Walkthrough

Email configuration gains a provider field and support for three modes (shared, standard/SMTP, resend). Backend sets provider: "smtp" when applying legacy email config. Dashboard emails page refactors to use the new config shape and conditional UI/validation. Shared config schema and template types updated accordingly.

Changes

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant D as Dashboard Page
  participant E as EditEmailServerDialog
  participant A as stackAdminApp
  participant B as Backend
  participant C as Config Store

  U->>D: Open Project Emails
  D->>E: Open Edit Email Server Dialog (emailConfig)
  E->>E: Select type (shared | standard | resend)

  alt shared
    E->>A: Update config { emails.server: { type: "shared" } }
    A->>B: Save project config
    B->>C: Persist config
    C-->>B: OK
    B-->>A: OK
    A-->>E: OK (toast)
  else standard (SMTP)
    E->>A: sendTestEmail({ provider:"smtp", host, port, ... })
    A->>B: Send test email
    B-->>A: Test OK
    A->>B: Save { emails.server: { provider:"smtp", ... } }
    B->>C: Persist config
    C-->>B: OK
    B-->>A: OK
    A-->>E: OK (toast)
  else resend
    E->>A: sendTestEmail({ provider:"resend", apiKey, sender... })
    A->>B: Send test email
    B-->>A: Test OK
    A->>B: Save { emails.server: { provider:"resend", ... } }
    B->>C: Persist config
    C-->>B: OK
    B-->>A: OK
    A-->>E: OK (toast)
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Add template support and enhanced error handling to email sending API #813 — Introduces/updates email configuration handling with providers (smtp/resend), aligning with this PR’s provider-aware UI and schema.
• Several project config improvements #811 — Adds provider field and defaults in config schema, matching this PR’s schema and backend defaulting to "smtp".

Pre-merge checks (2 passed, 1 warning)

Poem

A bunny taps keys with delight,
Teaching emails to take flight—
Shared, SMTP, or Resend,
Configs converge, flows amend.
With a hop, a toast appears,
“Test passed!” it cheers—long ears! 🐇✉️

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
stack-backend	Ready	Preview	Comment	Sep 11, 2025 9:25pm
stack-dashboard	Ready	Preview	Comment	Sep 11, 2025 9:25pm
stack-demo	Ready	Preview	Comment	Sep 11, 2025 9:25pm
stack-docs	Ready	Preview	Comment	Sep 11, 2025 9:25pm

Claude finished @BilalG1's task —— View job

PR Review: Resend API Key Configuration

Todo List:

• Analyze modified files and understand changes
• Review code quality and best practices
• Check for potential bugs and issues
• Evaluate security considerations
• Assess performance implications
• Review test coverage needs
• Provide structured feedback

Summary

This PR adds Resend email service integration to the Stack Auth platform, providing an alternative to the existing shared and custom SMTP email configurations. The changes span across backend configuration, dashboard UI, and schema updates.

Code Quality & Best Practices ✅

Positive Aspects:

1. Good separation of concerns - Email config logic is properly separated between UI and backend
2. Type safety - Proper TypeScript usage with discriminated unions for email config types
3. Consistent patterns - Follows existing codebase patterns for configuration handling
4. Clean UI implementation - Well-structured form handling with proper validation

Minor Issues:

1. packages/stack-shared/src/config/schema.ts:428 - Default provider should be 'smtp' instead of 'resend' for consistency
2. Missing JSDoc comments - Complex functions like testEmailAndUpdateConfig could benefit from documentation

Security Considerations 🔐

Concerns Identified:

1. API Key Storage - Resend API keys are stored in the same way as SMTP passwords. Consider if additional encryption is needed for API keys vs passwords.
2. Error Handling - Error messages from Resend could potentially leak sensitive information. The current implementation properly catches and sanitizes errors.

Recommendations:

• Consider adding rate limiting for test email functionality to prevent abuse
• Validate that Resend API keys follow expected format before storage

Performance Implications ⚡

Good Practices:

1. Lazy loading - Email configuration is fetched only when needed
2. Proper async handling - All database operations are properly awaited
3. Image compression - The logo upload feature includes proper image compression (1MB limit)

Potential Issues:

• apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/emails/page-client.tsx:184-192 - Hard-coded Resend SMTP settings could be moved to constants for maintainability

Bugs & Issues 🐛

Critical Issues:

1. Type inconsistency - The AdminEmailConfig type in the template doesn't match the new schema structure. This could cause runtime errors.

Minor Issues:

1. apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/emails/page-client.tsx:285 - Accessing project.config.emailConfig should be project.useConfig().emails.server for consistency
2. Hard-coded values - Resend SMTP configuration (host: 'smtp.resend.com', port: 465) should be constants

Test Coverage 📝

Missing Tests:

1. Unit tests for Resend email configuration validation
2. Integration tests for the new email config API endpoints
3. E2E tests for the Resend configuration flow in the dashboard
4. Error handling tests for invalid Resend API keys

Existing Coverage:

• Schema validation tests are automatically covered by the yup schema
• UI component rendering is likely covered by existing tests

Specific Code Issues

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/emails/page-client.tsx

Lines 184-192: Hard-coded Resend configuration

// Consider moving to constants
const RESEND_CONFIG = {
  host: 'smtp.resend.com',
  port: 465,
  username: 'resend'
} as const;

packages/template/src/lib/stack-app/project-configs/index.ts

Type mismatch issue: The AdminEmailConfig type needs updating to match the new schema structure with provider field.

Recommendations

High Priority:

1. Fix type inconsistencies between template types and schema
2. Add integration tests for Resend email functionality
3. Move hard-coded values to constants

Medium Priority:

1. Add JSDoc comments for complex functions
2. Consider API key validation before storage
3. Add rate limiting for test email functionality

Low Priority:

1. Improve error messages for better user experience
2. Consider adding email preview functionality

Overall Assessment

This is a solid implementation that follows good practices and maintains consistency with the existing codebase. The main concerns are around type safety and test coverage. The security implications are well-handled, and the performance impact is minimal.

Recommendation: Approve after addressing the type inconsistency issue and adding basic integration tests.

Claude finished @BilalG1's task —— View job

PR Review: Resend API Key Configuration

Review Checklist

• Analyze changed files and understand the scope
• Review code quality and best practices
• Check for potential bugs or issues
• Evaluate security concerns
• Assess performance considerations
• Examine test coverage needs
• Provide comprehensive feedback

Analysis

This PR adds support for Resend API key configuration in the email settings. The changes include:

• Backend support for the new Resend provider type
• Frontend UI updates to handle Resend configuration
• Schema updates to support the new provider field
• Type definition updates for email config

✅ Positive Aspects

1. Clean Type Safety: Good TypeScript integration with proper type definitions
2. Consistent Architecture: Follows existing patterns for email configuration
3. User Experience: Clear UI flow with appropriate form validation
4. Error Handling: Proper error states and user feedback

⚠️ Security Concerns

1. API Key Storage (page-client.tsx:230):

   • Resend API keys are stored as passwords but transmitted in plain text
   • Consider implementing client-side encryption or secure transmission

   { label: "Resend API Key", name: "password", type: 'password' }

2. Hardcoded Test Email (page-client.tsx:136):

   • Using a hardcoded test email address could be a security/privacy concern

   recipientEmail: '[email protected]'

🐛 Potential Bugs

1. Inconsistent Type Handling (page-client.tsx:184):

   • The function expects AdminEmailConfig & { type: "standard" | "resend" } but AdminEmailConfig already defines type differently
   • This could cause type mismatches at runtime

2. Missing Validation (page-client.tsx:186-192):

   • Resend uses hardcoded SMTP settings but there's no validation that these are correct

   host: 'smtp.resend.com',
   port: 465,
   username: 'resend',

3. Schema Migration (schema.ts:203):

   • New provider field is optional, but defaults show it as required
   • Could cause inconsistencies for existing configurations

📈 Performance Considerations

1. Redundant API Calls: The testEmailAndUpdateConfig function performs both test and update operations in sequence, which could be optimized

2. Form Re-renders: The form change handler triggers on every keystroke, potentially causing unnecessary re-renders

🧪 Test Coverage Concerns

1. Missing Tests: No visible test coverage for the new Resend provider functionality
2. Edge Cases: No validation for malformed Resend API keys
3. Integration Testing: Should test the full flow from UI → backend → email sending

📝 Code Quality Issues

1. Type Inconsistencies (projects.tsx:209):

   • Hardcoded provider: "smtp" for existing configs might not align with new schema

   provider: "smtp", // Should this be dynamic based on actual provider?

2. Magic Values (page-client.tsx:186):

   • Resend SMTP configuration is hardcoded - consider extracting to constants

3. Cleanup Needed (page-client.tsx:10):

   • Removed imports but left unused import statements

🔧 Recommendations

1. Security: Implement proper API key encryption and avoid hardcoded test emails
2. Validation: Add comprehensive validation for Resend API keys and SMTP settings
3. Testing: Add unit and integration tests for Resend functionality
4. Constants: Extract hardcoded Resend SMTP settings to configuration constants
5. Types: Resolve type inconsistencies between AdminEmailConfig and new provider types
6. Error Handling: Improve error messages for failed Resend configurations

⭐ Overall Assessment

This is a solid implementation that follows existing patterns well. The main concerns are around security (API key handling), test coverage, and some type inconsistencies. The functionality appears to work correctly but would benefit from the security improvements and additional testing mentioned above.

Recommendation: ✅ Approve with minor changes - Address the security concerns around API key handling and add proper test coverage before merging.

Claude finished @BilalG1's task —— View job

PR Review: Resend API Key Configuration

Review Checklist:

• Analyze all changed files and understand the implementation
• Review code quality and best practices
• Check for potential bugs and issues
• Evaluate security concerns
• Assess performance considerations
• Examine test coverage needs
• Provide comprehensive feedback with specific recommendations

Overall Assessment

This PR adds Resend email provider support to Stack Auth, enabling users to choose between Resend API and custom SMTP for email delivery. While the implementation follows existing patterns well, there are several critical issues that need to be addressed.

🚨 Critical Issues

1. Type System Inconsistencies

Location: packages/template/src/lib/stack-app/project-configs/index.ts:42-53

The AdminEmailConfig type defines both 'standard' and 'resend' as requiring SMTP fields (host, port, username, password), but Resend only uses API keys:

export type AdminEmailConfig = (
  {
    type: "standard" | "resend", // ❌ Both types require same SMTP fields
    senderName: string,
    senderEmail: string,
    host: string,      // ❌ Resend doesn't need this
    port: number,      // ❌ Resend doesn't need this  
    username: string,  // ❌ Resend doesn't need this
    password: string,  // This is the API key for Resend
  }
  | { type: "shared" }
);

Impact: Runtime errors when Resend configs are processed expecting different field structures.

2. Hard-coded Provider Assignment

Location: apps/backend/src/lib/projects.tsx:209

provider: "smtp", // ❌ Always SMTP, ignores actual provider type

Impact: Resend configurations get incorrectly flagged as SMTP in the database.

3. Inconsistent Data Access Patterns

Location: apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/emails/page-client.tsx:285

const emailConfig = project.config.emailConfig || throwErr("Email config is not set");

Issue: Uses legacy project.config.emailConfig instead of the new project.useConfig().emails.server pattern used elsewhere.

🛡️ Security Concerns

1. API Key Exposure

• Location: page-client.tsx:230 - API keys stored as 'password' type but transmitted in plain text
• Location: page-client.tsx:136 - Hard-coded test email recipient could be security concern
• Recommendation: Implement proper API key encryption and make test email configurable

2. Error Message Leakage

• Current error handling properly sanitizes Resend API errors, but consider additional validation

🐛 Bugs & Logic Issues

1. Default Provider Value

Location: packages/stack-shared/src/config/schema.ts:428

provider: "smtp", // ❌ Should be dynamic or default to 'resend'

2. Schema Validation Mismatch

The definedWhenNotShared function checks for 'standard' but schema accepts 'resend':

definedWhenNotShared(yup.string(), "Host is required"), // ❌ Applied to Resend too

3. Hard-coded SMTP Configuration

Location: page-client.tsx:186-192

host: 'smtp.resend.com',  // ❌ Should be constants
port: 465,
username: 'resend',

📊 Performance Implications

Good:

• ✅ Proper async/await patterns
• ✅ Efficient form state management
• ✅ Lazy loading of email configs

Concerns:

• Form change handlers trigger on every keystroke (minor)
• No caching for Resend SMTP constants

🧪 Test Coverage Issues

Missing:

• Unit tests for Resend provider validation logic
• Integration tests for Resend API configuration flow
• Error handling tests for invalid Resend API keys
• E2E tests for the dashboard Resend configuration UI

Existing:

• Schema validation automatically tested via yup
• Basic UI component coverage likely exists

🎯 Specific Recommendations

High Priority (Must Fix):

1. Fix type definitions - Separate AdminEmailConfig types for different providers
2. Dynamic provider assignment - Use actual provider type instead of hard-coding 'smtp'
3. Consistent data access - Use project.useConfig().emails.server throughout
4. Extract constants - Move hard-coded Resend SMTP values to configuration constants

Medium Priority:

1. Add comprehensive tests - Especially integration tests for new provider
2. Improve validation - Add Resend-specific API key format validation
3. Security hardening - Implement API key encryption
4. Error handling - Add better error messages for configuration failures

Low Priority:

1. Code organization - Consider extracting Resend logic to separate utility functions
2. Documentation - Add JSDoc comments for complex functions like testEmailAndUpdateConfig

🔧 Suggested Code Changes

// Fix AdminEmailConfig type
export type AdminEmailConfig = 
  | {
      type: "standard",
      senderName: string,
      senderEmail: string,
      host: string,
      port: number,
      username: string,
      password: string,
    }
  | {
      type: "resend",
      senderName: string,
      senderEmail: string,
      password: string, // API key
    }
  | {
      type: "shared",
    };

// Fix provider assignment
provider: dataOptions.email_config.type === 'resend' ? 'resend' : 'smtp',

// Extract constants
const RESEND_CONFIG = {
  host: 'smtp.resend.com',
  port: 465,
  username: 'resend'
} as const;

⚡ Final Verdict

Status: ⚠️ Needs Major Revision

While the implementation demonstrates good understanding of the existing architecture, the type system inconsistencies and hard-coded provider assignments create significant bugs that will cause runtime failures. The security and test coverage concerns are also important but not blocking.

Recommended Actions:

1. Address the 3 critical type/logic issues identified above
2. Add basic integration tests for Resend functionality
3. Extract hard-coded values to constants
4. Consider implementing the medium priority security improvements

Once these issues are resolved, this will be a solid addition that properly extends Stack Auth's email capabilities.

Review by RecurseML

🔍 Review performed on e5eb478..d5fa738

✨ No bugs found, your code is sparkling clean

Claude finished @BilalG1's task —— View job

PR Review: Resend Email Provider Support

Review Checklist

• Analyze all changed files and understand the implementation
• Review code quality and best practices
• Check for potential bugs and issues
• Evaluate security concerns
• Assess performance considerations
• Examine test coverage needs
• Provide comprehensive feedback and recommendations

Summary

This PR adds support for Resend email provider to Stack Auth, enabling users to choose between Resend API and custom SMTP for email delivery. The implementation spans across backend configuration, schema updates, dashboard UI, and template types.

🚨 Critical Issues

1. Type System Inconsistencies

Location: packages/template/src/lib/stack-app/project-configs/index.ts:42-53

The AdminEmailConfig type treats both 'standard' and 'resend' identically, requiring SMTP fields that Resend doesn't use:

export type AdminEmailConfig = (
  {
    type: "standard" | "resend", // ❌ Both require same SMTP fields
    senderName: string,
    senderEmail: string,
    host: string,      // ❌ Resend doesn't need this
    port: number,      // ❌ Resend doesn't need this  
    username: string,  // ❌ Resend doesn't need this
    password: string,  // This is the API key for Resend
  }
  | { type: "shared" }
);

Impact: This will cause runtime errors when Resend configurations are processed expecting different field structures.

2. Hard-coded Provider Assignment

Location: apps/backend/src/lib/projects.tsx:209

provider: "smtp", // ❌ Always SMTP, ignores actual provider type

Impact: All email configurations, including Resend, get incorrectly stored as 'smtp' in the database.

3. Data Access Pattern Inconsistency

Location: apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/emails/page-client.tsx:285

const emailConfig = project.config.emailConfig || throwErr("Email config is not set");

Issue: Uses legacy project.config.emailConfig instead of the new project.useConfig().emails.server pattern used elsewhere in the same file (line 25).

🛡️ Security Concerns

1. API Key Storage & Transmission

• Line 230: Resend API keys are stored as 'password' type but may need additional security considerations
• Line 136: Hard-coded test email recipient '[email protected]' could be a privacy concern
• Recommendation: Consider encrypting API keys differently than passwords, make test email configurable

2. Error Message Exposure

• Current error handling appears to properly sanitize Resend API errors
• No obvious information leakage detected

🐛 Bugs & Logic Issues

1. Schema Default Provider

Location: packages/stack-shared/src/config/schema.ts:428

provider: "smtp", // ❌ Should be dynamic based on actual configuration

2. Hard-coded SMTP Configuration

Location: page-client.tsx:186-192

host: 'smtp.resend.com',  // ❌ Should be constants
port: 465,
username: 'resend',

Issue: These values are hard-coded and should be moved to configuration constants.

3. Schema Validation Mismatch

The schema validation at line 203 allows 'resend' provider but the validation functions may still require SMTP fields.

📊 Performance & Code Quality

Positive Aspects:

• ✅ Proper async/await patterns
• ✅ Efficient form state management
• ✅ Good separation of concerns

Areas for Improvement:

• Form change handlers trigger on every keystroke (minor performance impact)
• No caching for Resend SMTP constants
• Missing JSDoc comments for complex functions

🧪 Test Coverage

Missing:

• Unit tests for Resend provider validation logic
• Integration tests for Resend configuration flow
• Error handling tests for invalid Resend API keys
• E2E tests for dashboard Resend configuration

Existing:

• Schema validation is automatically covered by yup
• Basic UI component coverage likely exists

🎯 Specific Recommendations

High Priority (Must Fix):

1. Fix type definitions - Create separate types for different email provider configurations
2. Dynamic provider assignment - Use actual provider type instead of hard-coding 'smtp'
3. Consistent data access - Use project.useConfig().emails.server throughout
4. Extract constants - Move hard-coded Resend SMTP values to configuration constants

Medium Priority:

1. Add comprehensive tests - Especially integration tests for new provider
2. Security hardening - Consider API key encryption, configurable test emails
3. Error handling - Improve error messages for configuration failures

Low Priority:

1. Code organization - Extract Resend logic to utility functions
2. Performance - Minor optimizations for form handling

🔧 Suggested Code Changes

// Fix AdminEmailConfig type
export type AdminEmailConfig = 
  | {
      type: "standard",
      senderName: string,
      senderEmail: string,
      host: string,
      port: number,
      username: string,
      password: string,
    }
  | {
      type: "resend",
      senderName: string,
      senderEmail: string,
      password: string, // API key
    }
  | {
      type: "shared",
    };

// Fix provider assignment
provider: dataOptions.email_config.type === 'resend' ? 'resend' : 'smtp',

// Extract constants
const RESEND_CONFIG = {
  host: 'smtp.resend.com',
  port: 465,
  username: 'resend'
} as const;

⚡ Final Assessment

Status: ⚠️ Needs Major Revision

While the implementation demonstrates good understanding of the existing architecture, the type system inconsistencies and hard-coded provider assignments create critical bugs that will cause runtime failures. The security considerations and test coverage gaps are important but not immediately blocking.

Recommended Actions:

1. Address the 3 critical type/logic issues identified above
2. Add basic integration tests for Resend functionality
3. Extract hard-coded values to constants
4. Consider implementing the security improvements

Once these issues are resolved, this will be a solid addition to Stack Auth's email capabilities.

Claude encountered an error —— View job

PR Review: Resend Email Provider Support

Review Checklist:

• Analyze all changed files and understand the implementation
• Review code quality and best practices
• Check for potential bugs and issues
• Evaluate security concerns
• Assess performance considerations
• Examine test coverage needs
• Provide comprehensive feedback and recommendations

Starting analysis of the PR changes...

wait, where do you actually send the emails with resend?

I'm still sending through smtp, just using resend option to prefill smtp properties