Add email activation flow and replace is_active with status column

Email signup now creates inactive users who must activate via a 30-minute email token before signing in. Team creation is deferred to first login after activation, while OAuth users continue to get teams immediately. - Replace boolean is_active with status column (inactive/active/disabled/deleted) - Add POST /v1/auth/activate endpoint with Redis-backed token consumption - Signup returns message instead of JWT, sends activation email - Login differentiates error messages by user status - Add confirm password field to signup form - Add /activate frontend page that auto-logs in on success - Handle inactive user cleanup on re-signup (30-min cooldown) and OAuth collision
2026-04-16 04:05:41 +06:00
parent e8a2217247
commit a3f75300a9
18 changed files with 726 additions and 265 deletions
--- a/internal/api/handlers_auth.go
+++ b/internal/api/handlers_auth.go
@ -2,15 +2,21 @@ package api

 import (
 	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
+	"fmt"
 	"log/slog"
 	"net/http"
 	"strings"
+	"time"

 	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgconn"
 	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/redis/go-redis/v9"

 	"git.omukk.dev/wrenn/wrenn/internal/email"
 	"git.omukk.dev/wrenn/wrenn/pkg/auth"
@ -18,6 +24,12 @@ import (
 	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )

+const (
+	activationKeyPrefix = "wrenn:activation:"
+	activationTTL       = 30 * time.Minute
+	signupCooldown      = 30 * time.Minute
+)
+
 // loginTeam returns the team and role to stamp into a login JWT.
 // It prefers the user's default team; if none is flagged as default it falls
 // back to the earliest-joined team. Returns pgx.ErrNoRows when the user has
@ -53,19 +65,89 @@ func loginTeam(ctx context.Context, q *db.Queries, userID pgtype.UUID) (db.Team,
 	}, first.Role, nil
 }

+// ensureDefaultTeam creates a default team for a user if they have none.
+// This happens on first login after activation or for edge cases where a user
+// has no teams. Returns the team, role, and whether the user was set as admin.
+func ensureDefaultTeam(ctx context.Context, qtx *db.Queries, pool *pgxpool.Pool, userID pgtype.UUID, userName string) (db.Team, string, bool, error) {
+	// Try existing teams first.
+	team, role, err := loginTeam(ctx, qtx, userID)
+	if err == nil {
+		return team, role, false, nil
+	}
+	if !errors.Is(err, pgx.ErrNoRows) {
+		return db.Team{}, "", false, err
+	}
+
+	// No teams — create default team in a transaction.
+	tx, err := pool.Begin(ctx)
+	if err != nil {
+		return db.Team{}, "", false, fmt.Errorf("begin tx: %w", err)
+	}
+	defer tx.Rollback(ctx) //nolint:errcheck
+
+	txq := qtx.WithTx(tx)
+
+	// First active user to have a team becomes admin.
+	activeCount, err := txq.CountActiveUsers(ctx)
+	if err != nil {
+		return db.Team{}, "", false, fmt.Errorf("count active users: %w", err)
+	}
+	isFirstUser := activeCount == 1 // only this user is active
+
+	teamID := id.NewTeamID()
+	teamRow, err := txq.InsertTeam(ctx, db.InsertTeamParams{
+		ID:   teamID,
+		Name: userName + "'s Team",
+		Slug: id.NewTeamSlug(),
+	})
+	if err != nil {
+		return db.Team{}, "", false, fmt.Errorf("insert team: %w", err)
+	}
+
+	if err := txq.InsertTeamMember(ctx, db.InsertTeamMemberParams{
+		UserID:    userID,
+		TeamID:    teamID,
+		IsDefault: true,
+		Role:      "owner",
+	}); err != nil {
+		return db.Team{}, "", false, fmt.Errorf("insert team member: %w", err)
+	}
+
+	if isFirstUser {
+		if err := txq.SetUserAdmin(ctx, db.SetUserAdminParams{ID: userID, IsAdmin: true}); err != nil {
+			return db.Team{}, "", false, fmt.Errorf("set admin: %w", err)
+		}
+	}
+
+	if err := tx.Commit(ctx); err != nil {
+		return db.Team{}, "", false, fmt.Errorf("commit: %w", err)
+	}
+
+	return db.Team{
+		ID:        teamRow.ID,
+		Name:      teamRow.Name,
+		Slug:      teamRow.Slug,
+		IsByoc:    teamRow.IsByoc,
+		CreatedAt: teamRow.CreatedAt,
+		DeletedAt: teamRow.DeletedAt,
+	}, "owner", isFirstUser, nil
+}
+
 type switchTeamRequest struct {
 	TeamID string `json:"team_id"`
 }

 type authHandler struct {
-	db        *db.Queries
-	pool      *pgxpool.Pool
-	jwtSecret []byte
-	mailer    email.Mailer
+	db          *db.Queries
+	pool        *pgxpool.Pool
+	jwtSecret   []byte
+	mailer      email.Mailer
+	rdb         *redis.Client
+	redirectURL string
 }

-func newAuthHandler(db *db.Queries, pool *pgxpool.Pool, jwtSecret []byte, mailer email.Mailer) *authHandler {
-	return &authHandler{db: db, pool: pool, jwtSecret: jwtSecret, mailer: mailer}
+func newAuthHandler(db *db.Queries, pool *pgxpool.Pool, jwtSecret []byte, mailer email.Mailer, rdb *redis.Client, redirectURL string) *authHandler {
+	return &authHandler{db: db, pool: pool, jwtSecret: jwtSecret, mailer: mailer, rdb: rdb, redirectURL: strings.TrimRight(redirectURL, "/")}
 }

 type signupRequest struct {
@ -79,6 +161,10 @@ type loginRequest struct {
 	Password string `json:"password"`
 }

+type activateRequest struct {
+	Token string `json:"token"`
+}
+
 type authResponse struct {
 	Token  string `json:"token"`
 	UserID string `json:"user_id"`
@ -87,6 +173,10 @@ type authResponse struct {
 	Name   string `json:"name"`
 }

+type signupResponse struct {
+	Message string `json:"message"`
+}
+
 // Signup handles POST /v1/auth/signup.
 func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 	var req signupRequest
@ -112,32 +202,41 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {

 	ctx := r.Context()

+	// Check for existing user with this email.
+	existing, err := h.db.GetUserByEmail(ctx, req.Email)
+	if err == nil {
+		// User exists — decide what to do based on status.
+		switch existing.Status {
+		case "inactive":
+			// Unactivated user — allow re-signup after cooldown.
+			if time.Since(existing.CreatedAt.Time) < signupCooldown {
+				writeError(w, http.StatusConflict, "signup_cooldown",
+					"an activation email was recently sent to this address — please check your inbox or try again later")
+				return
+			}
+			// Cooldown passed — delete the old row and proceed with fresh signup.
+			if err := h.db.HardDeleteUser(ctx, existing.ID); err != nil {
+				writeError(w, http.StatusInternalServerError, "db_error", "failed to clean up previous signup")
+				return
+			}
+		default:
+			// active, disabled, deleted — email is taken.
+			writeError(w, http.StatusConflict, "email_taken", "an account with this email already exists")
+			return
+		}
+	} else if !errors.Is(err, pgx.ErrNoRows) {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up user")
+		return
+	}
+
 	passwordHash, err := auth.HashPassword(req.Password)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to hash password")
 		return
 	}

-	// Use a transaction to atomically create user + team + membership.
-	tx, err := h.pool.Begin(ctx)
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to begin transaction")
-		return
-	}
-	defer tx.Rollback(ctx) //nolint:errcheck
-
-	qtx := h.db.WithTx(tx)
-
-	// The first user to sign up becomes a platform admin.
-	userCount, err := qtx.CountUsers(ctx)
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to check user count")
-		return
-	}
-	isFirstUser := userCount == 0
-
 	userID := id.NewUserID()
-	_, err = qtx.InsertUser(ctx, db.InsertUserParams{
+	_, err = h.db.InsertUserInactive(ctx, db.InsertUserInactiveParams{
 		ID:           userID,
 		Email:        req.Email,
 		PasswordHash: pgtype.Text{String: passwordHash, Valid: true},
@ -153,61 +252,111 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if isFirstUser {
-		if err := qtx.SetUserAdmin(ctx, db.SetUserAdminParams{ID: userID, IsAdmin: true}); err != nil {
-			writeError(w, http.StatusInternalServerError, "db_error", "failed to set admin status")
-			return
+	// Generate activation token and store in Redis.
+	rawToken := generateActivationToken()
+	tokenHash := hashActivationToken(rawToken)
+	redisKey := activationKeyPrefix + tokenHash
+
+	if err := h.rdb.Set(ctx, redisKey, id.FormatUserID(userID), activationTTL).Err(); err != nil {
+		slog.Error("signup: failed to store activation token in redis", "error", err)
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to create activation token")
+		return
+	}
+
+	activateURL := h.redirectURL + "/activate?token=" + rawToken
+	go func() {
+		sendCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		if err := h.mailer.Send(sendCtx, req.Email, "Activate your Wrenn account", email.EmailData{
+			RecipientName: req.Name,
+			Message:       "Welcome to Wrenn! Click the button below to activate your account. This link expires in 30 minutes.",
+			Button:        &email.Button{Text: "Activate Account", URL: activateURL},
+			Closing:       "If you didn't create this account, you can safely ignore this email.",
+		}); err != nil {
+			slog.Warn("signup: failed to send activation email", "email", req.Email, "error", err)
 		}
+	}()
+
+	writeJSON(w, http.StatusCreated, signupResponse{
+		Message: "Account created. Please check your email to activate your account.",
+	})
+}
+
+// Activate handles POST /v1/auth/activate.
+func (h *authHandler) Activate(w http.ResponseWriter, r *http.Request) {
+	var req activateRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
 	}

-	// Create default team.
-	teamID := id.NewTeamID()
-	if _, err := qtx.InsertTeam(ctx, db.InsertTeamParams{
-		ID:   teamID,
-		Name: req.Name + "'s Team",
-		Slug: id.NewTeamSlug(),
+	if req.Token == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "token is required")
+		return
+	}
+
+	ctx := r.Context()
+	tokenHash := hashActivationToken(req.Token)
+	redisKey := activationKeyPrefix + tokenHash
+
+	userIDStr, err := h.rdb.GetDel(ctx, redisKey).Result()
+	if errors.Is(err, redis.Nil) {
+		writeError(w, http.StatusBadRequest, "invalid_token", "activation link is invalid or has expired")
+		return
+	}
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to verify token")
+		return
+	}
+
+	userID, err := id.ParseUserID(userIDStr)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "invalid stored user ID")
+		return
+	}
+
+	user, err := h.db.GetUserByID(ctx, userID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get user")
+		return
+	}
+
+	if user.Status != "inactive" {
+		writeError(w, http.StatusBadRequest, "already_activated", "this account has already been activated")
+		return
+	}
+
+	// Activate the user.
+	if err := h.db.SetUserStatus(ctx, db.SetUserStatusParams{
+		ID:     userID,
+		Status: "active",
 	}); err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to create team")
+		slog.Error("activate: failed to set user status", "user_id", id.FormatUserID(userID), "error", err)
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to activate user")
 		return
 	}

-	if err := qtx.InsertTeamMember(ctx, db.InsertTeamMemberParams{
-		UserID:    userID,
-		TeamID:    teamID,
-		IsDefault: true,
-		Role:      "owner",
-	}); err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to add user to team")
+	// Create default team and log them in.
+	team, role, isFirstUser, err := ensureDefaultTeam(ctx, h.db, h.pool, userID, user.Name)
+	if err != nil {
+		slog.Error("activate: failed to create default team", "error", err)
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to set up account")
 		return
 	}

-	if err := tx.Commit(ctx); err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to commit signup")
-		return
-	}
-
-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, req.Email, req.Name, "owner", isFirstUser)
+	isAdmin := user.IsAdmin || isFirstUser
+	token, err := auth.SignJWT(h.jwtSecret, userID, team.ID, user.Email, user.Name, role, isAdmin)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
 	}

-	go func() {
-		if err := h.mailer.Send(context.Background(), req.Email, "Welcome to Wrenn", email.EmailData{
-			RecipientName: req.Name,
-			Message:       "Welcome to Wrenn! Your account has been created and you're ready to start building with secure, isolated sandboxes.",
-			Closing:       "If you have any questions, feel free to reach out. We're glad to have you.",
-		}); err != nil {
-			slog.Warn("failed to send welcome email", "email", req.Email, "error", err)
-		}
-	}()
-
-	writeJSON(w, http.StatusCreated, authResponse{
+	writeJSON(w, http.StatusOK, authResponse{
 		Token:  token,
 		UserID: id.FormatUserID(userID),
-		TeamID: id.FormatTeamID(teamID),
-		Email:  req.Email,
-		Name:   req.Name,
+		TeamID: id.FormatTeamID(team.ID),
+		Email:  user.Email,
+		Name:   user.Name,
 	})
 }

@ -249,23 +398,36 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if !user.IsActive {
-		slog.Warn("login failed: account deactivated", "email", req.Email, "ip", r.RemoteAddr)
-		writeError(w, http.StatusForbidden, "account_deactivated", "your account has been deactivated — contact your administrator to regain access")
+	switch user.Status {
+	case "active":
+		// OK — proceed.
+	case "inactive":
+		slog.Warn("login failed: account not activated", "email", req.Email, "ip", r.RemoteAddr)
+		writeError(w, http.StatusForbidden, "account_not_activated", "please check your email and activate your account before signing in")
+		return
+	case "disabled":
+		slog.Warn("login failed: account disabled", "email", req.Email, "ip", r.RemoteAddr)
+		writeError(w, http.StatusForbidden, "account_disabled", "your account has been deactivated — contact your administrator to regain access")
+		return
+	case "deleted":
+		slog.Warn("login failed: account deleted", "email", req.Email, "ip", r.RemoteAddr)
+		writeError(w, http.StatusUnauthorized, "unauthorized", "invalid email or password")
+		return
+	default:
+		writeError(w, http.StatusUnauthorized, "unauthorized", "invalid email or password")
 		return
 	}

-	team, role, err := loginTeam(ctx, h.db, user.ID)
+	// Ensure user has a default team (creates one on first login after activation).
+	team, role, isFirstUser, err := ensureDefaultTeam(ctx, h.db, h.pool, user.ID, user.Name)
 	if err != nil {
-		if errors.Is(err, pgx.ErrNoRows) {
-			writeError(w, http.StatusForbidden, "no_team", "user is not a member of any team")
-			return
-		}
+		slog.Error("login: failed to ensure default team", "error", err)
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up team")
 		return
 	}

-	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
+	isAdmin := user.IsAdmin || isFirstUser
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, isAdmin)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@ -355,3 +517,18 @@ func (h *authHandler) SwitchTeam(w http.ResponseWriter, r *http.Request) {
 		Name:   user.Name,
 	})
 }
+
+// --- helpers ---
+
+func generateActivationToken() string {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		panic(fmt.Sprintf("crypto/rand failed: %v", err))
+	}
+	return hex.EncodeToString(b)
+}
+
+func hashActivationToken(raw string) string {
+	h := sha256.Sum256([]byte(raw))
+	return hex.EncodeToString(h[:])
+}
--- a/internal/api/handlers_me.go
+++ b/internal/api/handlers_me.go
@ -276,7 +276,7 @@ func (h *meHandler) RequestPasswordReset(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	if !user.IsActive || user.DeletedAt.Valid {
+	if user.Status != "active" {
 		w.WriteHeader(http.StatusNoContent)
 		return
 	}
--- a/internal/api/handlers_oauth.go
+++ b/internal/api/handlers_oauth.go
@ -217,8 +217,8 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		if !user.IsActive {
-			slog.Warn("oauth login: account deactivated", "email", user.Email)
+		if user.Status != "active" {
+			slog.Warn("oauth login: account not active", "email", user.Email, "status", user.Status)
 			redirectWithError(w, r, redirectBase, "account_deactivated")
 			return
 		}
@ -244,13 +244,21 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 	}

 	// New OAuth identity — check for email collision.
-	_, err = h.db.GetUserByEmail(ctx, email)
+	existingUser, err := h.db.GetUserByEmail(ctx, email)
 	if err == nil {
-		// Email already taken by another account.
-		redirectWithError(w, r, redirectBase, "email_taken")
-		return
-	}
-	if !errors.Is(err, pgx.ErrNoRows) {
+		if existingUser.Status == "inactive" {
+			// Unactivated email signup — delete and let OAuth take over.
+			if delErr := h.db.HardDeleteUser(ctx, existingUser.ID); delErr != nil {
+				slog.Error("oauth: failed to delete inactive user", "error", delErr)
+				redirectWithError(w, r, redirectBase, "db_error")
+				return
+			}
+		} else {
+			// Email already taken by an active/disabled/deleted account.
+			redirectWithError(w, r, redirectBase, "email_taken")
+			return
+		}
+	} else if !errors.Is(err, pgx.ErrNoRows) {
 		slog.Error("oauth: email check failed", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
@ -373,8 +381,8 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	if !user.IsActive {
-		slog.Warn("oauth: retry login: account deactivated", "email", user.Email)
+	if user.Status != "active" {
+		slog.Warn("oauth: retry login: account not active", "email", user.Email, "status", user.Status)
 		redirectWithError(w, r, redirectBase, "account_deactivated")
 		return
 	}
--- a/internal/api/handlers_users.go
+++ b/internal/api/handlers_users.go
@ -80,7 +80,7 @@ func (h *usersHandler) AdminListUsers(w http.ResponseWriter, r *http.Request) {
 		Email       string `json:"email"`
 		Name        string `json:"name"`
 		IsAdmin     bool   `json:"is_admin"`
-		IsActive    bool   `json:"is_active"`
+		Status      string `json:"status"`
 		CreatedAt   string `json:"created_at"`
 		TeamsJoined int32  `json:"teams_joined"`
 		TeamsOwned  int32  `json:"teams_owned"`
@ -93,7 +93,7 @@ func (h *usersHandler) AdminListUsers(w http.ResponseWriter, r *http.Request) {
 			Email:       u.Email,
 			Name:        u.Name,
 			IsAdmin:     u.IsAdmin,
-			IsActive:    u.IsActive,
+			Status:      u.Status,
 			CreatedAt:   u.CreatedAt.Format(time.RFC3339),
 			TeamsJoined: u.TeamsJoined,
 			TeamsOwned:  u.TeamsOwned,
@ -135,9 +135,14 @@ func (h *usersHandler) SetUserActive(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := h.svc.SetUserActive(r.Context(), userID, req.Active); err != nil {
-		status, code, msg := serviceErrToHTTP(err)
-		writeError(w, status, code, msg)
+	newStatus := "active"
+	if !req.Active {
+		newStatus = "disabled"
+	}
+
+	if err := h.svc.SetUserStatus(r.Context(), userID, newStatus); err != nil {
+		httpStatus, code, msg := serviceErrToHTTP(err)
+		writeError(w, httpStatus, code, msg)
 		return
 	}

--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@ -71,7 +71,7 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 					writeError(w, http.StatusUnauthorized, "unauthorized", "user not found")
 					return
 				}
-				if !user.IsActive {
+				if user.Status != "active" {
 					writeError(w, http.StatusForbidden, "account_deactivated", "your account has been deactivated — contact your administrator to regain access")
 					return
 				}
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@ -50,7 +50,7 @@ func requireJWT(secret []byte, queries *db.Queries) func(http.Handler) http.Hand
 				writeError(w, http.StatusUnauthorized, "unauthorized", "user not found")
 				return
 			}
-			if !user.IsActive {
+			if user.Status != "active" {
 				writeError(w, http.StatusForbidden, "account_deactivated", "your account has been deactivated — contact your administrator to regain access")
 				return
 			}
--- a/internal/api/openapi.yaml
+++ b/internal/api/openapi.yaml
@ -16,6 +16,10 @@ paths:
      summary: Create a new account
      operationId: signup
      tags: [auth]
+      description: |
+        Creates an inactive user account and sends an activation email.
+        The user must activate their account within 30 minutes.
+        Does not return a JWT — the user must activate first, then sign in.
      requestBody:
        required: true
        content:
@ -24,11 +28,11 @@ paths:
              $ref: "#/components/schemas/SignupRequest"
      responses:
        "201":
-          description: Account created
+          description: Account created, activation email sent
          content:
            application/json:
              schema:
-                $ref: "#/components/schemas/AuthResponse"
+                $ref: "#/components/schemas/SignupResponse"
        "400":
          description: Invalid request (bad email, short password)
          content:
@ -36,7 +40,39 @@ paths:
              schema:
                $ref: "#/components/schemas/Error"
        "409":
-          description: Email already registered
+          description: Email already registered or signup cooldown active
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/auth/activate:
+    post:
+      summary: Activate account via email token
+      operationId: activate
+      tags: [auth]
+      description: |
+        Consumes the activation token sent via email and activates the user account.
+        Creates a default team and returns a JWT to log the user in.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [token]
+              properties:
+                token:
+                  type: string
+      responses:
+        "200":
+          description: Account activated, JWT issued
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/AuthResponse"
+        "400":
+          description: Invalid or expired token
          content:
            application/json:
              schema:
@ -229,7 +265,7 @@ paths:
      security:
        - bearerAuth: []
      description: |
-        Soft-deletes the account (sets is_active=false, deleted_at=now).
+        Soft-deletes the account (sets status=deleted, deleted_at=now).
        The account is permanently removed after 15 days. Blocked if the user
        owns any team that has other members.
      requestBody:
@ -2323,6 +2359,13 @@ components:
        password:
          type: string

+    SignupResponse:
+      type: object
+      properties:
+        message:
+          type: string
+          description: Confirmation message instructing user to check email
+
    AuthResponse:
      type: object
      properties:
--- a/internal/api/server.go
+++ b/internal/api/server.go
@ -70,7 +70,7 @@ func New(
 	filesStream := newFilesStreamHandler(queries, pool)
 	fsH := newFSHandler(queries, pool)
 	snapshots := newSnapshotHandler(templateSvc, queries, pool, al)
-	authH := newAuthHandler(queries, pgPool, jwtSecret, mailer)
+	authH := newAuthHandler(queries, pgPool, jwtSecret, mailer, rdb, oauthRedirectURL)
 	oauthH := newOAuthHandler(queries, pgPool, jwtSecret, oauthRegistry, oauthRedirectURL)
 	apiKeys := newAPIKeyHandler(apiKeySvc, al)
 	hostH := newHostHandler(hostSvc, queries, al)
@ -93,6 +93,7 @@ func New(
 	// Unauthenticated auth endpoints.
 	r.Post("/v1/auth/signup", authH.Signup)
 	r.Post("/v1/auth/login", authH.Login)
+	r.Post("/v1/auth/activate", authH.Activate)
 	r.Get("/auth/oauth/{provider}", oauthH.Redirect)
 	r.Get("/auth/oauth/{provider}/callback", oauthH.Callback)