verify validates code and sets email on account
• #3 POST /api/account/device/start returns WebAuthn creation options for authenticated user
• #4 POST /api/account/device/complete stores new credential under existing account
• #5 Social recovery modal loads guardians from GET /api/guardians on open
• #6 Adding guardian calls POST /api/guardians with name + optional email
• #7 Removing guardian calls DELETE /api/guardians/:id
• #8 StoredChallenge.type includes device_registration
• #9 StoredRecoveryToken.type includes email_verification

Final Summary

Implemented in commit 914d0e6. Added 4 new server endpoints under /api/account/ namespace. Email verification sends styled HTML email with 6-digit code via Mailcow SMTP, stores as recovery token. Device registration reuses existing challenge/credential infrastructure with new device_registration type. Client social recovery modal rewritten to use existing guardian API (add/remove individual guardians, load on open, show status). DB types extended for new token/challenge types.