Multiple Email Support (#179)

* Agent implementation plan

* Codex attempt

* Remove unused

* Remove unused

* Use EmailAddress type for verification form

* We don't need the primary email on the User currently, better to keep it simple with the sign in email

* Refine the add emails form to take the user back to the members page rather than their own

* Start to bring the email address editing for the /me page inline with how other settings such as form of address are edited

* Structured the email addresses table

* Working form to add email

* Add email working

* Sort out send-email-verification form as command

* Setting up rate limiting on sending verification emails

* Correcting code around commands to better follow existing structure

* Hook up sending verification email

* Sorting out the split between login and verify-email

* Getting landing page for email verification working

* Fix import

* Sorted out the landing page for verification - intentionally stepped away from completely fp/ts as part of a general move away

* Fix verify email misused promises

* Fix import loop

* Landing page for verifying email working

* Change wording for setting primary email

* Fix set primary email button

* Test that demonstrates issue that both types of magic token are interchangable

* Prevent magic tokens being interchangable

* Test + fix for add email form when adding email as a super-user

* Test for send email verification event not being handled

* Fix email verification requested not updating shared read model

* Use the normalised email when updating verification requested in the table

* Fix verification requested state not showing correctly

Author: Lan2u

agent plans/multiple-emails.md

@@ -0,0 +1,112 @@
+# Multi-Email Member Accounts With Verified Primary Email
+
+## Summary
+- Add support for multiple email addresses per member, with one selected `primaryEmailAddress`.
+- New emails are always added as `unverified`.
+- Only verified emails can be used for login and only verified emails can be selected as primary.
+- Users cannot remove emails.
+- Existing `MemberNumberLinkedToEmail` history remains valid by projecting it as a verified primary email, so current users continue to work without migration of the event store.
+
+## Key Changes
+- **Domain events and invariants**
+  - Add `MemberEmailAdded`, `MemberEmailVerificationRequested`, `MemberEmailVerified`, and `MemberPrimaryEmailChanged`.
+  - Keep `MemberNumberLinkedToEmail` as a legacy bootstrap event only.
+  - Enforce these rules in command processing:
+    - email addresses are globally unique across all members, including unverified ones
+    - adding an already-linked email is a no-op for the same member and a failure event for a different member
+    - `MemberPrimaryEmailChanged` is allowed only when the target email belongs to the member and is verified
+    - verification is idempotent
+  - Keep self-service commands authorized with the existing self-or-privileged pattern.
+
+- **Read model and types**
+  - Replace the single-email assumption in the shared member model with:
+    - `primaryEmailAddress: EmailAddress`
+    - `emails: ReadonlyArray<MemberEmail>`
+  - Introduce a `MemberEmail` shape with `emailAddress`, `verifiedAt: O.Option<Date>`, and `addedAt: Date`.
+  - Add a dedicated `memberEmails` table in the shared read model and store `primaryEmailAddress` on `members` for cheap rendering and stable downstream access.
+  - Project legacy `MemberNumberLinkedToEmail` into:
+    - a `members` row if missing
+    - a verified `memberEmails` row
+    - `members.primaryEmailAddress`
+  - Update member merge behavior so grouped member numbers merge all email rows and expose one primary email for the merged member. Primary selection should come from the highest-priority merged record, matching the current precedence pattern used in `mergeMemberCore`.
+
+- **Authentication and verification flow**
+  - Keep `POST /auth` as the login entrypoint.
+  - Change login lookup to search verified emails only; unverified emails behave as “no member associated”.
+  - Continue sending the login email to the matched verified address, not to the member’s primary email unless they are the same.
+  - Extend the session and JWT user payload to include:
+    - `memberNumber`
+    - `emailAddress` as the authenticated email used for that login
+    - `primaryEmailAddress`
+  - Add a separate email-verification token flow using a distinct token purpose from magic-link login.
+  - Add routes:
+    - `GET /auth/verify-email/landing`
+    - `GET /auth/verify-email/callback`
+    - an invalid-verification-link page or reuse the existing invalid-link pattern with verification-specific copy
+  - Verification tokens should carry `memberNumber`, `emailAddress`, purpose, and expiry.
+  - Reuse the existing email rate limiter for verification emails.
+
+- **UI and commands**
+  - Update the `/me` page to show:
+    - primary email prominently
+    - a table/list of all email addresses with `Verified` / `Unverified` status
+    - an add-email form
+    - a `Send verification email` action for unverified emails
+    - a `Make primary` action for verified non-primary emails
+  - Do not render any remove action.
+  - Mirror the multi-email display anywhere a member profile currently shows only `emailAddress`, but use `primaryEmailAddress` where the screen only has room for one canonical address.
+  - Add commands/forms under the existing `members` route family:
+    - `members/add-email`
+    - `members/send-email-verification`
+    - `members/change-primary-email`
+  - Use `primaryEmailAddress` everywhere the app currently means “default displayed member email”, including Gravatar, member tables, and training/admin views.
+
+- **Compatibility and downstream behavior**
+  - Update `sharedReadModel.members.findByEmail` to read from `memberEmails` and return only members with a verified match.
+  - Update any code that currently reads `member.emailAddress` to either:
+    - `member.primaryEmailAddress` for display/default contact behavior, or
+    - `member.emails` when the feature actually needs the full set
+  - Update Recurly subscription application so it resolves membership status through verified emails only. It must not activate a member based on an unverified address.
+  - Preserve the existing admin “link email + member number” workflow by making it project as an immediately verified primary email for bootstrap/import use.
+
+## Public Interfaces and Types
+- `User` gains `primaryEmailAddress` while keeping `emailAddress` as the authenticated email for the current session.
+- `MemberCoreInfo` and `Member` replace the single `emailAddress` field with `primaryEmailAddress` plus `emails`.
+- `SharedReadModel.members.findByEmail(email)` keeps the same signature but now matches verified emails only.
+- New form/command inputs:
+  - `AddMemberEmail { memberNumber, email }`
+  - `SendMemberEmailVerification { memberNumber, email }`
+  - `ChangeMemberPrimaryEmail { memberNumber, email }`
+
+## Test Plan
+- **Command tests**
+  - add unverified email to a member
+  - reject add when email belongs to another member
+  - no-op when re-adding same email to same member
+  - reject primary change to unverified email
+  - allow primary change to verified email
+  - verification is idempotent
+- **Read-model tests**
+  - legacy `MemberNumberLinkedToEmail` produces a verified primary email
+  - grouped/rejoined members expose all emails after merge
+  - only verified emails are returned by `findByEmail`
+  - primary email projection changes correctly after `MemberPrimaryEmailChanged`
+- **Authentication tests**
+  - login succeeds with any verified email
+  - login fails for unverified email
+  - login email is sent to the matched verified address
+  - verification token expiry and invalid token handling
+  - session decoding works with the new `User` shape
+- **Query/render tests**
+  - `/me` shows primary email and all addresses with status labels
+  - unverified rows show verification action only
+  - verified non-primary rows show `Make primary`
+  - pages that previously rendered `member.emailAddress` now render `member.primaryEmailAddress`
+
+## Assumptions and Defaults
+- Email uniqueness is global across all member emails, not just verified emails.
+- Users cannot delete emails in v1.
+- A member must always have a primary email once they have at least one email.
+- Legacy linked emails are treated as verified and primary automatically.
+- `primaryEmailAddress` is the canonical display/default-contact email; `emailAddress` on the session user is the email used to authenticate that session.
+- Recurly and any other email-based external syncs should trust verified emails only.

src/authentication/auth-routes.ts

@@ -1,19 +1,15 @@
 import {Dependencies} from '../dependencies';
-import {Safe, safe} from '../types/html';
-import {Route, get, post} from '../types/route';
-import {auth, landing, callback, invalidLink, logIn, logOut} from './handlers';
+import {Config} from '../configuration';
+import {Route} from '../types/route';
+import { routes as verifyEmailRoutes } from './verify-email/routes';
+import { loginRoutes } from './login/routes';
 
-export const logInPath: Safe = safe('/log-in');
-const invalidLinkPath = '/auth/invalid-magic-link';
-
-export const authRoutes = (deps: Dependencies): ReadonlyArray<Route> => {
+export const authRoutes = (
+  deps: Dependencies,
+  conf: Config
+): ReadonlyArray<Route> => {
   return [
-    get(logInPath, logIn(deps)),
-    get('/log-out', logOut),
-    post('/auth', auth),
-    get('/auth', (_req, res) => res.redirect(logInPath)),
-    get('/auth/landing', landing),
-    get('/auth/callback', callback(invalidLinkPath)),
-    get(invalidLinkPath, invalidLink(logInPath)),
+    ...loginRoutes(deps),
+    ...verifyEmailRoutes(deps, conf),
   ];
 };

src/authentication/index.ts

@@ -1,6 +1,6 @@
-export {magicLink} from './magic-link';
+export {magicLink} from './login/magic-link';
 export {authRoutes} from './auth-routes';
-export {getUserFromSession} from './get-user-from-session';
-export {startMagicLinkEmailPubSub} from './start-magic-link-email-pub-sub';
+export {getUserFromSession} from './login/get-user-from-session';
+export {startMagicLinkEmailPubSub} from './login/start-magic-link-email-pub-sub';
 export {sessionOptions as sessionConfig} from './session-config';
 export {cookieSessionPassportWorkaround} from './cookie-session-passport-workaround';

src/authentication/check-your-mail.ts …/authentication/login/check-your-mail.tssrc/authentication/check-your-mail.ts renamed to src/authentication/login/check-your-mail.ts src/authentication/check-your-mail.ts renamed to src/authentication/login/check-your-mail.ts

@@ -1,8 +1,8 @@
 import {pipe} from 'fp-ts/lib/function';
-import {isolatedPageTemplate} from '../templates/page-template';
-import {html, safe, sanitizeString} from '../types/html';
-import {EmailAddress} from '../types';
-import {normaliseEmailAddress} from '../read-models/shared-state/normalise-email-address';
+import {isolatedPageTemplate} from '../../templates/page-template';
+import {html, safe, sanitizeString} from '../../types/html';
+import {EmailAddress} from '../../types';
+import {normaliseEmailAddress} from '../../read-models/shared-state/normalise-email-address';
 
 export const checkYourMailPage = (submittedEmailAddress: EmailAddress) =>
   pipe(

…/authentication/get-user-from-session.ts …ntication/login/get-user-from-session.tssrc/authentication/get-user-from-session.ts renamed to src/authentication/login/get-user-from-session.ts src/authentication/get-user-from-session.ts renamed to src/authentication/login/get-user-from-session.ts

@@ -1,9 +1,9 @@
 import {flow, pipe} from 'fp-ts/lib/function';
 import * as t from 'io-ts';
-import {User} from '../types';
+import {User} from '../../types';
 import * as E from 'fp-ts/Either';
 import * as O from 'fp-ts/Option';
-import {Dependencies} from '../dependencies';
+import {Dependencies} from '../../dependencies';
 import {formatValidationErrors} from 'io-ts-reporters';
 
 const SessionCodec = t.strict({

src/authentication/handlers.ts src/authentication/login/handlers.tssrc/authentication/handlers.ts renamed to src/authentication/login/handlers.ts

@@ -9,17 +9,16 @@ import passport from 'passport';
 import {magicLink} from './magic-link';
 import {logInPage} from './log-in-page';
 import {checkYourMailPage} from './check-your-mail';
-import {oopsPage, isolatedPageTemplate} from '../templates';
+import {oopsPage, isolatedPageTemplate} from '../../templates';
 import {StatusCodes} from 'http-status-codes';
 import {getUserFromSession} from './get-user-from-session';
-import {Dependencies} from '../dependencies';
+import {Dependencies} from '../../dependencies';
 import {
   html,
-  HtmlSubstitution,
   CompleteHtmlDocument,
   sanitizeString,
   safe,
-} from '../types/html';
+} from '../../types/html';
 
 export const logIn =
   (deps: Dependencies) =>
@@ -57,19 +56,6 @@ export const auth = (req: Request, res: Response<CompleteHtmlDocument>) => {
   );
 };
 
-export const invalidLink =
-  (logInPath: HtmlSubstitution) =>
-  (req: Request, res: Response<CompleteHtmlDocument>) => {
-    res
-      .status(StatusCodes.UNAUTHORIZED)
-      .send(
-        oopsPage(
-          html`The link you have used is (no longer) valid. Go back to the
-            <a href=${logInPath}>log in</a> page.`
-        )
-      );
-  };
-
 export const landing = (req: Request, res: Response<CompleteHtmlDocument>) => {
   const index = req.originalUrl.indexOf('?');
   const suffix = index === -1 ? '' : req.originalUrl.slice(index);

src/authentication/login/invalid-link.ts

@@ -0,0 +1,22 @@
+import {Request, Response} from 'express';
+import {oopsPage} from '../../templates';
+import {StatusCodes} from 'http-status-codes';
+import {
+  html,
+  HtmlSubstitution,
+  CompleteHtmlDocument,
+} from '../../types/html';
+
+
+export const invalidLink =
+  (logInPath: HtmlSubstitution) =>
+  (req: Request, res: Response<CompleteHtmlDocument>) => {
+    res
+      .status(StatusCodes.UNAUTHORIZED)
+      .send(
+        oopsPage(
+          html`The link you have used is (no longer) valid. Go back to the
+            <a href=${logInPath}>log in</a> page.`
+        )
+      );
+  };

src/authentication/log-in-page.ts src/authentication/login/log-in-page.tssrc/authentication/log-in-page.ts renamed to src/authentication/login/log-in-page.ts

@@ -1,6 +1,6 @@
 import {pipe} from 'fp-ts/lib/function';
-import {html, safe} from '../types/html';
-import {isolatedPageTemplate} from '../templates/page-template';
+import {html, safe} from '../../types/html';
+import {isolatedPageTemplate} from '../../templates/page-template';
 
 export const logInPage = pipe(
   html`

src/authentication/magic-link.ts src/authentication/login/magic-link.tssrc/authentication/magic-link.ts renamed to src/authentication/login/magic-link.ts

@@ -1,39 +1,44 @@
 import {pipe} from 'fp-ts/lib/function';
 import * as E from 'fp-ts/Either';
 import * as t from 'io-ts';
-import {failure} from '../types';
 import {Strategy as CustomStrategy} from 'passport-custom';
-import jwt from 'jsonwebtoken';
-import {Config} from '../configuration';
-import {Dependencies} from '../dependencies';
-import {User} from '../types/user';
-import {logPassThru} from '../util';
+import {Config} from '../../configuration';
+import {Dependencies} from '../../dependencies';
+import {User} from '../../types/user';
+import {logPassThru} from '../../util';
 import {Logger} from 'pino';
+import {createSignedToken, verifyToken} from '../signed-token';
+import { EmailAddressCodec } from '../../types';
+
+const MagicLinkTokenPayload = t.strict({
+  memberNumber: t.number,
+  emailAddress: EmailAddressCodec,
+  purpose: t.literal('MagicLinkToken')
+});
+type MagicLinkTokenPayload = t.TypeOf<typeof MagicLinkTokenPayload>;
 
 const createMagicLink = (conf: Config) => (user: User) =>
   pipe(
-    jwt.sign(user, conf.TOKEN_SECRET, {expiresIn: '10m'}),
+    {
+      ...user,
+      purpose: 'MagicLinkToken',
+    },
+    createSignedToken<MagicLinkTokenPayload>(conf, '10m'),
     token => `${conf.PUBLIC_URL}/auth/landing?token=${token}`
   );
 
 const MagicLinkQuery = t.strict({
   token: t.string,
 });
 
-const verifyToken = (token: string, secret: Config['TOKEN_SECRET']) =>
-  E.tryCatch(
-    () => jwt.verify(token, secret),
-    failure('Could not verify token')
-  );
-
-const decodeMagicLinkFromQuery =
+export const decodeMagicLinkFromQuery =
   (logger: Logger, conf: Config) => (input: unknown) =>
     pipe(
       input,
       logPassThru(logger, 'Attempting to decode magic link from query'), // Logging is required as a basic form of auth enumeration detection.
       MagicLinkQuery.decode,
       E.chainW(({token}) => verifyToken(token, conf.TOKEN_SECRET)),
-      E.chainW(User.decode)
+      E.chainW(MagicLinkTokenPayload.decode)
     );
 
 const strategy = (deps: Dependencies, conf: Config) => {

…ication/parse-email-address-from-body.ts …n/login/parse-email-address-from-body.tssrc/authentication/parse-email-address-from-body.ts renamed to src/authentication/login/parse-email-address-from-body.ts src/authentication/parse-email-address-from-body.ts renamed to src/authentication/login/parse-email-address-from-body.ts

@@ -2,7 +2,7 @@ import * as E from 'fp-ts/Either';
 import {flow, pipe} from 'fp-ts/lib/function';
 import * as t from 'io-ts';
 import {formatValidationErrors} from 'io-ts-reporters';
-import {EmailAddress, EmailAddressCodec} from '../types';
+import {EmailAddress, EmailAddressCodec} from '../../types';
 
 const BodyCodec = t.type({
   email: EmailAddressCodec,