
1 Commits

Author SHA1 Message Date
Jiang Bohan
2c4a0665ba fix(auth): increase email verification code resend cooldown to 60s
The 10-second cooldown was too short. Increase to 60 seconds in both
frontend countdown timer and backend rate limit.
2026-04-14 02:33:12 +08:00
3 changed files with 7 additions and 7 deletions


@@ -304,7 +304,7 @@ describe("LoginPage", () => {
).toBeInTheDocument();
});
// After transitioning to code step, cooldown is 10s
// After transitioning to code step, cooldown is 60s
const resendBtn = screen.getByRole("button", { name: /resend in/i });
expect(resendBtn).toBeDisabled();
});
@@ -340,9 +340,9 @@ describe("LoginPage", () => {
// sendCode was called once for the initial send
expect(mockSendCode).toHaveBeenCalledTimes(1);
// Advance past the 10s cooldown one second at a time so React can
// Advance past the 60s cooldown one second at a time so React can
// process each setCooldown state update between ticks.
for (let i = 0; i < 11; i++) {
for (let i = 0; i < 61; i++) {
await act(async () => {
vi.advanceTimersByTime(1_000);
});
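Review bot: Neither updated test pins the new 60-second value. The first only checks that a button matching `/resend in/i` is disabled, and the loop `for (let i = 0; i < 61; i++)` only advances far enough for the timer to expire, so it would presumably still pass if the component kept a 10-second cooldown. Consider stopping one tick early and asserting `expect(screen.getByRole("button", { name: /resend in/i })).toBeDisabled();` after 59 seconds, so a regression to a shorter cooldown fails the suite. The rest of the second test lies outside the hunk and may already assert more than is visible here.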


@@ -162,7 +162,7 @@ export function LoginPage({
await useAuthStore.getState().sendCode(email);
setStep("code");
setCode("");
setCooldown(10);
setCooldown(60);
} catch (err) {
setError(
err instanceof Error
@@ -215,7 +215,7 @@ export function LoginPage({
setError("");
try {
await useAuthStore.getState().sendCode(email);
setCooldown(10);
setCooldown(60);
} catch (err) {
setError(
err instanceof Error ? err.message : "Failed to resend code",
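Review bot: The literal `60` is now repeated in both `setCooldown(60)` calls (the initial-send handler and the resend handler) and must also match `60*time.Second` in the backend, so a later change can easily leave them out of step. A module-level `const RESEND_COOLDOWN_SECONDS = 60;` used at both call sites would keep the frontend value in one place. A short comment such as `// UI hint only; the server enforces the resend limit` would also help, because this timer is component state and is presumably lost on reload. Both handlers begin and end outside the hunks shown.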


@@ -110,9 +110,9 @@ func (h *Handler) SendCode(w http.ResponseWriter, r *http.Request) {
return
}
// Rate limit: max 1 code per 10 seconds per email
// Rate limit: max 1 code per 60 seconds per email
latest, err := h.Queries.GetLatestCodeByEmail(r.Context(), email)
if err == nil && time.Since(latest.CreatedAt.Time) < 10*time.Second {
if err == nil && time.Since(latest.CreatedAt.Time) < 60*time.Second {
writeError(w, http.StatusTooManyRequests, "please wait before requesting another code")
return
}
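Review bot: The throttle on the `if err == nil && time.Since(latest.CreatedAt.Time) < 60*time.Second` line is skipped whenever `GetLatestCodeByEmail` returns any error, so a database failure, and not only a missing row, lets the request through to whatever follows. This check limits how often verification mail can be triggered for an address, so it should fail closed: treat only the driver's no-rows result as "no previous code" and return a 5xx for every other error. The 429 could also carry the wait, e.g. `w.Header().Set("Retry-After", "60")` before `writeError`, so clients need not hard-code the interval. The lookup and the later insert are presumably separate statements, so concurrent requests for the same email may both pass this check; the rest of SendCode is outside the hunk.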