@robelest/convex-auth 0.0.2 → 0.0.3-preview.1

package/src/server/convex-auth.ts

@@ -6,11 +6,24 @@
  * ```ts
  * // convex/auth.ts
  * import { Auth, Portal } from "@robelest/convex-auth/component";
- * import github from "@auth/core/providers/github";
+ * import google from "@auth/core/providers/google";
  * import { components } from "./_generated/api";
  *
  * export const auth = new Auth(components.auth, {
- *   providers: [github],
+ *   providers: [google],
+ *   email: {
+ *     from: "My App <noreply@example.com>",
+ *     send: async (_ctx, { from, to, subject, html }) => {
+ *       await fetch("https://api.resend.com/emails", {
+ *         method: "POST",
+ *         headers: {
+ *           Authorization: `Bearer ${process.env.AUTH_RESEND_KEY}`,
+ *           "Content-Type": "application/json",
+ *         },
+ *         body: JSON.stringify({ from, to, subject, html }),
+ *       });
+ *     },
+ *   },
  * });
  * export const { signIn, signOut, store } = auth;
  * export const { portalQuery, portalMutation, portalInternal } = Portal(auth);
@@ -23,27 +36,36 @@ import {
   queryGeneric,
   mutationGeneric,
   internalMutationGeneric,
+  httpActionGeneric,
 } from "convex/server";
 import type { HttpRouter } from "convex/server";
 import { v } from "convex/values";
 import type { ComponentApi as AuthComponentApi } from "../component/_generated/component.js";
 import { Auth as AuthFactory } from "./implementation/index.js";
-import type { ConvexAuthConfig } from "./types.js";
+import type { ConvexAuthConfig, EmailTransport } from "./types.js";
 import { registerStaticRoutes } from "@convex-dev/self-hosting";
 import { portalMagicLinkEmail } from "./portal-email.js";
-import email from "../providers/email.js";
+import { defaultMagicLinkEmail } from "./email-templates.js";
+import emailProvider from "../providers/email.js";
+import { AUTH_VERSION } from "./version.js";
+import { throwAuthError } from "./errors.js";
 
 // ============================================================================
 // Types
 // ============================================================================
 
 /**
- * Config for the ConvexAuth class. Extends the standard auth config.
+ * Config for the Auth class. Extends the standard auth config
+ * minus `component` (which is passed as the first constructor argument).
  *
- * Portal functionality (admin dashboard, magic link provider, static hosting)
- * is always available — no configuration flag needed. The portal UI works
- * when you export `portalQuery`, `portalMutation`, `portalInternal` from
- * your `convex/auth.ts` and upload the portal static files via CLI.
+ * When `email` is configured, the library auto-registers:
+ * - A magic link provider (`id: "email"`) for user-facing sign-in
+ * - A portal provider (`id: "portal"`) for admin dashboard sign-in
+ *
+ * Portal functionality is always available — no configuration flag
+ * needed. The portal UI works when you export `portalQuery`,
+ * `portalMutation`, `portalInternal` from your `convex/auth.ts`
+ * and upload the portal static files via CLI.
  */
 export type AuthClassConfig = Omit<ConvexAuthConfig, "component">;
 
@@ -70,7 +92,7 @@ async function requirePortalAdmin(
       invite.role === "portalAdmin" && invite.acceptedByUserId === userId,
   );
   if (!isAdmin) {
-    throw new Error("Not authorized: portal admin access required");
+    throwAuthError("PORTAL_NOT_AUTHORIZED");
   }
 }
 
@@ -84,7 +106,11 @@ async function requirePortalAdmin(
  *
  * ```ts
  * export const auth = new Auth(components.auth, {
- *   providers: [github, resend({ ... })],
+ *   providers: [google, password],
+ *   email: {
+ *     from: "My App <noreply@example.com>",
+ *     send: (ctx, params) => resend.sendEmail(ctx, params),
+ *   },
  * });
  * export const { signIn, signOut, store } = auth;
  * export const { portalQuery, portalMutation, portalInternal } = Portal(auth);
@@ -106,23 +132,29 @@ export class Auth {
   readonly portalUrl: string;
 
   // ---- Proxied auth helper sub-objects ----
-  /** User helpers: `.current(ctx)`, `.require(ctx)`, `.get(ctx, userId)`, `.viewer(ctx)` */
+  /** User helpers: `.current(ctx)`, `.require(ctx)`, `.get(ctx, userId)`, `.patch(ctx, userId, data)`, `.viewer(ctx)`, `.group.list(ctx, ...)`, `.group.get(ctx, ...)` */
   get user() { return this._auth.user; }
-  /** Session helpers */
+  /** Session helpers: `.current(ctx)`, `.invalidate(ctx, { userId, except? })` */
   get session() { return this._auth.session; }
-  /** Provider helpers */
+  /** Provider helpers: `.signIn(ctx, provider, args)` */
   get provider() { return this._auth.provider; }
-  /** Account helpers */
+  /** Account helpers: `.create(ctx, args)`, `.get(ctx, args)`, `.updateCredentials(ctx, args)` */
   get account() { return this._auth.account; }
-  /** Group helpers */
+  /** Group helpers: `.create(ctx, ...)`, `.get(ctx, id)`, `.list(ctx, ...)`, `.update(ctx, ...)`, `.delete(ctx, id)`, `.member.*` */
   get group() { return this._auth.group; }
-  /** Invite helpers */
+  /** Invite helpers: `.create(ctx, ...)`, `.get(ctx, id)`, `.getByTokenHash(ctx, hash)`, `.list(ctx, ...)`, `.accept(ctx, ...)`, `.revoke(ctx, id)` */
   get invite() { return this._auth.invite; }
-  /** Passkey helpers */
+  /** Passkey helpers: `.list(ctx, { userId })`, `.rename(ctx, id, name)`, `.remove(ctx, id)` */
   get passkey() { return this._auth.passkey; }
-  /** TOTP helpers */
+  /** TOTP helpers: `.list(ctx, { userId })`, `.remove(ctx, id)` */
   get totp() { return this._auth.totp; }
+  /** API key helpers: `.create(ctx, ...)`, `.verify(ctx, rawKey)`, `.list(ctx, ...)`, `.get(ctx, id)`, `.update(ctx, ...)`, `.revoke(ctx, id)`, `.remove(ctx, id)` */
+  get key() { return this._auth.key; }
 
+  /**
+   * @param component - The auth component reference from `components.auth`.
+   * @param config - Auth configuration (providers, email transport, session, JWT, callbacks).
+   */
   constructor(component: AuthComponentApi, config: AuthClassConfig) {
     this.component = component;
 
@@ -131,45 +163,78 @@ export class Auth {
       ? `${process.env.CONVEX_SITE_URL.replace(/\/$/, "")}/auth`
       : "/auth";
 
-    // Auto-register the `portal` email provider for magic link sign-in
+    const emailTransport = config.email;
     const providers = [...config.providers];
+
+    // Auto-register user-facing magic link provider when email is configured.
+    // Skipped if the user already registered their own provider with id "email".
+    const hasUserEmailProvider = providers.some(
+      (p) => typeof p === "object" && "id" in p && p.id === "email",
+    );
+    if (emailTransport && !hasUserEmailProvider) {
+      providers.push(
+        emailProvider({
+          id: "email",
+          maxAge: 60 * 60 * 24, // 24 hours
+          authorize: undefined, // Magic link — no OTP email check needed
+          async sendVerificationRequest({ identifier, url }, ctx) {
+            if (!ctx) {
+              throwAuthError("MISSING_ACTION_CONTEXT");
+            }
+            const { host } = new URL(url);
+            await emailTransport.send(ctx, {
+              from: emailTransport.from,
+              to: identifier,
+              subject: `Sign in to ${host}`,
+              html: defaultMagicLinkEmail(url, host),
+            });
+          },
+        }),
+      );
+    }
+
+    // Auto-register portal admin magic link provider.
+    // Uses its own styled dark-theme email template.
     providers.push(
-      email({
+      emailProvider({
         id: "portal",
         maxAge: 60 * 60 * 24, // 24 hours
-        authorize: undefined, // Magic link — no email check needed
-        async sendVerificationRequest({ identifier, url, expires }) {
+        authorize: undefined, // Magic link — no OTP email check needed
+        async sendVerificationRequest({ identifier, url, expires }, ctx) {
+          if (!emailTransport) {
+            throwAuthError("EMAIL_CONFIG_REQUIRED");
+          }
+          if (!ctx) {
+            throwAuthError("MISSING_ACTION_CONTEXT");
+          }
+
+          // Check authorization BEFORE sending — only portal-authorized emails
+          const invites = await ctx.runQuery(component.public.inviteList, {
+            status: "accepted",
+          });
+          const hasAccess = invites.some(
+            (invite: any) => invite.role === "portalAdmin" && invite.email === identifier,
+          );
+          if (!hasAccess) {
+            throwAuthError("PORTAL_NOT_AUTHORIZED");
+          }
+
           const hours = Math.max(
             1,
             Math.floor((+expires - Date.now()) / (60 * 60 * 1000)),
           );
-          const html = portalMagicLinkEmail(url, hours);
-          const siteUrl = process.env.CONVEX_SITE_URL;
-          if (!siteUrl) {
-            throw new Error(
-              "CONVEX_SITE_URL is required to send portal magic link email",
-            );
-          }
-          const response = await fetch(`${siteUrl}/auth-email-dispatch`, {
-            method: "POST",
-            headers: {
-              "Content-Type": "application/json",
-              ...(process.env.AUTH_EMAIL_DISPATCH_SECRET
-                ? {
-                    "x-auth-email-dispatch-secret":
-                      process.env.AUTH_EMAIL_DISPATCH_SECRET,
-                  }
-                : {}),
-            },
-            body: JSON.stringify({
+          try {
+            await emailTransport.send(ctx, {
+              from: emailTransport.from,
               to: identifier,
-              subject: "Sign in to Convex Auth Portal",
-              html,
-            }),
-          });
-          if (!response.ok) {
-            throw new Error(
-              `Could not send portal magic link email: ${response.status}`,
+              subject: "Sign in to Auth Portal",
+              html: portalMagicLinkEmail(url, hours),
+            });
+          } catch (e: unknown) {
+            throwAuthError(
+              "EMAIL_SEND_FAILED",
+              "Failed to send portal sign-in email.",
+              { detail: e instanceof Error ? e.message : String(e) },
             );
           }
         },
@@ -203,6 +268,10 @@ export class Auth {
    * auth.addHttpRoutes(http);
    * export default http;
    * ```
+   *
+   * @param http - The Convex HTTP router to register routes on.
+   * @param opts.pathPrefix - URL prefix for portal static files. Defaults to `"/auth"`.
+   * @param opts.spaFallback - Serve `index.html` for unmatched sub-paths. Defaults to `true`.
    */
   addHttpRoutes(
     http: HttpRouter,
@@ -211,9 +280,36 @@ export class Auth {
     // Core auth routes (OAuth, JWKS, etc.)
     this._auth.addHttpRoutes(http);
 
-    // Portal static file serving
     const prefix = opts?.pathPrefix ?? "/auth";
 
+    // Portal configuration endpoint — serves Convex URLs + version info.
+    // The portal SPA fetches this at startup to discover its Convex backend,
+    // which is critical for custom domain deployments where the hostname
+    // alone doesn't reveal the Convex cloud URL.
+    // Registered as an exact path match before the static file prefix catch-all.
+    http.route({
+      path: `${prefix}/.well-known/portal-config`,
+      method: "GET",
+      handler: httpActionGeneric(async () => {
+        return new Response(
+          JSON.stringify({
+            convexUrl: process.env.CONVEX_CLOUD_URL,
+            siteUrl: process.env.CONVEX_SITE_URL,
+            version: AUTH_VERSION,
+          }),
+          {
+            status: 200,
+            headers: {
+              "Content-Type": "application/json",
+              "Cache-Control":
+                "public, max-age=60, stale-while-revalidate=60",
+              "Access-Control-Allow-Origin": "*",
+            },
+          },
+        );
+      }),
+    });
+
     // Create a shim that maps the self-hosting ComponentApi shape
     // to the auth component's portalBridge functions
     const selfHostingShim = {
@@ -241,15 +337,17 @@ export class Auth {
 // ============================================================================
 
 /**
- * Create portal function definitions from a ConvexAuth instance.
+ * Create portal function definitions from an `Auth` instance.
  *
- * This is a standalone function (not a class method) because Convex's
- * bundler can trace through `export const { x } = fn(instance)` but
- * cannot trace through `instance.method()`.
+ * Standalone function (not a class method) because Convex's bundler
+ * can trace `export const { x } = fn(instance)` but not `instance.method()`.
  *
  * ```ts
  * export const { portalQuery, portalMutation, portalInternal } = Portal(auth);
  * ```
+ *
+ * @param auth - The `Auth` class instance from your `convex/auth.ts`.
+ * @returns `{ portalQuery, portalMutation, portalInternal }` — export all three.
  */
 export function Portal(auth: Auth) {
   const authComponent = auth.component;
@@ -309,7 +407,7 @@ export function Portal(auth: Auth) {
         case "validateInvite": {
           // userId param repurposed as tokenHash for this action
           const tokenHash = userId;
-          if (!tokenHash) throw new Error("tokenHash required");
+          if (!tokenHash) throwAuthError("INVITE_TOKEN_REQUIRED");
           const invite = await ctx.runQuery(
             authComponent.public.inviteGetByTokenHash,
             { tokenHash },
@@ -328,8 +426,22 @@ export function Portal(auth: Auth) {
             authComponent.portalBridge.getCurrentDeployment,
           );
 
+        // ---- API Keys (portal admin) ----
+        case "listKeys":
+          return await ctx.runQuery(authComponent.public.keyList);
+
+        case "getUserKeys":
+          return await ctx.runQuery(authComponent.public.keyListByUserId, {
+            userId: userId!,
+          });
+
+        case "getKey":
+          return await ctx.runQuery(authComponent.public.keyGetById, {
+            keyId: userId!, // userId param repurposed as keyId
+          });
+
         default:
-          throw new Error(`Unknown portal query action: ${action}`);
+          throwAuthError("PORTAL_UNKNOWN_ACTION", `Unknown portal query action: ${action}`);
       }
     },
   });
@@ -339,30 +451,42 @@ export function Portal(auth: Auth) {
       action: v.string(),
       sessionId: v.optional(v.string()),
       tokenHash: v.optional(v.string()),
+      // API key fields
+      keyId: v.optional(v.string()),
+      keyUserId: v.optional(v.string()),
+      keyName: v.optional(v.string()),
+      keyScopes: v.optional(
+        v.array(
+          v.object({
+            resource: v.string(),
+            actions: v.array(v.string()),
+          }),
+        ),
+      ),
+      keyRateLimit: v.optional(
+        v.object({
+          maxRequests: v.number(),
+          windowMs: v.number(),
+        }),
+      ),
+      keyExpiresAt: v.optional(v.number()),
     },
-    handler: async (
-      ctx: any,
-      {
-        action,
-        sessionId,
-        tokenHash,
-      }: { action: string; sessionId?: string; tokenHash?: string },
-    ) => {
+    handler: async (ctx: any, args: any) => {
       const currentUserId = await authHelper.user.require(ctx);
 
-      switch (action) {
+      switch (args.action) {
         case "acceptInvite": {
-          if (!tokenHash) throw new Error("tokenHash required");
+          if (!args.tokenHash) throwAuthError("INVITE_TOKEN_REQUIRED");
           const invite = await ctx.runQuery(
             authComponent.public.inviteGetByTokenHash,
-            { tokenHash },
+            { tokenHash: args.tokenHash },
           );
-          if (!invite) throw new Error("Invalid invite token");
+          if (!invite) throwAuthError("INVALID_INVITE");
           if (invite.status !== "pending") {
-            throw new Error(`Invite already ${invite.status}`);
+            throwAuthError("INVITE_ALREADY_USED", `Invite already ${invite.status}`);
           }
           if (invite.expiresTime && invite.expiresTime < Date.now()) {
-            throw new Error("Invite has expired");
+            throwAuthError("INVITE_EXPIRED");
           }
           await ctx.runMutation(authComponent.public.inviteAccept, {
             inviteId: invite._id,
@@ -374,13 +498,49 @@ export function Portal(auth: Auth) {
         case "revokeSession": {
           await requirePortalAdmin(ctx, authComponent, currentUserId);
           await ctx.runMutation(authComponent.public.sessionDelete, {
-            sessionId: sessionId!,
+            sessionId: args.sessionId!,
+          });
+          return;
+        }
+
+        // ---- API Keys (portal admin) ----
+        case "createKey": {
+          await requirePortalAdmin(ctx, authComponent, currentUserId);
+          const result = await authHelper.key.create(ctx, {
+            userId: args.keyUserId!,
+            name: args.keyName!,
+            scopes: args.keyScopes ?? [],
+            rateLimit: args.keyRateLimit,
+            expiresAt: args.keyExpiresAt,
           });
+          // Return the raw key — portal will show it once
+          return result;
+        }
+
+        case "revokeKey": {
+          await requirePortalAdmin(ctx, authComponent, currentUserId);
+          await authHelper.key.revoke(ctx, args.keyId!);
+          return;
+        }
+
+        case "deleteKey": {
+          await requirePortalAdmin(ctx, authComponent, currentUserId);
+          await authHelper.key.remove(ctx, args.keyId!);
+          return;
+        }
+
+        case "updateKey": {
+          await requirePortalAdmin(ctx, authComponent, currentUserId);
+          const data: Record<string, any> = {};
+          if (args.keyName) data.name = args.keyName;
+          if (args.keyScopes) data.scopes = args.keyScopes;
+          if (args.keyRateLimit) data.rateLimit = args.keyRateLimit;
+          await authHelper.key.update(ctx, args.keyId!, data);
           return;
         }
 
         default:
-          throw new Error(`Unknown portal mutation action: ${action}`);
+          throwAuthError("PORTAL_UNKNOWN_ACTION", `Unknown portal mutation action: ${args.action}`);
       }
     },
   });
@@ -461,10 +621,162 @@ export function Portal(auth: Auth) {
         }
 
         default:
-          throw new Error(`Unknown portalInternal action: ${args.action}`);
+          throwAuthError("PORTAL_UNKNOWN_ACTION", `Unknown portalInternal action: ${args.action}`);
       }
     },
   });
 
   return { portalQuery, portalMutation, portalInternal };
 }
+
+// ============================================================================
+// AuthCtx — ctx enrichment for customQuery / customMutation
+// ============================================================================
+
+/**
+ * Configuration for auth context enrichment.
+ */
+export type AuthCtxConfig = {
+  /**
+   * When `true`, unauthenticated requests set `ctx.auth.userId` and
+   * `ctx.auth.user` to `null` instead of throwing.
+   *
+   * @default false
+   */
+  optional?: boolean;
+  /**
+   * Resolve additional context after authentication succeeds (e.g.
+   * group/role for multi-tenant apps). The returned object is spread
+   * into `ctx.auth`.
+   */
+  resolve?: (
+    ctx: any,
+    user: any,
+  ) => Promise<Record<string, unknown>> | Record<string, unknown>;
+};
+
+/**
+ * Create a `convex-helpers`–compatible customization object that
+ * enriches `ctx.auth` with the authenticated user's data.
+ *
+ * Standalone function (not a class method) because Convex's bundler
+ * can trace `export const x = fn(instance)` but not `instance.method()`.
+ *
+ * ### Basic usage (with `convex-helpers`)
+ *
+ * ```ts
+ * // convex/functions.ts
+ * import { customQuery, customMutation } from "convex-helpers/server/customFunctions";
+ * import { query as rawQuery, mutation as rawMutation } from "./_generated/server";
+ * import { AuthCtx } from "\@robelest/convex-auth/component";
+ * import { auth } from "./auth";
+ *
+ * const authCtx = AuthCtx(auth);
+ *
+ * export const query = customQuery(rawQuery, authCtx);
+ * export const mutation = customMutation(rawMutation, authCtx);
+ * ```
+ *
+ * Then in any function file:
+ *
+ * ```ts
+ * // convex/messages.ts
+ * import { query, mutation } from "./functions";
+ *
+ * export const list = query({
+ *   args: {},
+ *   handler: async (ctx) => {
+ *     // ctx.auth.userId and ctx.auth.user are already resolved
+ *     return ctx.db.query("messages").collect();
+ *   },
+ * });
+ * ```
+ *
+ * ### Optional auth (public routes)
+ *
+ * ```ts
+ * export const publicQuery = customQuery(rawQuery, AuthCtx(auth, { optional: true }));
+ * // ctx.auth.userId is null when unauthenticated
+ * ```
+ *
+ * ### Multi-tenant with group resolution
+ *
+ * ```ts
+ * const authCtx = AuthCtx(auth, {
+ *   resolve: async (ctx, user) => {
+ *     const groupId = user?.extend?.lastActiveGroup;
+ *     const membership = await auth.user.group.get(ctx, {
+ *       userId: user._id,
+ *       groupId,
+ *     });
+ *     return { groupId, role: membership?.role ?? "member" };
+ *   },
+ * });
+ * // ctx.auth.groupId and ctx.auth.role available in handlers
+ * ```
+ *
+ * @param auth - The `Auth` class instance from your `convex/auth.ts`.
+ * @param config - Optional configuration for optional auth and group resolution.
+ * @returns A `{ args, input }` customization object compatible with
+ *          `customQuery` / `customMutation` from `convex-helpers`.
+ */
+export function AuthCtx(auth: Auth, config?: AuthCtxConfig) {
+  const authHelper = (auth as any)._auth;
+
+  return {
+    args: {},
+    input: async (ctx: any, _args: any, _extra?: any) => {
+      const nativeAuth = ctx.auth;
+
+      if (config?.optional) {
+        const userId = await authHelper.user.current(ctx);
+        if (!userId) {
+          return {
+            ctx: {
+              auth: {
+                getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),
+                userId: null,
+                user: null,
+              },
+            },
+            args: {},
+          };
+        }
+        const user = await authHelper.user.get(ctx, userId);
+        const extra = config.resolve
+          ? await config.resolve(ctx, user)
+          : {};
+        return {
+          ctx: {
+            auth: {
+              getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),
+              userId,
+              user,
+              ...extra,
+            },
+          },
+          args: {},
+        };
+      }
+
+      // Required mode (default): throws NOT_SIGNED_IN
+      const userId = await authHelper.user.require(ctx);
+      const user = await authHelper.user.get(ctx, userId);
+      const extra = config?.resolve
+        ? await config.resolve(ctx, user)
+        : {};
+
+      return {
+        ctx: {
+          auth: {
+            getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),
+            userId,
+            user,
+            ...extra,
+          },
+        },
+        args: {},
+      };
+    },
+  };
+}

package/src/server/email-templates.ts

@@ -0,0 +1,77 @@
+/**
+ * Default email templates generated by the Auth library.
+ *
+ * These are used when the library sends emails on behalf of the developer
+ * (magic links, portal admin sign-in). The developer provides the transport
+ * via `email.send`; the library provides the content.
+ *
+ * @module
+ */
+
+/**
+ * Default magic link email template.
+ *
+ * Clean, minimal design that works across email clients.
+ * Used by the auto-registered `email` provider when `email` is
+ * configured in the Auth constructor.
+ */
+export function defaultMagicLinkEmail(url: string, host: string): string {
+  const escapedHost = host.replace(/[&<>"']/g, (c) =>
+    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]!,
+  );
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Sign in to ${escapedHost}</title>
+</head>
+<body style="margin:0;padding:0;background-color:#f9fafb;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;">
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background-color:#f9fafb;padding:40px 16px;">
+    <tr>
+      <td align="center">
+        <table role="presentation" width="480" cellpadding="0" cellspacing="0" style="background-color:#ffffff;border:1px solid #e5e7eb;border-radius:8px;overflow:hidden;">
+          <tr>
+            <td style="padding:32px 32px 0 32px;text-align:center;">
+              <h1 style="margin:0 0 8px 0;font-size:20px;font-weight:600;color:#111827;line-height:1.3;">
+                Sign in to ${escapedHost}
+              </h1>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:24px 32px;">
+              <p style="margin:0 0 24px 0;font-size:15px;line-height:1.6;color:#4b5563;text-align:center;">
+                Click the button below to sign in. This link will expire shortly.
+              </p>
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+                <tr>
+                  <td align="center" style="padding:0 0 24px 0;">
+                    <a href="${url}" target="_blank" style="display:inline-block;background-color:#111827;color:#ffffff;font-size:15px;font-weight:600;text-decoration:none;padding:12px 32px;border-radius:6px;line-height:1;">
+                      Sign in
+                    </a>
+                  </td>
+                </tr>
+              </table>
+              <p style="margin:0 0 12px 0;font-size:13px;line-height:1.6;color:#9ca3af;">
+                If the button doesn't work, copy and paste this URL into your browser:
+              </p>
+              <p style="margin:0;font-size:13px;line-height:1.5;color:#6b7280;word-break:break-all;">
+                ${url}
+              </p>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:20px 32px;border-top:1px solid #e5e7eb;">
+              <p style="margin:0;font-size:12px;line-height:1.5;color:#9ca3af;text-align:center;">
+                If you didn't request this email, you can safely ignore it.
+              </p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`;
+}