sveltekit-auth-example 5.6.1 → 5.8.2

package/.env.example

@@ -2,6 +2,8 @@ DATABASE_URL=postgres://REPLACE_WITH_USER:REPLACE_WITH_PASSWORD@localhost:5432/a
 DATABASE_SSL=false
 DOMAIN=http://localhost:3000
 JWT_SECRET=replace_with_your_own
-SENDGRID_KEY=replace_with_your_own
-SENDGRID_SENDER=replace_with_your_own
-PUBLIC_GOOGLE_CLIENT_ID=REPLACE_WITH_YOUR_OWN
+BREVO_KEY=replace_with_your_own
+EMAIL=replace_with_your_own
+PUBLIC_GOOGLE_CLIENT_ID=replace_with_your_own
+PUBLIC_TURNSTILE_SITE_KEY=replace_with_your_own
+TURNSTILE_SECRET_KEY=replace_with_your_own

package/CHANGELOG.md

@@ -2,6 +2,34 @@
 
 - Add password complexity checking on /register and /profile pages (only checks for length currently despite what the pages say)
 
+# 5.8.2
+
+- Add Chrome DevTools
+
+# 5.8.1
+
+- Fix MFA verification code always showing "6-digit verification code required" for valid codes: replaced `form.checkValidity()` and `codeInput.checkValidity()` (which picked up Cloudflare Turnstile's injected form elements) with a direct JS regex test against the bound `mfaCode` value
+- Move `<Turnstile>` outside the MFA `<form>` so its injected inputs are never part of the form's element collection
+- Fix `google is not defined` crash on hard reload of `/login`: Google GSI script is loaded `async defer` and may not be ready when `onMount` fires; added `whenGoogleReady()` helper in `src/lib/google.ts` that polls until `google` is available (up to 10 s) before calling `initializeGoogleAccounts()` and `renderGoogleButton()`
+
+# 5.8.0
+
+- Replace SendGrid with Brevo for all transactional email (password reset, email verification, MFA code)
+- New `src/lib/server/brevo.ts` sends email via the Brevo API with exponential-backoff retry logic (up to 4 attempts), 30-second per-request timeout, and `Retry-After` header support
+- Email templates (`password-reset.ts`, `mfa-code.ts`, `verify-email.ts`) updated to use Brevo message format (`sender`, `to[]`, `htmlContent`, `tags`)
+- Env vars changed: `SENDGRID_KEY` → `BREVO_KEY`, `SENDGRID_SENDER` → `EMAIL`
+- `app.d.ts` `PrivateEnv` updated to reflect new env vars
+- README updated with Brevo setup instructions and new env var names
+
+# 5.7.0
+
+- Add Cloudflare Turnstile CAPTCHA to login, register, forgot password, MFA, and password reset forms
+- New `src/lib/Turnstile.svelte` reusable Svelte 5 component wraps the Turnstile widget with `reset()` export
+- New `src/lib/server/turnstile.ts` server-side token verification utility (`verifyTurnstileToken`)
+- All auth endpoints verify the Turnstile challenge token before processing requests
+- New env vars: `PUBLIC_TURNSTILE_SITE_KEY` (client) and `TURNSTILE_SECRET_KEY` (server)
+- Extend `app.d.ts` with `PublicEnv`, `PrivateEnv` (add `TURNSTILE_SECRET_KEY`), and `Window.turnstile` types; wrap in `declare global`
+
 # 5.6.1
 
 - Add JSDoc comments throughout the codebase (`app.d.ts`, server hooks, route handlers, lib utilities, Svelte components)

package/README.md

@@ -4,7 +4,7 @@
 [![Node](https://img.shields.io/node/v/sveltekit-auth-example)](https://nodejs.org)
 [![Svelte](https://img.shields.io/badge/Svelte-5-orange)](https://svelte.dev)
 
-A complete, production-ready authentication and authorization starter for **Svelte 5** and **SvelteKit 2**. Skip the boilerplate — get secure local accounts, Google OAuth, MFA, email verification, role-based access control, and OWASP-compliant password hashing out of the box.
+A complete, production-ready authentication and authorization starter for **Svelte 5** and **SvelteKit 2**. Skip the boilerplate — get secure local accounts, Google OAuth, MFA, email verification, role-based access control, OWASP-compliant password hashing, and bot protection out of the box.
 
 ## Features
 
@@ -12,10 +12,11 @@ A complete, production-ready authentication and authorization starter for **Svel
 | ---------------------------------------------- | --------------------------------------- |
 | ✅ Local accounts (email + password)           | ✅ Sign in with Google / Google One Tap |
 | ✅ Multi-factor authentication (MFA via email) | ✅ Email verification                   |
-| ✅ Forgot password / email reset (SendGrid)    | ✅ User profile management              |
+| ✅ Forgot password / email reset (Brevo)       | ✅ User profile management              |
 | ✅ Session management + timeout                | ✅ Rate limiting                        |
 | ✅ Role-based access control                   | ✅ Password complexity enforcement      |
 | ✅ Content Security Policy (CSP)               | ✅ OWASP-compliant password hashing     |
+| ✅ Cloudflare Turnstile CAPTCHA (bot protection) |                                       |
 
 ## Stack
 
@@ -28,8 +29,9 @@ A complete, production-ready authentication and authorization starter for **Svel
 
 - Node.js 24.14.0 or later
 - PostgreSQL 16 or later
-- A [SendGrid](https://sendgrid.com) account (for password reset emails)
+- A [Brevo](https://brevo.com) account (for transactional emails)
 - A [Google API client ID](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid) (for Sign in with Google)
+- A [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/) site key and secret key (for bot protection on auth forms)
 
 ## Setting up the project
 
@@ -49,7 +51,7 @@ bash db_create.sh
 
 2. Create a **Google API client ID** per [these instructions](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid). Make sure you include `http://localhost:3000` and `http://localhost` in the Authorized JavaScript origins, and `http://localhost:3000/auth/google/callback` in the Authorized redirect URIs for your Client ID for Web application. **Do not access the site using http://127.0.0.1:3000** — use `http://localhost:3000` or it will not work.
 
-3. [Create a free Twilio SendGrid account](https://signup.sendgrid.com) and generate an API Key following [this documentation](https://docs.sendgrid.com/ui/account-and-settings/api-keys) and add a sender as documented [here](https://docs.sendgrid.com/ui/sending-email/senders).
+3. [Create a free Brevo account](https://app.brevo.com/account/register) and generate an API Key under **SMTP & API** settings. Set `EMAIL` to the sender address verified in your Brevo account.
 
 4. Create a **.env** file at the top level of the project with the following values (substituting your own id and PostgreSQL username and password):
 
@@ -58,9 +60,11 @@ DATABASE_URL=postgres://user:password@localhost:5432/auth
 DATABASE_SSL=false
 DOMAIN=http://localhost:3000
 JWT_SECRET=replace_with_your_own
-SENDGRID_KEY=replace_with_your_own
-SENDGRID_SENDER=replace_with_your_own
+BREVO_KEY=replace_with_your_own
+EMAIL=replace_with_your_own
 PUBLIC_GOOGLE_CLIENT_ID=replace_with_your_own
+PUBLIC_TURNSTILE_SITE_KEY=replace_with_your_own
+TURNSTILE_SECRET_KEY=replace_with_your_own
 ```
 
 ## Run locally
@@ -86,9 +90,11 @@ The db_create.sql script adds three users to the database with obvious roles:
 
 | Email               | Password   | Role    |
 | ------------------- | ---------- | ------- |
-| admin@example.com   | admin123   | admin   |
-| teacher@example.com | teacher123 | teacher |
-| student@example.com | student123 | student |
+| admin@example.com   | Admin1234!   | admin   |
+| teacher@example.com | Teacher1234! | teacher |
+| student@example.com | Student1234! | student |
+
+> **MFA note:** Local account logins require a 6-digit code sent to the user's email address. To successfully log in with the seed accounts above, either update their email addresses in the database to your own (`UPDATE users SET email = 'you@yourdomain.com' WHERE email = 'admin@example.com';`), or retrieve the code directly from the `mfa_codes` table after submitting the login form (`SELECT code FROM mfa_codes;`).
 
 ## How it works
 

package/db_schema.sql

@@ -357,13 +357,13 @@ $BODY$;
 ALTER FUNCTION public.verify_mfa_code (text, text) OWNER TO auth;
 
 CALL public.upsert_user (
-	'{"id":0, "role":"admin", "email":"admin@example.com", "password":"admin123", "firstName":"Jane", "lastName":"Doe", "phone":"412-555-1212"}'::json
+	'{"id":0, "role":"admin", "email":"admin@example.com", "password":"Admin1234!", "firstName":"Jane", "lastName":"Doe", "phone":"412-555-1212"}'::json
 );
 
 CALL public.upsert_user (
-	'{"id":0, "role":"teacher", "email":"teacher@example.com", "password":"teacher123", "firstName":"John", "lastName":"Doe", "phone":"724-555-1212"}'::json
+	'{"id":0, "role":"teacher", "email":"teacher@example.com", "password":"Teacher1234!", "firstName":"John", "lastName":"Doe", "phone":"724-555-1212"}'::json
 );
 
 CALL public.upsert_user (
-	'{"id":0, "role":"student", "email":"student@example.com", "password":"student123", "firstName":"Justin", "lastName":"Case", "phone":"814-555-1212"}'::json
+	'{"id":0, "role":"student", "email":"student@example.com", "password":"Student1234!", "firstName":"Justin", "lastName":"Case", "phone":"814-555-1212"}'::json
 );

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "sveltekit-auth-example",
 	"description": "SvelteKit Authentication Example",
-	"version": "5.6.1",
+	"version": "5.8.2",
 	"author": "Nate Stuyvesant",
 	"license": "https://github.com/nstuyvesant/sveltekit-auth-example/blob/master/LICENSE",
 	"repository": {
@@ -49,7 +49,7 @@
 		"@sveltejs/adapter-node": "^5.5.4",
 		"@sveltejs/kit": "^2.54.0",
 		"@sveltejs/mcp": "^0.1.21",
-		"@sveltejs/vite-plugin-svelte": "^6.2.4",
+		"@sveltejs/vite-plugin-svelte": "^7.0.0",
 		"@tailwindcss/vite": "^4.2.1",
 		"@types/bootstrap": "5.2.10",
 		"@types/google.accounts": "^0.0.18",
@@ -64,13 +64,14 @@
 		"prettier-plugin-sql": "^0.19.2",
 		"prettier-plugin-svelte": "^3.5.1",
 		"prettier-plugin-tailwindcss": "^0.7.2",
-		"svelte": "^5.53.10",
+		"svelte": "^5.53.11",
 		"svelte-check": "^4.4.5",
 		"tslib": "^2.8.1",
 		"typescript": "^5.9.3",
 		"typescript-eslint": "^8.57.0",
-		"vite": "^7.3.1",
-		"vitest": "^4.0.18",
+		"vite": "^8.0.0",
+		"vite-plugin-devtools-json": "^1.0.0",
+		"vitest": "^4.1.0",
 		"vitest-browser-svelte": "^2.0.2"
 	},
 	"packageManager": "yarn@4.13.0"

package/src/app.d.ts

@@ -3,75 +3,139 @@
 // See https://kit.svelte.dev/docs/types#app
 // for information about these interfaces
 // and what to do when importing types
-declare namespace App {
-	/** Per-request server-side locals populated by `hooks.server.ts`. */
-	interface Locals {
-		/** The authenticated user, or `undefined` when no valid session exists. */
-		user: User | undefined
-	}
+declare global {
+	declare namespace App {
+		/** Per-request server-side locals populated by `hooks.server.ts`. */
+		interface Locals {
+			/** The authenticated user, or `undefined` when no valid session exists. */
+			user: User | undefined
+		}
+
+		// interface Platform {}
+
+		/** Error response returned by the Brevo email API. */
+		interface BrevoErrorResponse {
+			/** Optional machine‑readable error code. */
+			code?: string
+			/** Human‑readable error message. */
+			message?: string
+		}
+
+		/** Successful response returned by the Brevo email API. */
+		interface BrevoSuccessResponse {
+			/** Message identifier assigned by Brevo. */
+			messageId: string
+		}
 
-	// interface Platform {}
+		/** Basic email address with optional display name. */
+		interface EmailAddress {
+			/** Email address string. */
+			email: string
+			/** Optional display name associated with the address. */
+			name?: string
+		}
 
-	/** Private environment variables (server-side only). */
-	interface PrivateEnv {
-		// $env/static/private
-		/** PostgreSQL connection string. */
-		DATABASE_URL: string
-		/** Public-facing domain used to construct email links (e.g. `https://example.com`). */
-		DOMAIN: string
-		/** Secret key used to sign and verify JWTs. */
-		JWT_SECRET: string
-		/** SendGrid API key. */
-		SENDGRID_KEY: string
-		/** Default sender email address for outgoing mail. */
-		SENDGRID_SENDER: string
+		/** Payload used when sending email via Brevo. */
+		interface EmailMessageBrevo {
+			/** Primary recipients. */
+			to: EmailAddress[]
+			/** Carbon‑copy recipients. */
+			cc?: EmailAddress[]
+			/** Blind carbon‑copy recipients. */
+			bcc?: EmailAddress[]
+			/** Sender address. */
+			sender: EmailAddress
+			/** Optional reply‑to address. */
+			replyTo?: EmailAddress
+			/** Subject line for the email. */
+			subject: string
+			/** Additional SMTP or provider‑specific headers. */
+			headers?: Record<string, string>
+			/** Tag names applied to the message. */
+			tags?: string[]
+			/** HTML content of the email. */
+			htmlContent?: string
+			/** Plain‑text content of the email. */
+			textContent?: string
+			/** Attachments encoded as base64 strings. */
+			attachment?: Array<{ content: string; name: string }>
+		}
+
+		/** Private environment variables (server-side only). */
+		interface PrivateEnv {
+			// $env/static/private
+			/** PostgreSQL connection string. */
+			DATABASE_URL: string
+			/** Public-facing domain used to construct email links (e.g. `https://example.com`). */
+			DOMAIN: string
+			/** Secret key used to sign and verify JWTs. */
+			JWT_SECRET: string
+			/** Brevo (Sendinblue) API key. */
+			BREVO_KEY: string
+			/** Default sender email address for outgoing mail. */
+			EMAIL: string
+			/** Cloudflare Turnstile secret key used to verify challenge tokens server-side. */
+			TURNSTILE_SECRET_KEY: string
+		}
+
+		/** Public environment variables (safe to expose to the client). */
+		interface PublicEnv {
+			// $env/static/public
+			/** Google OAuth 2.0 client ID for Google Sign-In. */
+			PUBLIC_GOOGLE_CLIENT_ID: string
+			/** Cloudflare Turnstile site key rendered in the browser widget. */
+			PUBLIC_TURNSTILE_SITE_KEY: string
+		}
 	}
 
-	/** Public environment variables (safe to expose to the client). */
-	interface PublicEnv {
-		// $env/static/public
-		/** Google OAuth 2.0 client ID for Google Sign-In. */
-		PUBLIC_GOOGLE_CLIENT_ID: string
+	/** Result returned by the `authenticate` and `register` SQL functions. */
+	interface AuthenticationResult {
+		/** HTTP status code to use when the operation fails. */
+		statusCode: NumericRange<400, 599>
+		/** Human-readable status message. */
+		status: string
+		/** The authenticated or registered user, if successful. */
+		user: User
+		/** The newly created session ID. */
+		sessionId: string
 	}
-}
 
-/** Result returned by the `authenticate` and `register` SQL functions. */
-interface AuthenticationResult {
-	/** HTTP status code to use when the operation fails. */
-	statusCode: NumericRange<400, 599>
-	/** Human-readable status message. */
-	status: string
-	/** The authenticated or registered user, if successful. */
-	user: User
-	/** The newly created session ID. */
-	sessionId: string
-}
+	/** Raw login credentials submitted by the user. */
+	interface Credentials {
+		email: string
+		password: string
+	}
 
-/** Raw login credentials submitted by the user. */
-interface Credentials {
-	email: string
-	password: string
-}
+	/** Persistent properties stored in the database for a user account. */
+	interface UserProperties {
+		id: number
+		/** ISO-8601 datetime at which the current session expires. */
+		expires?: string
+		role: 'student' | 'teacher' | 'admin'
+		password?: string
+		firstName?: string
+		lastName?: string
+		email?: string
+		phone?: string
+	}
 
-/** Persistent properties stored in the database for a user account. */
-interface UserProperties {
-	id: number
-	/** ISO-8601 datetime at which the current session expires. */
-	expires?: string
-	role: 'student' | 'teacher' | 'admin'
-	password?: string
-	firstName?: string
-	lastName?: string
-	email?: string
-	phone?: string
-}
+	/** A user record, or `undefined`/`null` when unauthenticated. */
+	type User = UserProperties | undefined | null
 
-/** A user record, or `undefined`/`null` when unauthenticated. */
-type User = UserProperties | undefined | null
+	/** A database session paired with its associated user. */
+	interface UserSession {
+		/** UUID session identifier stored in the `session` cookie. */
+		id: string
+		user: User
+	}
 
-/** A database session paired with its associated user. */
-interface UserSession {
-	/** UUID session identifier stored in the `session` cookie. */
-	id: string
-	user: User
+	interface Window {
+		turnstile?: {
+			render: (container: HTMLElement, options: Record<string, unknown>) => string
+			reset: (widgetId: string) => void
+			remove: (widgetId: string) => void
+		}
+	}
 }
+
+export {}

package/src/app.html

@@ -11,6 +11,12 @@
 			async
 			defer
 		></script>
+		<script
+			nonce="%sveltekit.nonce%"
+			src="https://challenges.cloudflare.com/turnstile/v0/api.js"
+			async
+			defer
+		></script>
 		%sveltekit.head%
 	</head>
 	<body data-sveltekit-preload-data="hover">

package/src/lib/Turnstile.svelte

@@ -0,0 +1,53 @@
+<script lang="ts">
+	import { onMount, onDestroy } from 'svelte'
+	import { PUBLIC_TURNSTILE_SITE_KEY } from '$env/static/public'
+
+	interface Props {
+		token: string
+		theme?: 'light' | 'dark' | 'auto'
+	}
+
+	let { token = $bindable(''), theme = 'auto' }: Props = $props()
+
+	let container: HTMLDivElement | undefined = $state()
+	let widgetId: string | undefined
+
+	/** Resets the Turnstile widget and clears the token. Call this after a failed submission. */
+	export function reset() {
+		if (widgetId !== undefined && typeof window !== 'undefined' && window.turnstile) {
+			window.turnstile.reset(widgetId)
+			token = ''
+		}
+	}
+
+	onMount(() => {
+		const tryRender = () => {
+			if (!container || !window.turnstile) {
+				setTimeout(tryRender, 50)
+				return
+			}
+			widgetId = window.turnstile.render(container, {
+				sitekey: PUBLIC_TURNSTILE_SITE_KEY,
+				theme,
+				callback: (t: string) => {
+					token = t
+				},
+				'expired-callback': () => {
+					token = ''
+				},
+				'error-callback': () => {
+					token = ''
+				}
+			})
+		}
+		tryRender()
+	})
+
+	onDestroy(() => {
+		if (widgetId !== undefined && window.turnstile) {
+			window.turnstile.remove(widgetId)
+		}
+	})
+</script>
+
+<div bind:this={container}></div>

package/src/lib/google.ts

@@ -2,6 +2,26 @@ import { PUBLIC_GOOGLE_CLIENT_ID } from '$env/static/public'
 import { appState } from '$lib/app-state.svelte'
 import { redirectAfterLogin } from '$lib/auth-redirect'
 
+/**
+ * Waits for the Google Identity Services SDK to load, then calls `fn`.
+ * Polls every 50 ms; gives up after 10 seconds.
+ */
+function whenGoogleReady(fn: () => void) {
+	if (typeof google !== 'undefined') {
+		fn()
+		return
+	}
+	const deadline = Date.now() + 10_000
+	const id = setInterval(() => {
+		if (typeof google !== 'undefined') {
+			clearInterval(id)
+			fn()
+		} else if (Date.now() > deadline) {
+			clearInterval(id)
+		}
+	}, 50)
+}
+
 /**
  * Renders the Google Sign-In button inside the element with id `googleButton`.
  *
@@ -10,16 +30,18 @@ import { redirectAfterLogin } from '$lib/auth-redirect'
  * correctly within its container.
  */
 export function renderGoogleButton() {
-	const btn = document.getElementById('googleButton')
-	if (btn) {
-		const width = btn.offsetWidth || btn.parentElement?.offsetWidth || 400
-		google.accounts.id.renderButton(btn, {
-			type: 'standard',
-			theme: 'outline',
-			size: 'large',
-			width: Math.floor(width)
-		})
-	}
+	whenGoogleReady(() => {
+		const btn = document.getElementById('googleButton')
+		if (btn) {
+			const width = btn.offsetWidth || btn.parentElement?.offsetWidth || 400
+			google.accounts.id.renderButton(btn, {
+				type: 'standard',
+				theme: 'outline',
+				size: 'large',
+				width: Math.floor(width)
+			})
+		}
+	})
 }
 
 /**
@@ -33,13 +55,15 @@ export function renderGoogleButton() {
  * 3. Redirects the user via {@link redirectAfterLogin}.
  */
 export function initializeGoogleAccounts() {
-	if (!appState.googleInitialized) {
-		google.accounts.id.initialize({
-			client_id: PUBLIC_GOOGLE_CLIENT_ID,
-			callback: googleCallback
-		})
-		appState.googleInitialized = true
-	}
+	whenGoogleReady(() => {
+		if (!appState.googleInitialized) {
+			google.accounts.id.initialize({
+				client_id: PUBLIC_GOOGLE_CLIENT_ID,
+				callback: googleCallback
+			})
+			appState.googleInitialized = true
+		}
+	})
 
 	async function googleCallback(response: google.accounts.id.CredentialResponse) {
 		const res = await fetch('/auth/google', {

package/src/lib/server/brevo.ts

@@ -0,0 +1,179 @@
+// See https://developers.brevo.com/reference/sendtransacemail
+import { env } from '$env/dynamic/private'
+
+/**
+ * Delays execution for the specified number of milliseconds.
+ * @param ms - The number of milliseconds to delay.
+ * @returns A promise that resolves after the specified delay.
+ */
+async function delay(ms: number) {
+	return new Promise(resolve => setTimeout(resolve, ms))
+}
+
+/**
+ * Calculates an exponential backoff delay with jitter for retry attempts.
+ * Formula: 1000ms * 2^(attempt - 1) + random(0-500ms)
+ * Example delays: attempt 1 = 1000-1500ms, attempt 2 = 2000-2500ms, attempt 3 = 4000-4500ms
+ * @param attempt - The retry attempt number (1-based).
+ * @returns The backoff delay in milliseconds with added jitter.
+ */
+function getBackoffDelay(attempt: number) {
+	// attempt: 1, 2, 3 -> 1000, 2000, 4000 (plus jitter)
+	const base = 1000
+	const exponential = base * 2 ** (attempt - 1)
+	const jitter = Math.random() * 500 // 0-500ms jitter
+	return exponential + jitter
+}
+
+/**
+ * Type guard to check if the response data is a Brevo error response.
+ * @param data - The response data to check.
+ * @returns True if the data is a BrevoErrorResponse.
+ */
+function isBrevoError(data: unknown): data is BrevoErrorResponse {
+	return typeof data === 'object' && data !== null && 'code' in data
+}
+
+/**
+ * Validates that an email message has all required fields.
+ * @param message - The email message to validate.
+ * @throws {Error} If any required field is missing or invalid.
+ */
+function validateMessage(message: EmailMessageBrevo): void {
+	if (!message.sender) {
+		throw new Error('Email message is missing sender')
+	}
+	if (!message.to || message.to.length === 0) {
+		throw new Error('Email message is missing recipients')
+	}
+	if (!message.subject) {
+		throw new Error('Email message is missing subject')
+	}
+	if (!message.htmlContent && !message.textContent) {
+		throw new Error('Email message is missing content (htmlContent or textContent required)')
+	}
+}
+
+/**
+ * Sends an email message via the Brevo API with automatic retry logic.
+ * Implements exponential backoff with jitter for transient failures (429, 5xx errors).
+ * Validates message fields and throws errors for missing required data or non-retriable failures.
+ *
+ * @param message - The email message object containing sender, recipients, subject, and content.
+ * @throws {Error} If BREVO_KEY is missing, message validation fails, or sending fails after all retry attempts.
+ * @returns A promise that resolves when the email is successfully sent (HTTP 201).
+ *
+ * @remarks
+ * - Retries up to 4 times (1 initial attempt + 3 retries) for network errors and retriable HTTP errors.
+ * - Uses 30-second timeout per request.
+ * - Respects Retry-After header from rate limit responses.
+ * - Logs warnings for retriable failures and errors for permanent failures.
+ */
+export async function sendMessage(message: EmailMessageBrevo): Promise<void> {
+	if (!env.BREVO_KEY) {
+		throw new Error('Brevo API key is missing from environment variables')
+	}
+
+	validateMessage(message)
+
+	const maxAttempts = 4 // initial try + 3 retries
+	const recipients = message.to.map(r => r.email).join(', ')
+
+	for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+		let response: Response
+
+		try {
+			const controller = new AbortController()
+			const timeoutId = setTimeout(() => controller.abort(), 30000) // 30s timeout
+
+			response = await fetch('https://api.brevo.com/v3/smtp/email', {
+				method: 'POST',
+				headers: {
+					accept: 'application/json',
+					'content-type': 'application/json',
+					'api-key': env.BREVO_KEY
+				},
+				body: JSON.stringify(message),
+				signal: controller.signal
+			})
+
+			clearTimeout(timeoutId)
+		} catch (error) {
+			if (attempt === maxAttempts) {
+				console.error('Brevo send failed after retries (network error)', {
+					error,
+					subject: message.subject,
+					to: recipients
+				})
+				throw new Error('Failed to send email after retries', { cause: error })
+			}
+
+			const wait = getBackoffDelay(attempt)
+			console.warn(
+				`Brevo send network error (attempt ${attempt}) — retrying in ${Math.round(wait)}ms`,
+				{
+					error,
+					subject: message.subject
+				}
+			)
+			await delay(wait)
+			continue
+		}
+
+		if (response.status === 201) {
+			return // Success - email sent
+		}
+
+		// Handle 400 bad request errors with code property
+		if (response.status === 400) {
+			const body = await response.json().catch(() => null)
+			const errorCode = isBrevoError(body) ? body.code : undefined
+			console.error('Brevo send failed (bad request)', {
+				status: response.status,
+				code: errorCode,
+				body,
+				subject: message.subject,
+				to: recipients
+			})
+			throw new Error(`Failed to send email: ${errorCode || 'Bad request'}`)
+		}
+
+		const retriable = response.status === 429 || (response.status >= 500 && response.status <= 599)
+
+		if (!retriable || attempt === maxAttempts) {
+			const body = await response.json().catch(() => null)
+			console.error('Brevo send failed (no more retries)', {
+				status: response.status,
+				statusText: response.statusText,
+				body,
+				subject: message.subject,
+				to: recipients
+			})
+			throw new Error(`Failed to send email: ${response.status} ${response.statusText}`)
+		}
+
+		// Check for Retry-After header and use it if available
+		const retryAfterHeader = response.headers.get('Retry-After')
+		let retryAfter: number | null = null
+
+		if (retryAfterHeader) {
+			const parsed = parseInt(retryAfterHeader, 10)
+			// If it's a valid number, treat as seconds; otherwise it might be an HTTP date
+			if (!isNaN(parsed)) {
+				retryAfter = parsed * 1000
+			}
+		}
+
+		const wait = retryAfter || getBackoffDelay(attempt)
+
+		console.warn(`Brevo send failed (attempt ${attempt}) — retrying in ${Math.round(wait)}ms`, {
+			status: response.status,
+			statusText: response.statusText,
+			subject: message.subject,
+			retryAfter: retryAfter ? `${retryAfter}ms (from header)` : undefined
+		})
+		await delay(wait)
+	}
+
+	throw new Error('Unexpected Brevo retry logic failure')
+}

package/src/lib/server/email/mfa-code.ts

@@ -1,5 +1,5 @@
-import { SENDGRID_SENDER } from '$env/static/private'
-import { sendMessage } from '$lib/server/sendgrid'
+import { EMAIL } from '$env/static/private'
+import { sendMessage } from '$lib/server/brevo'
 
 /**
  * Sends a multi-factor authentication (MFA) verification code email to the user.
@@ -9,11 +9,11 @@ import { sendMessage } from '$lib/server/sendgrid'
  */
 export const sendMfaCodeEmail = async (toEmail: string, code: string) => {
 	await sendMessage({
-		to: { email: toEmail },
-		from: SENDGRID_SENDER,
+		to: [{ email: toEmail }],
+		sender: { email: EMAIL },
 		subject: 'Your login verification code',
-		categories: ['account'],
-		html: `
+		tags: ['account'],
+		htmlContent: `
       <p>Your verification code is:</p>
       <p style="font-size: 2em; font-weight: bold; letter-spacing: 0.25em;">${code}</p>
       <p>This code expires in 10 minutes. If you did not attempt to log in, you can safely ignore this email.</p>

package/src/lib/server/email/password-reset.ts

@@ -1,5 +1,5 @@
-import { DOMAIN, SENDGRID_SENDER } from '$env/static/private'
-import { sendMessage } from '$lib/server/sendgrid'
+import { DOMAIN, EMAIL } from '$env/static/private'
+import { sendMessage } from '$lib/server/brevo'
 
 /**
  * Sends a password reset email containing a link with a one-time reset token.
@@ -9,11 +9,11 @@ import { sendMessage } from '$lib/server/sendgrid'
  */
 export const sendPasswordResetEmail = async (toEmail: string, token: string) => {
 	await sendMessage({
-		to: { email: toEmail },
-		from: SENDGRID_SENDER,
+		to: [{ email: toEmail }],
+		sender: { email: EMAIL },
 		subject: 'Password reset',
-		categories: ['account'],
-		html: `
+		tags: ['account'],
+		htmlContent: `
       <p><a href="${DOMAIN}/auth/reset/${token}">Reset my password</a>. Your browser will open and ask you to
       provide a new password with a confirmation then redirect you to your login page.</p>
     `

package/src/lib/server/email/verify-email.ts

@@ -1,5 +1,5 @@
-import { DOMAIN, SENDGRID_SENDER } from '$env/static/private'
-import { sendMessage } from '$lib/server/sendgrid'
+import { DOMAIN, EMAIL } from '$env/static/private'
+import { sendMessage } from '$lib/server/brevo'
 
 /**
  * Sends an email verification link to a newly registered user.
@@ -9,11 +9,11 @@ import { sendMessage } from '$lib/server/sendgrid'
  */
 export const sendVerificationEmail = async (toEmail: string, token: string) => {
 	await sendMessage({
-		to: { email: toEmail },
-		from: SENDGRID_SENDER,
+		to: [{ email: toEmail }],
+		sender: { email: EMAIL },
 		subject: 'Verify your email address',
-		categories: ['account'],
-		html: `
+		tags: ['account'],
+		htmlContent: `
       <p>Thanks for registering! Please verify your email address by clicking the link below:</p>
       <p><a href="${DOMAIN}/auth/verify/${token}">Verify my email address</a></p>
       <p>This link expires in 24 hours. If you did not register, you can safely ignore this email.</p>

package/src/lib/server/turnstile.ts

@@ -0,0 +1,29 @@
+import { TURNSTILE_SECRET_KEY } from '$env/static/private'
+
+/**
+ * Verifies a Cloudflare Turnstile challenge token against the siteverify API.
+ *
+ * @param token - The `cf-turnstile-response` token submitted by the client.
+ * @param ip - Optional client IP address passed to Cloudflare for additional validation.
+ * @returns `true` if the token is valid, `false` otherwise.
+ */
+export async function verifyTurnstileToken(token: string, ip?: string): Promise<boolean> {
+	if (!token) return false
+
+	const formData = new FormData()
+	formData.append('secret', TURNSTILE_SECRET_KEY)
+	formData.append('response', token)
+	if (ip) formData.append('remoteip', ip)
+
+	try {
+		const res = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
+			method: 'POST',
+			body: formData
+		})
+		const data: { success: boolean } = await res.json()
+		return data.success === true
+	} catch (err) {
+		console.error('Turnstile verification error:', err)
+		return false
+	}
+}

package/src/routes/auth/forgot/+server.ts

@@ -4,6 +4,8 @@ import jwt from 'jsonwebtoken'
 import { JWT_SECRET } from '$env/static/private'
 import { query } from '$lib/server/db'
 import { sendPasswordResetEmail } from '$lib/server/email'
+import { error } from '@sveltejs/kit'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
 
 /**
  * Handles a forgot-password request.
@@ -17,6 +19,11 @@ import { sendPasswordResetEmail } from '$lib/server/email'
  */
 export const POST: RequestHandler = async event => {
 	const body = await event.request.json()
+
+	const ip = event.request.headers.get('CF-Connecting-IP') ?? event.getClientAddress()
+	const turnstileOk = await verifyTurnstileToken(body.turnstileToken ?? '', ip)
+	if (!turnstileOk) error(400, 'Security challenge failed. Please try again.')
+
 	const sql = `SELECT id as "userId" FROM users WHERE email = $1 LIMIT 1;`
 	const { rows } = await query(sql, [body.email])
 

package/src/routes/auth/login/+server.ts

@@ -5,6 +5,7 @@ import jwt from 'jsonwebtoken'
 import { JWT_SECRET } from '$env/static/private'
 import { query } from '$lib/server/db'
 import { sendMfaCodeEmail } from '$lib/server/email'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
 
 /**
  * In-memory failed-attempt tracker used for per-email account lockout.
@@ -41,13 +42,17 @@ const MFA_TRUSTED_COOKIE = 'mfa_trusted'
 export const POST: RequestHandler = async event => {
 	const { cookies } = event
 
-	let body: { email?: string; password?: string }
+	let body: { email?: string; password?: string; turnstileToken?: string }
 	try {
 		body = await event.request.json()
 	} catch {
 		error(400, 'Invalid request body.')
 	}
 
+	const ip = event.request.headers.get('CF-Connecting-IP') ?? event.getClientAddress()
+	const turnstileOk = await verifyTurnstileToken(body.turnstileToken ?? '', ip)
+	if (!turnstileOk) error(400, 'Security challenge failed. Please try again.')
+
 	const email = body.email?.toLowerCase() ?? ''
 
 	// Check per-email account lockout

package/src/routes/auth/mfa/+server.ts

@@ -4,6 +4,7 @@ import type { Secret } from 'jsonwebtoken'
 import jwt from 'jsonwebtoken'
 import { JWT_SECRET } from '$env/static/private'
 import { query } from '$lib/server/db'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
 
 /** Name of the cookie used to mark a device as MFA-trusted. */
 const MFA_TRUSTED_COOKIE = 'mfa_trusted'
@@ -26,7 +27,7 @@ const MFA_TRUSTED_MAX_AGE = 30 * 24 * 60 * 60 // 30 days in seconds
 export const POST: RequestHandler = async event => {
 	const { cookies } = event
 
-	let body: { email?: string; code?: string }
+	let body: { email?: string; code?: string; turnstileToken?: string }
 	try {
 		body = await event.request.json()
 	} catch {
@@ -35,6 +36,10 @@ export const POST: RequestHandler = async event => {
 
 	if (!body.email || !body.code) error(400, 'Email and verification code are required.')
 
+	const ip = event.request.headers.get('CF-Connecting-IP') ?? event.getClientAddress()
+	const turnstileOk = await verifyTurnstileToken(body.turnstileToken ?? '', ip)
+	if (!turnstileOk) error(400, 'Security challenge failed. Please try again.')
+
 	// Verify the code; returns user_id on success, NULL on failure/expiry
 	const verifyResult = await query(`SELECT verify_mfa_code($1, $2) AS "userId";`, [
 		body.email.toLowerCase(),

package/src/routes/auth/register/+server.ts

@@ -4,6 +4,7 @@ import jwt from 'jsonwebtoken'
 import { JWT_SECRET } from '$env/static/private'
 import { query } from '$lib/server/db'
 import { sendVerificationEmail } from '$lib/server/email'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
 
 /**
  * Registers a new user account.
@@ -23,13 +24,17 @@ import { sendVerificationEmail } from '$lib/server/email'
  * @throws The status code from the registration result on other failures (e.g. duplicate email).
  */
 export const POST: RequestHandler = async event => {
-	let body: { email?: string; password?: string; firstName?: string; lastName?: string }
+	let body: { email?: string; password?: string; firstName?: string; lastName?: string; turnstileToken?: string }
 	try {
 		body = await event.request.json()
 	} catch {
 		error(400, 'Invalid request body.')
 	}
 
+	const ip = event.request.headers.get('CF-Connecting-IP') ?? event.getClientAddress()
+	const turnstileOk = await verifyTurnstileToken(body.turnstileToken ?? '', ip)
+	if (!turnstileOk) error(400, 'Security challenge failed. Please try again.')
+
 	if (!body.email || !body.password || !body.firstName || !body.lastName)
 		error(400, 'Please supply all required fields: email, password, first and last name.')
 

package/src/routes/auth/reset/+server.ts

@@ -1,9 +1,10 @@
-import { json } from '@sveltejs/kit'
+import { json, error } from '@sveltejs/kit'
 import type { RequestHandler } from './$types'
 import type { JwtPayload } from 'jsonwebtoken'
 import jwt from 'jsonwebtoken'
 import { JWT_SECRET } from '$env/static/private'
 import { query } from '$lib/server/db'
+import { verifyTurnstileToken } from '$lib/server/turnstile'
 
 /**
  * Resets a user's password using a signed JWT reset token.
@@ -24,6 +25,10 @@ export const PUT: RequestHandler = async event => {
 	const body = await event.request.json()
 	const { token, password } = body
 
+	const ip = event.request.headers.get('CF-Connecting-IP') ?? event.getClientAddress()
+	const turnstileOk = await verifyTurnstileToken(body.turnstileToken ?? '', ip)
+	if (!turnstileOk) return json({ message: 'Security challenge failed. Please try again.' }, { status: 400 })
+
 	// Check the validity of the token and extract userId
 	try {
 		const decoded = <JwtPayload>jwt.verify(token, <jwt.Secret>JWT_SECRET)

package/src/routes/auth/reset/[token]/+page.svelte

@@ -4,6 +4,7 @@
 	import { goto } from '$app/navigation'
 	import { appState } from '$lib/app-state.svelte'
 	import { focusOnFirstError } from '$lib/focus'
+	import Turnstile from '$lib/Turnstile.svelte'
 
 	/** Props for the password-reset page. */
 	interface Props {
@@ -21,6 +22,8 @@
 	let submitted = $state(false)
 	let passwordMismatch = $state(false)
 	let loading = $state(false)
+	let turnstileToken = $state('')
+	let turnstile: Turnstile | undefined = $state()
 
 	onMount(() => {
 		// Remove the token from the URL to prevent it appearing in logs and Referer headers
@@ -53,6 +56,10 @@
 		}
 
 		if (form.checkValidity()) {
+			if (!turnstileToken) {
+				message = 'Please complete the security challenge.'
+				return
+			}
 			loading = true
 			try {
 				const url = `/auth/reset`
@@ -63,7 +70,8 @@
 					},
 					body: JSON.stringify({
 						token: data.token,
-						password
+						password,
+						turnstileToken
 					})
 				})
 
@@ -151,6 +159,8 @@
 		<p class="tw:text-red-600">{message}</p>
 	{/if}
 
+	<Turnstile bind:this={turnstile} bind:token={turnstileToken} />
+
 	<button type="submit" class="btn-primary" disabled={loading}>
 		{loading ? 'Resetting...' : 'Reset Password'}
 	</button>

package/src/routes/forgot/+page.svelte

@@ -3,6 +3,7 @@
 	import { goto } from '$app/navigation'
 	import { appState } from '$lib/app-state.svelte'
 	import { focusOnFirstError } from '$lib/focus'
+	import Turnstile from '$lib/Turnstile.svelte'
 
 	let focusedField: HTMLInputElement | undefined = $state()
 	let formEl: HTMLFormElement | undefined = $state()
@@ -10,6 +11,8 @@
 	let message: string = $state('')
 	let submitted = $state(false)
 	let loading = $state(false)
+	let turnstileToken = $state('')
+	let turnstile: Turnstile | undefined = $state()
 
 	onMount(() => {
 		focusedField?.focus()
@@ -31,6 +34,9 @@
 			if (email.toLowerCase().includes('gmail.com')) {
 				return (message = 'Gmail passwords must be reset on Manage Your Google Account.')
 			}
+			if (!turnstileToken) {
+				return (message = 'Please complete the security challenge.')
+			}
 			loading = true
 			try {
 				const url = `/auth/forgot`
@@ -39,7 +45,7 @@
 					headers: {
 						'Content-Type': 'application/json'
 					},
-					body: JSON.stringify({ email })
+					body: JSON.stringify({ email, turnstileToken })
 				})
 
 				if (res.ok) {
@@ -97,6 +103,8 @@
 		<p class="tw:text-red-600">{message}</p>
 	{/if}
 
+	<Turnstile bind:this={turnstile} bind:token={turnstileToken} />
+
 	<button type="submit" class="btn-primary" disabled={loading}>
 		{loading ? 'Sending...' : 'Send Email'}
 	</button>

package/src/routes/login/+page.svelte

@@ -4,6 +4,7 @@
 	import { focusOnFirstError } from '$lib/focus'
 	import { initializeGoogleAccounts, renderGoogleButton } from '$lib/google'
 	import { redirectAfterLogin } from '$lib/auth-redirect'
+	import Turnstile from '$lib/Turnstile.svelte'
 
 	let focusedField: HTMLInputElement | undefined = $state()
 	let formEl: HTMLFormElement | undefined = $state()
@@ -14,6 +15,10 @@
 	let loading = $state(false)
 	let mfaRequired = $state(false)
 	let mfaCode = $state('')
+	let turnstileToken = $state('')
+	let mfaTurnstileToken = $state('')
+	let turnstile: Turnstile | undefined = $state()
+	let mfaTurnstile: Turnstile | undefined = $state()
 	const credentials: Credentials = $state({
 		email: '',
 		password: ''
@@ -29,12 +34,17 @@
 		const form = formEl!
 
 		if (form.checkValidity()) {
+			if (!turnstileToken) {
+				message = 'Please complete the security challenge.'
+				return
+			}
 			try {
 				await loginLocal(credentials)
 			} catch (err) {
 				if (err instanceof Error) {
 					console.error('Login error', err.message)
 					message = err.message
+					turnstile?.reset()
 				}
 			}
 		} else {
@@ -63,7 +73,7 @@
 		try {
 			const res = await fetch('/auth/login', {
 				method: 'POST',
-				body: JSON.stringify(credentials),
+				body: JSON.stringify({ ...credentials, turnstileToken }),
 				headers: {
 					'Content-Type': 'application/json'
 				}
@@ -99,11 +109,15 @@
 	async function verifyMfa() {
 		message = ''
 		mfaSubmitted = false
-		const form = mfaFormEl!
 
-		if (!form.checkValidity()) {
+		if (!/^[0-9]{6}$/.test(mfaCode)) {
 			mfaSubmitted = true
-			focusOnFirstError(form)
+			mfaFormEl?.querySelector<HTMLInputElement>('#mfaCode')?.focus()
+			return
+		}
+
+		if (!mfaTurnstileToken) {
+			message = 'Please complete the security challenge.'
 			return
 		}
 
@@ -111,7 +125,7 @@
 		try {
 			const res = await fetch('/auth/mfa', {
 				method: 'POST',
-				body: JSON.stringify({ email: credentials.email, code: mfaCode }),
+				body: JSON.stringify({ email: credentials.email, code: mfaCode, turnstileToken: mfaTurnstileToken }),
 				headers: { 'Content-Type': 'application/json' }
 			})
 			const fromEndpoint = await res.json()
@@ -125,6 +139,7 @@
 			if (err instanceof Error) {
 				console.error('MFA error', err)
 				message = err.message
+				mfaTurnstile?.reset()
 			}
 		} finally {
 			loading = false
@@ -194,6 +209,8 @@
 			</button>
 		</p>
 	</form>
+
+	<Turnstile bind:this={mfaTurnstile} bind:token={mfaTurnstileToken} />
 {:else}
 	<form
 		bind:this={formEl}
@@ -288,6 +305,8 @@
 			<p class="tw:text-red-600">{message}</p>
 		{/if}
 
+		<Turnstile bind:this={turnstile} bind:token={turnstileToken} />
+
 		<button type="submit" class="btn-primary" disabled={loading}>
 			{loading ? 'Signing in...' : 'Sign In'}
 		</button>

package/src/routes/register/+page.svelte

@@ -2,6 +2,7 @@
 	import { onMount } from 'svelte'
 	import { focusOnFirstError } from '$lib/focus'
 	import { initializeGoogleAccounts, renderGoogleButton } from '$lib/google'
+	import Turnstile from '$lib/Turnstile.svelte'
 
 	let focusedField: HTMLInputElement | undefined = $state()
 	// Pattern stored as a variable to avoid Svelte parsing `{8,}` as a template expression
@@ -24,6 +25,8 @@
 	let emailVerificationSent = $state(false)
 
 	let formEl: HTMLFormElement | undefined = $state()
+	let turnstileToken = $state('')
+	let turnstile: Turnstile | undefined = $state()
 
 	/**
 	 * Validates the registration form and, if valid, delegates to {@link registerLocal}.
@@ -41,12 +44,17 @@
 		}
 
 		if (form.checkValidity()) {
+			if (!turnstileToken) {
+				message = 'Please complete the security challenge.'
+				return
+			}
 			try {
 				await registerLocal(user)
 			} catch (err) {
 				if (err instanceof Error) {
 					message = err.message
 					console.log('Login error', message)
+					turnstile?.reset()
 				}
 			}
 		} else {
@@ -76,7 +84,7 @@
 		try {
 			const res = await fetch('/auth/register', {
 				method: 'POST',
-				body: JSON.stringify(user), // server ignores user.role - always set it to 'student' (lowest priv)
+				body: JSON.stringify({ ...user, turnstileToken }), // server ignores user.role - always set it to 'student' (lowest priv)
 				headers: {
 					'Content-Type': 'application/json'
 				}
@@ -269,6 +277,8 @@
 			<p class="tw:text-red-600">{message}</p>
 		{/if}
 
+		<Turnstile bind:this={turnstile} bind:token={turnstileToken} />
+
 		<button type="submit" class="btn-primary" disabled={loading}>
 			{loading ? 'Creating account...' : 'Register'}
 		</button>

package/svelte.config.js

@@ -8,7 +8,8 @@ const baseCsp = [
 	'https://www.gstatic.com/recaptcha/', // recaptcha
 	'https://accounts.google.com/gsi/', // sign-in w/google
 	'https://www.google.com/recaptcha/', // recapatcha
-	'https://fonts.gstatic.com/' // recaptcha fonts
+	'https://fonts.gstatic.com/', // recaptcha fonts
+	'https://challenges.cloudflare.com/' // turnstile
 ]
 
 if (!production) baseCsp.push('ws://localhost:3000')
@@ -41,7 +42,8 @@ const config = {
 				'img-src': ['data:', 'blob:', ...baseCsp],
 				'style-src': ['unsafe-inline', ...baseCsp],
 				'object-src': ['none'],
-				'base-uri': ['self']
+				'base-uri': ['self'],
+				'frame-src': ['https://challenges.cloudflare.com/', 'https://accounts.google.com/']
 			}
 		},
 		files: {

package/vite.config.ts

@@ -1,18 +1,13 @@
-import { sveltekit } from '@sveltejs/kit/vite'
-import { defineConfig } from 'vite'
-import tailwindcss from '@tailwindcss/vite'
+import devtoolsJson from 'vite-plugin-devtools-json';
+import { sveltekit } from '@sveltejs/kit/vite';
+import { defineConfig } from 'vite';
+import tailwindcss from '@tailwindcss/vite';
 
 export default defineConfig({
-	build: {
-		sourcemap: process.env.NODE_ENV !== 'production'
-	},
-	plugins: [sveltekit(), tailwindcss()],
+	build: { sourcemap: process.env.NODE_ENV !== 'production' },
+	plugins: [sveltekit(), tailwindcss(), devtoolsJson()],
 	test: {
 		include: ['src/**/*.unit.test.ts', 'tests/**/*.unit.test.ts']
 	},
-	server: {
-		host: 'localhost',
-		port: 3000,
-		open: 'http://localhost:3000'
-	}
-})
+	server: { host: 'localhost', port: 3000, open: 'http://localhost:3000' }
+});

package/src/lib/server/sendgrid.ts

@@ -1,22 +0,0 @@
-import type { MailDataRequired } from '@sendgrid/mail'
-import sgMail from '@sendgrid/mail'
-import { env } from '$env/dynamic/private'
-
-/**
- * Sends a transactional email via the SendGrid API.
- *
- * Merges the provided message with the default sender configured in the environment.
- * Any field in `message` (including `from`) will override the default.
- *
- * @param message - Partial SendGrid mail data. Must include at minimum `to`, `subject`, and `html` or `text`.
- * @throws {Error} If the SendGrid API key is missing or the API request fails.
- */
-export const sendMessage = async (message: Partial<MailDataRequired>) => {
-	const { SENDGRID_SENDER, SENDGRID_KEY } = env
-	sgMail.setApiKey(SENDGRID_KEY)
-	const completeMessage = <MailDataRequired>{
-		from: SENDGRID_SENDER, // default sender can be altered
-		...message
-	}
-	await sgMail.send(completeMessage)
-}