regstack 0.5.6__tar.gz → 0.5.9__tar.gz

{regstack-0.5.6 → regstack-0.5.9}/CHANGELOG.md

@@ -5,6 +5,118 @@ authoritative copy lives at
 [`docs/changelog.md`](docs/changelog.md) and is rendered into the
 Sphinx docs.
 
+## 0.5.9 — 2026-05-13
+
+**`OAuthConfig.enforce_mfa_on_oauth_signin` is now wired.** The flag
+has been on the config since the OAuth router shipped (0.3.0) and the
+wizard surfaced it, but the callback never read it — operators who
+flipped it on still got OAuth sign-ins that bypassed the SMS second
+factor. The High #1 finding from the post-0.5.6 consistency audit.
+
+Now, when the flag is `true` and the resolved user has SMS MFA set
+up (`is_mfa_enabled=True` plus a `phone_number`):
+
+- The OAuth callback sends the SMS code and stashes a short-lived
+  `login_mfa` pending JWT in the state row (instead of a session
+  token).
+- `POST /oauth/exchange` returns `mfa_required=True` and
+  `mfa_pending_token=...` (with no `access_token`) so the SPA knows
+  to redirect to `/account/mfa-confirm`.
+- The SPA's bundled `regstack.js` `oauth-complete` handler stashes
+  the pending token under `regstack.mfa_pending` (same key the
+  password-login MFA flow uses) and redirects.
+- The user enters the SMS code and hits the existing
+  `POST /login/mfa-confirm` endpoint — same downstream path as the
+  password-login second factor.
+
+Link flows (`mode="link"`) are exempt: the user was already
+authenticated when they kicked off the link, so adding SMS friction
+on top of an already-authenticated link operation has no
+threat-model win.
+
+The `ExchangeResponse` model grew two optional fields
+(`mfa_required: bool = False`, `mfa_pending_token: str | None = None`)
+and `access_token` is now defaulted to `""` so the MFA branch can
+return cleanly. Existing handlers reading `access_token` keep
+working — they just need to check `mfa_required` first.
+
+## 0.5.8 — 2026-05-13
+
+Audit-driven consistency cleanup — small fixes across the API surface
+flagged by the post-0.5.6 consistency review.
+
+**Security**
+
+- **`oauth.completion_ttl_seconds` is finally enforced.** The flag has
+  been on `OAuthConfig` since the OAuth router shipped, but the
+  callback never used it: a state row stayed valid for the full
+  `state_ttl_seconds` (300s default) between callback completion and
+  `/oauth/exchange`. Now `set_result_token(...)` bumps the row's
+  expiry down to `now + completion_ttl_seconds` (30s default), so the
+  blast radius of a stolen state_id post-callback is the documented
+  30-second window. `OAuthStateRepoProtocol.set_result_token` grew an
+  optional `new_expires_at=` kwarg to make this atomic with the
+  token write.
+
+**Changed (UserPublic surface)**
+
+- `UserPublic` now serialises `updated_at` and
+  `tokens_invalidated_after`. SPAs comparing the latter against their
+  cached session JWT's `iat` can detect a forced sign-out after a
+  password / email change without an extra round-trip.
+
+**Changed (hook payloads)**
+
+- `oauth_signin_started` in `mode="link"` now carries the
+  authenticated `user=` kwarg, matching `oauth_signin_completed` and
+  `oauth_account_linked`. The `mode="signin"` call site stays without
+  `user=` (there isn't one yet — sign-in is what produces it).
+
+**Internal**
+
+- `OAuthConfig.completion_ttl_seconds` config field is now load-bearing
+  (was previously declared-but-unread).
+- `MessageResponse` in `routers/oauth.py` deleted; the router now uses
+  the shared one from `routers/_schemas.py`. OpenAPI no longer carries
+  two identically-named schemas.
+- `MongoOAuthStateRepo` / `SqlOAuthStateRepo` `set_result_token` grew
+  a `new_expires_at` parameter (default `None`, so existing callers
+  see no change).
+- `MongoBlacklistRepo.purge_expired` switched from `$lte` to `$lt` to
+  match the rest of the `purge_expired` family across both backends.
+  Edge-instant tokens get one more microsecond of life — the
+  bulk-revoke check (which DOES use `<=`) is unchanged.
+- Dead `create()` and `delete_by_id()` methods removed from
+  `MongoPendingRepo` — neither was in the protocol or the SQL impl,
+  and nothing in src or tests called them.
+- OAuth `start` and `callback` endpoints now declare
+  `response_class=RedirectResponse` and `status_code=302`. OpenAPI
+  surfaces the redirect intent properly.
+- Custom-claim JWT encoder in `routers/account.py` (email-change
+  token) now emits `iat` as a float instead of `int`, matching the
+  three other custom-claim encoders and the bulk-revoke contract.
+- `routers/verify.py` `created_at` for resent pending registrations
+  now goes through `rs.clock.now()` instead of wall-clock
+  `datetime.now(UTC)` — keeps `FrozenClock`-driven tests
+  deterministic.
+- `BaseUser.model_config = ConfigDict(extra="allow")` got a
+  comment explaining why it's the only model in the package that
+  doesn't `extra="forbid"`.
+
+## 0.5.7 — 2026-05-13
+
+Documentation-only follow-up to 0.5.6.
+
+- `docs/configuration.md` now documents the per-route `*_rate_limit`
+  family (added in 0.5.4) instead of pointing at
+  `login_max_per_minute` / `login_max_per_hour` as reserved future
+  fields.
+- `docs/security.md` no longer references
+  `PasswordHasher.needs_rehash` (removed in 0.5.6). Replacement
+  guidance points hosts at `pwdlib.PasswordHash.verify_and_update`.
+- Root `CHANGELOG.md` backfilled with 0.4.0 and 0.5.0 entries so it
+  matches `docs/changelog.md`.
+
 ## 0.5.6 — 2026-05-13
 
 Eleven days of security-review remediation, supply-chain hardening,
@@ -86,6 +198,42 @@ to use it, call `pwdlib.PasswordHash.verify_and_update` directly.
 `routers/logout.py` (was listed in `KNOWN_EVENTS` but no router
 emitted it).
 
+## 0.5.0 — 2026-05-02
+
+**Theme designer.** `regstack theme design` opens a native pywebview
+window with controls for every `--rs-*` CSS custom property and a
+real-time preview of the bundled SSR widgets (sign-in form, success /
+error banners, danger-zone button). Saving writes `regstack-theme.css`;
+the designer round-trips values back into the form on next launch so
+iteration is non-destructive. `--print-only` mode takes repeatable
+`--var NAME=VALUE` pairs (with a `dark:` prefix for dark-scheme
+overrides) and writes the file headlessly. Lives in
+`regstack.wizard.theme_designer`; registered as a lazy Click subgroup
+so `regstack init` / `doctor` don't pay the pywebview/uvicorn import
+cost.
+
+**Docs.** New "About the examples" convention block at the top of
+`docs/index.md`. Every URL, email, smtp host, and admin command across
+the docs now extrapolates from the same fictional app at
+`app.example.com` with `<username>` / `<password>` placeholders.
+
+## 0.4.0 — 2026-05-02
+
+**OAuth setup wizard.** `regstack oauth setup` opens a native webview
+window that walks an operator through registering a Google OAuth 2.0
+client and merges the credentials into `regstack.toml` +
+`regstack.secrets.env` non-destructively (preserves comments, other
+tables, unrelated keys). 12-step SPA inside a local-only 127.0.0.1
+FastAPI server, gated by a per-launch random token. Each "Next" click
+hits a server-side validator so the Write step can never be reached
+with bad data. `--print-only` mode skips the GUI for headless / CI
+use.
+
+Three new base dependencies — `pywebview>=5.0`, `tomlkit>=0.13`,
+`uvicorn[standard]>=0.29` — for the wizard's local server.
+`pytest-playwright` added to the `dev` extra; new `inv test-e2e` task
+chained into `inv test-all`.
+
 ## 0.3.0 — 2026-04-30
 
 **OAuth — Sign in with Google.** Opt-in via the new `oauth` extra

{regstack-0.5.6 → regstack-0.5.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: regstack
-Version: 0.5.6
+Version: 0.5.9
 Summary: Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB.
 Project-URL: Homepage, https://github.com/jdrumgoole/regstack
 Project-URL: Repository, https://github.com/jdrumgoole/regstack

{regstack-0.5.6 → regstack-0.5.9}/docs/changelog.md

@@ -3,6 +3,118 @@
 All notable changes to this project are documented here. Versions follow
 [Semantic Versioning](https://semver.org/) once `1.0.0` ships.
 
+## 0.5.9 — 2026-05-13
+
+### Security
+
+- **`OAuthConfig.enforce_mfa_on_oauth_signin` is now wired.** The flag
+  has been on the config since 0.3.0 and surfaced through the OAuth
+  setup wizard, but the callback never read it — operators who
+  enabled it still got OAuth sign-ins that bypassed the SMS second
+  factor. The High #1 finding from the post-0.5.6 consistency audit.
+
+  When the flag is `true` and the resolved user has SMS MFA set up
+  (`is_mfa_enabled=True` plus a `phone_number`), the OAuth callback
+  now sends the SMS code, stashes a short-lived `login_mfa` pending
+  JWT in the state row instead of a session token, and the SPA's
+  `regstack.js` `oauth-complete` handler reroutes through the
+  existing `/account/mfa-confirm` page → `POST /login/mfa-confirm`
+  flow.
+
+  Link flows (`mode="link"`) are intentionally exempt: the user was
+  already authenticated when they kicked off the link, so re-MFAing
+  is friction without a threat-model win.
+
+### Changed
+
+- `ExchangeResponse` gained two optional fields:
+  - `mfa_required: bool = False`
+  - `mfa_pending_token: str | None = None`
+
+  `access_token` defaults to `""` (instead of being required) so the
+  MFA branch can return without one. Existing SPAs that read
+  `access_token` keep working — they just need to branch on
+  `mfa_required` first.
+
+- `oauth_signin_completed` hook now carries `mfa_required=<bool>`
+  alongside the existing `user`, `provider`, `mode`, `was_new` kwargs
+  so observability handlers can distinguish "session minted" from
+  "MFA second-step in progress" outcomes.
+
+## 0.5.8 — 2026-05-13
+
+Audit-driven consistency cleanup — small fixes across the API surface
+flagged by the post-0.5.6 consistency review.
+
+### Security
+
+- **`oauth.completion_ttl_seconds` is now enforced.** This flag has
+  been on `OAuthConfig` since the OAuth router shipped, but the
+  callback never used it. A state row stayed valid for the full
+  `state_ttl_seconds` (300s default) between callback completion and
+  the SPA's `/oauth/exchange` call. The callback now shortens the
+  row's `expires_at` to `now + completion_ttl_seconds` (30s default)
+  when it stashes the result token, so the blast radius of a stolen
+  state_id post-callback is the documented 30-second window.
+
+### Changed (UserPublic surface)
+
+- `UserPublic` now serialises `updated_at` and
+  `tokens_invalidated_after`. SPAs comparing the latter against their
+  cached session JWT's `iat` can detect a forced sign-out after a
+  password / email change without an extra round-trip.
+
+### Changed (hook payloads)
+
+- `oauth_signin_started` in `mode="link"` now carries the
+  authenticated `user=` kwarg, matching `oauth_signin_completed` and
+  `oauth_account_linked`. The `mode="signin"` call site stays
+  user-less (there isn't one yet — sign-in is what produces it).
+
+### Internal
+
+- `OAuthStateRepoProtocol.set_result_token` grew an optional
+  `new_expires_at=` kwarg so the callback can re-set the row's
+  expiry atomically with the token write. Both Mongo and SQL impls
+  updated.
+- `MessageResponse` in `routers/oauth.py` deleted; the router now
+  uses the shared one from `routers/_schemas.py`. OpenAPI no longer
+  carries two identically-named schemas.
+- `MongoBlacklistRepo.purge_expired` switched from `$lte` to `$lt`
+  to match the rest of the `purge_expired` family. Bulk-revoke
+  (which DOES use `<=` for the conservative same-instant
+  interpretation) is unchanged.
+- Dead `create()` / `delete_by_id()` methods removed from
+  `MongoPendingRepo` — neither was in the protocol or the SQL impl.
+- OAuth `start` and `callback` endpoints now declare
+  `response_class=RedirectResponse` and `status_code=302`.
+- Custom-claim JWT encoder in `routers/account.py` (email-change
+  token) now emits `iat` as a float instead of `int`, matching the
+  three other custom-claim encoders.
+- `routers/verify.py` `created_at` for resent pending registrations
+  now goes through `rs.clock.now()` instead of wall-clock
+  `datetime.now(UTC)`.
+- `BaseUser.model_config = ConfigDict(extra="allow")` is now
+  documented inline (it's the only model in the package that
+  doesn't `extra="forbid"`, on purpose).
+
+## 0.5.7 — 2026-05-13
+
+Documentation-only follow-up to 0.5.6 — no runtime code changes.
+
+### Docs
+
+- `docs/configuration.md` now documents the per-route `*_rate_limit`
+  family (added in 0.5.4) instead of pointing at
+  `login_max_per_minute` / `login_max_per_hour` as reserved future
+  fields.
+- `docs/security.md` no longer references
+  `PasswordHasher.needs_rehash` (removed in 0.5.6). Replacement
+  guidance points hosts at `pwdlib.PasswordHash.verify_and_update`
+  inside a `user_logged_in` hook.
+- Root `CHANGELOG.md` backfilled with 0.4.0 and 0.5.0 entries so it
+  matches this file. The two changelogs are now in sync.
+
 ## 0.5.6 — 2026-05-13
 
 A rollup release that consolidates 11 days of security-review

{regstack-0.5.6 → regstack-0.5.9}/docs/configuration.md

@@ -234,12 +234,74 @@ with no `mkdir` or `touch` step.
   - Sliding window for failures, also TTL on the `login_attempts` collection.
 * - `login_max_per_minute`
   - `5`
-  - Reserved for a future route-level rate limiter.
+  - Deprecated since 0.5.4; kept for back-compat but no longer
+    wired. Use `login_rate_limit` (see "Per-route rate limits" below).
 * - `login_max_per_hour`
   - `20`
-  - Same reservation.
+  - Same as above. Use a slowapi-syntax limit string on
+    `login_rate_limit` like `"5/minute;20/hour"`.
 ```
 
+## Per-route rate limits
+
+New in 0.5.4. Opt-in: install the `rate_limit` extra (`pip install
+'regstack[rate_limit]'` — pulls in `slowapi`) or pass your own
+`slowapi.Limiter` instance as `RegStack(rate_limiter=...)`.
+
+Each field is a slowapi-syntax string. Empty / unset = no limit on
+that route. The per-account `LockoutService` (see "Lockout (login)"
+above) is unchanged and stacks on top of `login_rate_limit` — they
+defend different axes: lockout defends one account against
+credential-stuffing; the IP rate limits defend each endpoint
+against one IP spamming requests across many accounts.
+
+```{list-table}
+:header-rows: 1
+:widths: 35 15 50
+
+* - Field
+  - Default
+  - Notes
+
+* - `login_rate_limit`
+  - `""`
+  - Per-IP on `POST /login` (and the MFA confirm step).
+* - `register_rate_limit`
+  - `""`
+  - Per-IP on `POST /register`.
+* - `forgot_password_rate_limit`
+  - `""`
+  - Per-IP on `POST /forgot-password`.
+* - `reset_password_rate_limit`
+  - `""`
+  - Per-IP on `POST /reset-password`.
+* - `verify_rate_limit`
+  - `""`
+  - Per-IP on `POST /verify`.
+* - `resend_verification_rate_limit`
+  - `""`
+  - Per-IP on `POST /resend-verification`.
+* - `change_password_rate_limit`
+  - `""`
+  - Per-IP on `POST /change-password`.
+* - `change_email_rate_limit`
+  - `""`
+  - Per-IP on `POST /change-email`.
+* - `confirm_email_change_rate_limit`
+  - `""`
+  - Per-IP on `POST /confirm-email-change`.
+* - `delete_account_rate_limit`
+  - `""`
+  - Per-IP on `DELETE /account`.
+```
+
+If any `*_rate_limit` is set but neither a `rate_limiter=` argument
+nor the `rate_limit` extra is available, `RegStack.router` raises
+`RuntimeError` on first access — failing closed beats silently
+disabling the protection. The host owns `app.state.limiter` and
+the `RateLimitExceeded` exception handler; slowapi itself defines
+the 429 response shape.
+
 ## SMS / 2FA
 
 ```{list-table}

{regstack-0.5.6 → regstack-0.5.9}/docs/security.md

@@ -10,10 +10,13 @@ are tradeoffs, they're documented here rather than buried in code.
 
 ## Passwords
 
-- **Hashing.** Argon2id with library defaults.
-  `PasswordHasher.needs_rehash(...)` is available so a future
-  parameter bump can quietly upgrade existing hashes on a user's next
-  successful login.
+- **Hashing.** Argon2id with library defaults via `pwdlib`.
+  regstack does not expose a standalone "needs rehash?" method —
+  if the Argon2 parameters change later and you want existing
+  hashes upgraded on next login, call
+  `pwdlib.PasswordHash.verify_and_update(password, hashed)`
+  directly inside a host-side `user_logged_in` hook (it returns
+  both `(verified, new_hash_or_None)` in one pass).
 - **Length.** Minimum 8, maximum 128 (UTF-8). Validated by the
   pydantic input model on every create / change endpoint.
 - **Storage.** Plaintext is never logged or returned. The

{regstack-0.5.6 → regstack-0.5.9}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "regstack"
-version = "0.5.6"
+version = "0.5.9"
 description = "Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB."
 readme = "README.md"
 requires-python = ">=3.11"

{regstack-0.5.6 → regstack-0.5.9}/src/regstack/backends/mongo/repositories/blacklist_repo.py

@@ -36,5 +36,8 @@ class BlacklistRepo:
         # sweep — useful in tests and on Mongos where the TTL monitor's 60-second
         # cycle hasn't fired yet.
         reference = now or datetime.now(UTC)
-        result = await self._collection.delete_many({"exp": {"$lte": reference}})
+        # Strict `<` matches the rest of the purge_expired family across both
+        # backends — a token whose exp is the reference instant is still
+        # nominally valid for one more microsecond.
+        result = await self._collection.delete_many({"exp": {"$lt": reference}})
         return int(result.deleted_count)

{regstack-0.5.6 → regstack-0.5.9}/src/regstack/backends/mongo/repositories/oauth_state_repo.py

@@ -25,10 +25,19 @@ class MongoOAuthStateRepo:
         doc = await self._collection.find_one({"_id": state_id})
         return self._hydrate(doc)
 
-    async def set_result_token(self, state_id: str, token: str) -> None:
+    async def set_result_token(
+        self,
+        state_id: str,
+        token: str,
+        *,
+        new_expires_at: datetime | None = None,
+    ) -> None:
+        updates: dict[str, Any] = {"result_token": token}
+        if new_expires_at is not None:
+            updates["expires_at"] = new_expires_at
         await self._collection.update_one(
             {"_id": state_id},
-            {"$set": {"result_token": token}},
+            {"$set": updates},
         )
 
     async def consume(self, state_id: str) -> OAuthState | None:

{regstack-0.5.6 → regstack-0.5.9}/src/regstack/backends/mongo/repositories/pending_repo.py

@@ -4,9 +4,7 @@ from datetime import UTC, datetime
 from typing import TYPE_CHECKING, Any
 
 from bson import ObjectId
-from pymongo.errors import DuplicateKeyError
 
-from regstack.backends.protocols import PendingAlreadyExistsError
 from regstack.models.pending_registration import PendingRegistration
 
 if TYPE_CHECKING:
@@ -36,14 +34,6 @@ class PendingRepo:
             pending.id = str(result["_id"])
         return pending
 
-    async def create(self, pending: PendingRegistration) -> PendingRegistration:
-        try:
-            result = await self._collection.insert_one(pending.to_mongo())
-        except DuplicateKeyError as exc:
-            raise PendingAlreadyExistsError(pending.email) from exc
-        pending.id = str(result.inserted_id)
-        return pending
-
     async def find_by_token_hash(self, token_hash: str) -> PendingRegistration | None:
         doc = await self._collection.find_one({"token_hash": token_hash})
         return self._hydrate(doc)
@@ -52,11 +42,6 @@ class PendingRepo:
         doc = await self._collection.find_one({"email": email})
         return self._hydrate(doc)
 
-    async def delete_by_id(self, pending_id: str) -> None:
-        if not ObjectId.is_valid(pending_id):
-            return
-        await self._collection.delete_one({"_id": ObjectId(pending_id)})
-
     async def delete_by_email(self, email: str) -> None:
         await self._collection.delete_one({"email": email})
 

{regstack-0.5.6 → regstack-0.5.9}/src/regstack/backends/protocols.py

@@ -289,9 +289,22 @@ class OAuthStateRepoProtocol(Protocol):
 
     async def find(self, state_id: str) -> OAuthState | None: ...
 
-    async def set_result_token(self, state_id: str, token: str) -> None:
+    async def set_result_token(
+        self,
+        state_id: str,
+        token: str,
+        *,
+        new_expires_at: datetime | None = None,
+    ) -> None:
         """Stash the session JWT after a successful callback so the
         SPA can pick it up via :meth:`consume`.
+
+        If ``new_expires_at`` is given, the row's ``expires_at`` is
+        bumped to that timestamp at the same time — this is how
+        callers shorten the redemption window from
+        ``oauth.state_ttl_seconds`` (covering the round-trip with
+        the provider) to ``oauth.completion_ttl_seconds`` (covering
+        only the SPA's exchange call after the callback lands).
         """
         ...
 

{regstack-0.5.6 → regstack-0.5.9}/src/regstack/backends/sql/repositories/oauth_state_repo.py

@@ -44,8 +44,17 @@ class SqlOAuthStateRepo:
             row = (await conn.execute(stmt)).first()
         return _row_to_state(row) if row else None
 
-    async def set_result_token(self, state_id: str, token: str) -> None:
-        stmt = update(self._t).where(self._t.c.id == state_id).values(result_token=token)
+    async def set_result_token(
+        self,
+        state_id: str,
+        token: str,
+        *,
+        new_expires_at: datetime | None = None,
+    ) -> None:
+        values: dict[str, Any] = {"result_token": token}
+        if new_expires_at is not None:
+            values["expires_at"] = new_expires_at
+        stmt = update(self._t).where(self._t.c.id == state_id).values(**values)
         async with self._engine.begin() as conn:
             await conn.execute(stmt)
 

{regstack-0.5.6 → regstack-0.5.9}/src/regstack/models/user.py

@@ -23,6 +23,12 @@ class BaseUser(BaseModel):
     mixin via ``RegStack.extend_user_model``.
     """
 
+    # `extra="allow"` here (and only here) is deliberate: hosts that
+    # add their own user fields via subclassing or
+    # `RegStack.extend_user_model` need those fields to round-trip
+    # through the DB cleanly. Every request/response model
+    # (UserCreate, UserUpdate, UserPublic) uses `extra="forbid"`
+    # because those are the external API contract.
     model_config = ConfigDict(populate_by_name=True, extra="allow")
 
     id: IdStr | None = Field(default=None, alias="_id")
@@ -88,7 +94,12 @@ class UserPublic(BaseModel):
     phone_number: str | None = None
     is_mfa_enabled: bool = False
     created_at: datetime
+    updated_at: datetime
     last_login: datetime | None = None
+    tokens_invalidated_after: datetime | None = None
+    """Bulk-revoke cutoff. SPAs comparing this to their session JWT's
+    `iat` can tell when the token they hold has been invalidated by a
+    password change / email change without making another request."""
 
     @classmethod
     def from_user(cls, user: BaseUser) -> UserPublic:
@@ -104,5 +115,7 @@ class UserPublic(BaseModel):
             phone_number=user.phone_number,
             is_mfa_enabled=user.is_mfa_enabled,
             created_at=user.created_at,
+            updated_at=user.updated_at,
             last_login=user.last_login,
+            tokens_invalidated_after=user.tokens_invalidated_after,
         )

{regstack-0.5.6 → regstack-0.5.9}/src/regstack/routers/account.py

@@ -237,7 +237,7 @@ def _encode_email_change_token(rs: RegStack, user_id: str, new_email: str, ttl:
     payload: dict[str, Any] = {
         "sub": user_id,
         "jti": _secrets.token_urlsafe(16),
-        "iat": int(now.timestamp()),
+        "iat": now.timestamp(),
         "exp": int((now + timedelta(seconds=ttl)).timestamp()),
         "purpose": _EMAIL_CHANGE_PURPOSE,
         _NEW_EMAIL_CLAIM: new_email,