storacha · travis · Jan 27, 2023 · Jan 27, 2023 · Jan 27, 2023 · Jan 27, 2023
diff --git a/packages/access-api/postmark/welcome.html b/packages/access-api/postmark/welcome.html
@@ -1,5 +1,6 @@
 
 <p>Hi {{email}}! To complete your {{product_name}} registration, we just need to verify your email address.</p>
+<p>Before clicking the button below, please confirm the app you are trying to register is showing this phrase: <code>{{match_phrase}}</code></p>
 <!-- Action -->
 <table class="body-action" align="center" width="100%" cellpadding="0" cellspacing="0">
   <tr>

diff --git a/packages/access-api/postmark/welcome.txt b/packages/access-api/postmark/welcome.txt
@@ -1,7 +1,11 @@
 Hi {{email}}! To complete your {{product_name}} registration,
 we just need to verify your email address.
 
-Please visit the following link in your web browser:
+Please confirm the app you are trying to register is showing this phrase:
+
+{{match_phrase}}
+
+If it is, please visit the following link in your web browser:
 
 {{action_url}}
 

diff --git a/packages/access-api/src/service/index.js b/packages/access-api/src/service/index.js
@@ -14,6 +14,7 @@ import { voucherClaimProvider } from './voucher-claim.js'
 import { voucherRedeemProvider } from './voucher-redeem.js'
 import * as uploadApi from './upload-api-proxy.js'
 import { accessAuthorizeProvider } from './access-authorize.js'
+import { generateNoncePhrase } from '../utils/phrase.js'
 import { accessDelegateProvider } from './access-delegate.js'
 import { accessClaimProvider } from './access-claim.js'
 import { providerAddProvider } from './provider-add.js'
@@ -195,6 +196,7 @@ export function service(ctx) {
 
           const encoded = delegationToString(inv)
           const url = `${ctx.url.protocol}//${ctx.url.host}/validate-email?ucan=${encoded}&mode=recover`
+          const nonce = generateNoncePhrase()
 
           // For testing
           if (ctx.config.ENV === 'test') {
@@ -204,7 +206,9 @@ export function service(ctx) {
           await ctx.email.sendValidation({
             to: capability.nb.identity.replace('mailto:', ''),
             url,
+            nonce,
           })
+          return { matchPhrase: nonce }
         }
       ),
     },

diff --git a/packages/access-api/src/service/voucher-claim.js b/packages/access-api/src/service/voucher-claim.js
@@ -1,6 +1,7 @@
 import * as Server from '@ucanto/server'
 import * as Voucher from '@web3-storage/capabilities/voucher'
 import { delegationToString } from '@web3-storage/access/encoding'
+import { generateNoncePhrase } from '../utils/phrase.js'
 
 /**
  * @param {import('../bindings').RouteContext} ctx
@@ -41,10 +42,13 @@ export function voucherClaimProvider(ctx) {
     }
 
     const url = `${ctx.url.protocol}//${ctx.url.host}/validate-email?ucan=${encoded}`
+    const nonce = generateNoncePhrase()
 
     await ctx.email.sendValidation({
       to: capability.nb.identity.replace('mailto:', ''),
       url,
+      nonce,
     })
+    return { matchPhrase: nonce }
   })
 }
diff --git a/packages/access-api/src/utils/email.js b/packages/access-api/src/utils/email.js
@@ -4,6 +4,7 @@ export const debug = () => new DebugEmail()
  * @typedef ValidationEmailSend
  * @property {string} to
  * @property {string} url
+ * @property {string} nonce
  */
 
 /**
@@ -44,6 +45,7 @@ export class Email {
           product_name: 'Web3 Storage',
           email: opts.to,
           action_url: opts.url,
+          match_phrase: opts.nonce,
         },
       }),
     })