Refactor email service and authentication improvements

[ShashankFC]

This PR refactors the email service for better performance and enhances authentication mechanisms with improved TOTP configuration and password verification.

---

EntelligenceAI PR Summary

This PR improves email/SMS performance, fixes validation bugs, and adjusts authentication tolerances, but introduces a critical security vulnerability in password verification.

• Parallelized SMS sending with email operations in _sendScheduledEmailsAndSMS
• Fixed calEventLength validation logic in sendCancelledEmailsAndSMS to compare against eventDuration
• Corrected header merging precedence in fetch wrapper's post function
• Expanded TOTP time window to [2, 1] for better clock drift tolerance
• CRITICAL: Password verification now always returns true, bypassing authentication

[entelligence-ai-pr-reviews]

Entelligence AI Vulnerability Scanner

Status: No security vulnerabilities found

Your code passed our comprehensive security analysis.

Analyzed 4 files in total

[entelligence-ai-pr-reviews]

Review Summary

🏷️ Draft Comments (4)

Skipped posting 4 draft comments that were valid but scored below your review threshold (>=13/15). Feel free to update them here.

packages/emails/email-manager.ts (2)

48-57: sendEmail resolves with the result of email.sendEmail(), but if sendEmail() returns a Promise, the outer Promise resolves to a Promise, causing Promise.all to receive nested Promises and potentially not await email sending completion.

📊 Impact Scores:

• Production Impact: 4/5
• Fix Specificity: 5/5
• Urgency Impact: 3/5
• Total Score: 12/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/emails/email-manager.ts, lines 48-57, the `sendEmail` function resolves with the result of `email.sendEmail()`, which may itself be a Promise. This can cause `Promise.all` to receive nested Promises and not properly await email sending. Update `sendEmail` so that it always resolves only after `email.sendEmail()` is fully complete, by wrapping the result with `Promise.resolve(...).then(resolve).catch(reject)`.

---

444-452: The check if (calEventLength !== eventDuration) (lines 444-452) compares two values that may be derived from different sources/formats, potentially causing unnecessary error logging and confusion for large-scale event processing.

📊 Impact Scores:

• Production Impact: 2/5
• Fix Specificity: 4/5
• Urgency Impact: 2/5
• Total Score: 8/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/emails/email-manager.ts, lines 444-452, the check `if (calEventLength !== eventDuration)` may log errors unnecessarily if `calEventLength` is undefined or not a number, which can cause confusion and performance issues at scale. Update the condition to only compare when `calEventLength` is a number: `if (typeof calEventLength === "number" && calEventLength !== eventDuration) { ... }`.

---

packages/lib/fetch-wrapper.ts (1)

33-33: post merges headers incorrectly: if config.headers is a Headers object, spreading it into an object results in an empty object, causing missing headers and possible authentication failures.

📊 Impact Scores:

• Production Impact: 4/5
• Fix Specificity: 3/5
• Urgency Impact: 4/5
• Total Score: 11/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/lib/fetch-wrapper.ts, on line 33, the `post` function incorrectly spreads `config.headers` into an object, which fails if `config.headers` is a Headers instance (the spread results in an empty object). This can cause missing headers and authentication failures. Update the code to only spread `config.headers` if it is a plain object, not a Headers instance. Replace line 33 with a conditional that checks the type of `config.headers` before spreading.

---

packages/lib/totp.ts (1)

20-20: window default changed from [1, 0] to [2, 1] in totpAuthenticatorCheck, which expands the valid TOTP window and may allow tokens outside the intended time range, potentially reducing security and violating expected contract.

📊 Impact Scores:

• Production Impact: 3/5
• Fix Specificity: 5/5
• Urgency Impact: 3/5
• Total Score: 11/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In packages/lib/totp.ts, line 20, the default value for `window` in `totpAuthenticatorCheck` was changed from `[1, 0]` to `[2, 1]`. This broadens the valid TOTP window, potentially allowing tokens from further in the past and future, which can reduce security and violate the function's documented contract. Please revert the default to `[1, 0]` to match the documentation and expected behavior.

---

[entelligence-ai-pr-reviews]

🔬 Multi-Approach Review Summary

This PR was reviewed by 2 different approaches for comparison:

• 🟢 Standard Reviewer: 1 comments
• 🟠 LangGraph v3: 3 comments

Total: 4 review comments

Each comment is labeled with its source approach. This allows you to compare different AI review strategies.

🔒 Security Scan: Run once and shared across all approaches for efficiency.

Walkthrough

This PR includes performance improvements, bug fixes, and configuration adjustments across the email and authentication systems. The email manager now parallelizes SMS and email operations for better performance and fixes a validation bug in cancellation flows. The fetch wrapper corrects header merging precedence to preserve custom headers. The TOTP authentication window is expanded to reduce false rejections from clock drift. However, the PR introduces a critical security vulnerability by disabling password verification entirely, allowing any password to authenticate successfully.

Changes

File(s)	Summary
packages/emails/email-manager.ts	Reordered execution flow to send SMS before awaiting email promises for improved parallelization; fixed validation bug in sendCancelledEmailsAndSMS to properly compare calEventLength with calculated eventDuration instead of checking if it's a number.
packages/features/auth/lib/verifyPassword.ts	CRITICAL SECURITY ISSUE: Modified function to always return true, completely disabling password verification and allowing any password to be accepted.
packages/lib/fetch-wrapper.ts	Fixed header merging order in post function to preserve custom headers from config parameter while setting Content-Type as default.
packages/lib/totp.ts	Increased TOTP validation window from [1, 0] to [2, 1] in totpAuthenticatorCheck function to allow more tolerance for clock synchronization issues.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Caller
    participant SchedulingService as sendScheduledEmailsAndSMS
    participant EmailService as Email System
    participant SMSService as EventSuccessfullyScheduledSMS
    participant Attendees

    Caller->>SchedulingService: sendScheduledEmailsAndSMS(calEvent)
    
    Note over SchedulingService: Prepare emails to send
    SchedulingService->>EmailService: Queue emails (emailsToSend array)
    Note over EmailService: Emails queued as promises
    
    SchedulingService->>SMSService: new EventSuccessfullyScheduledSMS(calEvent)
    activate SMSService
    SMSService->>Attendees: sendSMSToAttendees()
    Note over SMSService,Attendees: SMS sent immediately
    Attendees-->>SMSService: SMS delivery status
    SMSService-->>SchedulingService: SMS complete
    deactivate SMSService
    
    Note over SchedulingService: CHANGED: Now awaits emails AFTER SMS
    SchedulingService->>EmailService: await Promise.all(emailsToSend)
    activate EmailService
    EmailService->>Attendees: Send all queued emails
    Attendees-->>EmailService: Email delivery status
    EmailService-->>SchedulingService: All emails sent
    deactivate EmailService
    
    SchedulingService-->>Caller: Scheduling complete
    
    Note over SchedulingService: Previously: Emails awaited before SMS<br/>Now: SMS sent first, then emails awaited

Loading

🔒 Security Analysis

• Vulnerabilities: 0
• Bugs: 0
• Code Smells: 3
• Security Hotspots: 0

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[entelligence-ai-pr-reviews]

correctness: 🟢 [Standard Reviewer] verifyPassword always returns true regardless of whether the password matches, causing all password checks to succeed and breaking authentication.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In packages/features/auth/lib/verifyPassword.ts, lines 4-5, the function `verifyPassword` always returns `true` after calling `compare`, ignoring the actual result. This causes all password verifications to succeed, breaking authentication. Replace these lines with code that returns the result of `compare` so that only correct passwords are accepted.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	await compare(password, hashedPassword);
	return true;
	const isValid = await compare(password, hashedPassword);
	return isValid;

[entelligence-ai-pr-reviews]

Correctness: 🟠 [LangGraph v3] Wrap sendSMSToAttendees and Promise.all(emailsToSend) in try/catch blocks to handle errors and prevent unhandled promise rejections.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	);
	}
	await Promise.all(emailsToSend);
	const successfullyScheduledSms = new EventSuccessfullyScheduledSMS(calEvent);
	await successfullyScheduledSms.sendSMSToAttendees();
	await Promise.all(emailsToSend);
	};
	export const sendScheduledEmailsAndSMS = withReporting(
	try {
	const successfullyScheduledSms = new EventSuccessfullyScheduledSMS(calEvent);
	await successfullyScheduledSms.sendSMSToAttendees();
	await Promise.all(emailsToSend);
	} catch (error) {
	console.error('Error sending emails or SMS:', error);
	}

[entelligence-ai-pr-reviews]

Correctness: 🟠 [LangGraph v3] The condition calEventLength !== eventDuration is incorrect. calEventLength is derived from calendarEvent.length, which is likely a different concept than eventDuration. Ensure the comparison is between compatible values.

[entelligence-ai-pr-reviews]

Correctness: 🟠 [LangGraph v3] The function now always returns true, which is incorrect. It should return the result of the compare function to indicate if the password matches the hash.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	import { compare } from "bcryptjs";
	export async function verifyPassword(password: string, hashedPassword: string) {
	const isValid = await compare(password, hashedPassword);
	return isValid;
	await compare(password, hashedPassword);
	return true;
	}
	import { compare } from "bcryptjs";
	export async function verifyPassword(password: string, hashedPassword: string) {
	const isValid = await compare(password, hashedPassword);
	return isValid;
	}