feat: Implement email change functionality

This commit introduces the following changes: - Added new API endpoints for email change requests and verification. - Updated the backend code to support email change workflow, including validation, code generation, and email sending. - Updated the frontend to include components for initiating and verifying email changes. - Added new dependencies to support email change functionality. - Updated the existing components to include email change functionality. https://codeberg.org/mapleopentech/monorepo/issues/1
2025-12-05 15:29:26 -05:00 · 2025-12-05 15:29:26 -05:00 · 598a7d3fad
commit 598a7d3fad
parent 480a2b557d
19 changed files with 1213 additions and 65 deletions
--- a/cloud/maplefile-backend/internal/service/me/change_email_request.go
+++ b/cloud/maplefile-backend/internal/service/me/change_email_request.go
@ -0,0 +1,304 @@
+// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/me/change_email_request.go
+package me
+
+import (
+	"context"
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"html"
+	"net/mail"
+	"strings"
+	"time"
+
+	"github.com/awnumar/memguard"
+	"github.com/gocql/gocql"
+	"go.uber.org/zap"
+
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config/constants"
+	uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
+)
+
+type ChangeEmailRequestDTO struct {
+	NewEmail string `json:"new_email"`
+}
+
+type ChangeEmailRequestResponseDTO struct {
+	Message string `json:"message"`
+	Success bool   `json:"success"`
+}
+
+type ChangeEmailRequestService interface {
+	Execute(ctx context.Context, req *ChangeEmailRequestDTO) (*ChangeEmailRequestResponseDTO, error)
+}
+
+type changeEmailRequestServiceImpl struct {
+	config                *config.Configuration
+	logger                *zap.Logger
+	auditLogger           auditlog.AuditLogger
+	userGetByIDUseCase    uc_user.UserGetByIDUseCase
+	userGetByEmailUseCase uc_user.UserGetByEmailUseCase
+	userUpdateUseCase     uc_user.UserUpdateUseCase
+	emailer               mailgun.Emailer
+}
+
+func NewChangeEmailRequestService(
+	config *config.Configuration,
+	logger *zap.Logger,
+	auditLogger auditlog.AuditLogger,
+	userGetByIDUseCase uc_user.UserGetByIDUseCase,
+	userGetByEmailUseCase uc_user.UserGetByEmailUseCase,
+	userUpdateUseCase uc_user.UserUpdateUseCase,
+	emailer mailgun.Emailer,
+) ChangeEmailRequestService {
+	logger = logger.Named("ChangeEmailRequestService")
+
+	return &changeEmailRequestServiceImpl{
+		config:                config,
+		logger:                logger,
+		auditLogger:           auditLogger,
+		userGetByIDUseCase:    userGetByIDUseCase,
+		userGetByEmailUseCase: userGetByEmailUseCase,
+		userUpdateUseCase:     userUpdateUseCase,
+		emailer:               emailer,
+	}
+}
+
+func (svc *changeEmailRequestServiceImpl) Execute(ctx context.Context, req *ChangeEmailRequestDTO) (*ChangeEmailRequestResponseDTO, error) {
+	//
+	// Get user from context
+	//
+
+	userID, ok := ctx.Value(constants.SessionUserID).(gocql.UUID)
+	if !ok {
+		svc.logger.Error("Failed getting user id from context")
+		return nil, errors.New("user id not found in context")
+	}
+
+	//
+	// Validation
+	//
+
+	if req == nil {
+		svc.logger.Warn("Request is nil")
+		return nil, httperror.NewForBadRequestWithSingleField("non_field_error", "Request is required")
+	}
+
+	// Sanitize and validate new email
+	req.NewEmail = strings.ToLower(strings.TrimSpace(req.NewEmail))
+
+	e := make(map[string]string)
+	if req.NewEmail == "" {
+		e["new_email"] = "New email address is required"
+	} else {
+		// Validate email format
+		if _, err := mail.ParseAddress(req.NewEmail); err != nil {
+			e["new_email"] = "Please enter a valid email address"
+		}
+	}
+
+	if len(e) != 0 {
+		svc.logger.Warn("Validation failed", zap.Any("errors", e))
+		return nil, httperror.NewForBadRequest(&e)
+	}
+
+	//
+	// Get current user
+	//
+
+	user, err := svc.userGetByIDUseCase.Execute(ctx, userID)
+	if err != nil {
+		svc.logger.Error("Failed getting user by ID", zap.Error(err))
+		return nil, err
+	}
+	if user == nil {
+		err := fmt.Errorf("user is nil after lookup for id: %v", userID.String())
+		svc.logger.Error("User not found", zap.Error(err))
+		return nil, err
+	}
+
+	//
+	// Check if new email is same as current
+	//
+
+	if req.NewEmail == user.Email {
+		e["new_email"] = "New email is the same as your current email"
+		return nil, httperror.NewForBadRequest(&e)
+	}
+
+	//
+	// Check if new email is already in use
+	//
+
+	existingUser, err := svc.userGetByEmailUseCase.Execute(ctx, req.NewEmail)
+	if err != nil {
+		svc.logger.Error("Failed checking if email exists",
+			zap.String("email", validation.MaskEmail(req.NewEmail)),
+			zap.Error(err))
+		return nil, err
+	}
+	if existingUser != nil {
+		svc.logger.Warn("Attempted to change to email already in use",
+			zap.String("user_id", userID.String()),
+			zap.String("existing_user_id", existingUser.ID.String()),
+			zap.String("new_email", validation.MaskEmail(req.NewEmail)))
+		e["new_email"] = "This email address is already in use"
+		return nil, httperror.NewForBadRequest(&e)
+	}
+
+	//
+	// Generate verification code
+	//
+
+	verificationCode := svc.generateVerificationCode()
+	verificationExpiry := time.Now().Add(24 * time.Hour)
+
+	svc.logger.Debug("Generated verification code",
+		zap.String("user_id", user.ID.String()),
+		zap.String("code", verificationCode),
+		zap.Int("code_length", len(verificationCode)),
+		zap.String("code_bytes", fmt.Sprintf("%v", []byte(verificationCode))))
+
+	//
+	// Store pending email change
+	//
+
+	user.SecurityData.PendingEmail = req.NewEmail
+	user.SecurityData.PendingEmailCode = verificationCode
+	user.SecurityData.PendingEmailExpiry = verificationExpiry
+	user.ModifiedAt = time.Now()
+
+	if err := svc.userUpdateUseCase.Execute(ctx, user); err != nil {
+		svc.logger.Error("Failed to update user with pending email",
+			zap.String("user_id", user.ID.String()),
+			zap.Error(err))
+		return nil, httperror.NewInternalServerError("Failed to initiate email change. Please try again.")
+	}
+
+	// Verify code was saved correctly by reading it back
+	verifyUser, err := svc.userGetByIDUseCase.Execute(ctx, userID)
+	if err == nil && verifyUser != nil {
+		svc.logger.Debug("Verified stored code after save",
+			zap.String("user_id", userID.String()),
+			zap.String("stored_code", verifyUser.SecurityData.PendingEmailCode),
+			zap.String("original_code", verificationCode),
+			zap.Bool("codes_match", verifyUser.SecurityData.PendingEmailCode == verificationCode))
+	}
+
+	//
+	// Send verification email to NEW address
+	//
+
+	if err := svc.sendVerificationEmail(ctx, req.NewEmail, user.FirstName, verificationCode); err != nil {
+		svc.logger.Error("Failed to send verification email to new address",
+			zap.String("email", validation.MaskEmail(req.NewEmail)),
+			zap.Error(err))
+
+		// Rollback: Clear pending email change
+		user.SecurityData.PendingEmail = ""
+		user.SecurityData.PendingEmailCode = ""
+		user.SecurityData.PendingEmailExpiry = time.Time{}
+		svc.userUpdateUseCase.Execute(ctx, user)
+
+		return nil, httperror.NewInternalServerError("Failed to send verification email. Please try again.")
+	}
+
+	//
+	// Send notification to OLD address
+	//
+
+	if err := svc.sendChangeNotificationEmail(ctx, user.Email, user.FirstName, req.NewEmail); err != nil {
+		// Log error but don't fail the request - notification is informational
+		svc.logger.Warn("Failed to send change notification to old email",
+			zap.String("email", validation.MaskEmail(user.Email)),
+			zap.Error(err))
+	}
+
+	//
+	// Audit log
+	//
+
+	svc.auditLogger.LogAuth(ctx, "email_change_requested", auditlog.OutcomeSuccess,
+		validation.MaskEmail(user.Email), "", map[string]string{
+			"user_id":   user.ID.String(),
+			"new_email": validation.MaskEmail(req.NewEmail),
+		})
+
+	svc.logger.Info("Email change requested successfully",
+		zap.String("user_id", user.ID.String()),
+		zap.String("old_email", validation.MaskEmail(user.Email)),
+		zap.String("new_email", validation.MaskEmail(req.NewEmail)))
+
+	return &ChangeEmailRequestResponseDTO{
+		Message: fmt.Sprintf("Verification code sent to %s. Please check your email and verify within 24 hours.", req.NewEmail),
+		Success: true,
+	}, nil
+}
+
+func (svc *changeEmailRequestServiceImpl) generateVerificationCode() string {
+	// Generate random 8-digit code for increased entropy
+	// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
+	b := make([]byte, 4)
+	rand.Read(b)
+	defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
+	code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
+	code = (code % 90000000) + 10000000
+	return fmt.Sprintf("%d", code)
+}
+
+func (svc *changeEmailRequestServiceImpl) sendVerificationEmail(ctx context.Context, email, firstName, code string) error {
+	subject := "Verify Your New Email Address"
+	sender := svc.emailer.GetSenderEmail()
+
+	// Escape user input to prevent HTML injection
+	safeFirstName := html.EscapeString(firstName)
+
+	htmlContent := fmt.Sprintf(`
+		<html>
+			<body>
+				<h2>Hi %s,</h2>
+				<p>You requested to change your email address on MapleFile. Please verify your new email address by entering this code:</p>
+				<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
+				<p>This code will expire in 24 hours.</p>
+				<p><strong>If you didn't request this change, please ignore this email and contact support immediately.</strong></p>
+				<p>Your account email will not be changed until you verify this code.</p>
+			</body>
+		</html>
+	`, safeFirstName, code)
+
+	return svc.emailer.Send(ctx, sender, subject, email, htmlContent)
+}
+
+func (svc *changeEmailRequestServiceImpl) sendChangeNotificationEmail(ctx context.Context, oldEmail, firstName, newEmail string) error {
+	subject := "Email Change Request - Action Required"
+	sender := svc.emailer.GetSenderEmail()
+
+	// Escape user input to prevent HTML injection
+	safeFirstName := html.EscapeString(firstName)
+	safeNewEmail := html.EscapeString(newEmail) // Show full new email so user knows what email is being requested
+
+	htmlContent := fmt.Sprintf(`
+		<html>
+			<body>
+				<h2>Hi %s,</h2>
+				<p><strong>Important Security Notice:</strong> A request was made to change your MapleFile account email address.</p>
+				<p><strong>New email address:</strong> %s</p>
+				<p>If you made this request, you can safely ignore this email. The new email address must be verified before the change takes effect.</p>
+				<p><strong>If you did NOT request this change:</strong></p>
+				<ul>
+					<li>Your account may be compromised</li>
+					<li>Change your password immediately</li>
+					<li>Contact support at support@maplefile.com</li>
+				</ul>
+				<p>This email change request will expire in 24 hours if not verified.</p>
+			</body>
+		</html>
+	`, safeFirstName, safeNewEmail)
+
+	return svc.emailer.Send(ctx, sender, subject, oldEmail, htmlContent)
+}
--- a/cloud/maplefile-backend/internal/service/me/change_email_verify.go
+++ b/cloud/maplefile-backend/internal/service/me/change_email_verify.go
@ -0,0 +1,314 @@
+// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/me/change_email_verify.go
+package me
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"html"
+	"strings"
+	"time"
+
+	"github.com/gocql/gocql"
+	"go.uber.org/zap"
+
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config/constants"
+	uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
+)
+
+type ChangeEmailVerifyRequestDTO struct {
+	VerificationCode string `json:"verification_code"`
+}
+
+type ChangeEmailVerifyResponseDTO struct {
+	Message  string `json:"message"`
+	Success  bool   `json:"success"`
+	NewEmail string `json:"new_email"`
+}
+
+type ChangeEmailVerifyService interface {
+	Execute(ctx context.Context, req *ChangeEmailVerifyRequestDTO) (*ChangeEmailVerifyResponseDTO, error)
+}
+
+type changeEmailVerifyServiceImpl struct {
+	config             *config.Configuration
+	logger             *zap.Logger
+	auditLogger        auditlog.AuditLogger
+	userGetByIDUseCase uc_user.UserGetByIDUseCase
+	userUpdateUseCase  uc_user.UserUpdateUseCase
+	emailer            mailgun.Emailer
+}
+
+func NewChangeEmailVerifyService(
+	config *config.Configuration,
+	logger *zap.Logger,
+	auditLogger auditlog.AuditLogger,
+	userGetByIDUseCase uc_user.UserGetByIDUseCase,
+	userUpdateUseCase uc_user.UserUpdateUseCase,
+	emailer mailgun.Emailer,
+) ChangeEmailVerifyService {
+	logger = logger.Named("ChangeEmailVerifyService")
+
+	return &changeEmailVerifyServiceImpl{
+		config:             config,
+		logger:             logger,
+		auditLogger:        auditLogger,
+		userGetByIDUseCase: userGetByIDUseCase,
+		userUpdateUseCase:  userUpdateUseCase,
+		emailer:            emailer,
+	}
+}
+
+func (svc *changeEmailVerifyServiceImpl) Execute(ctx context.Context, req *ChangeEmailVerifyRequestDTO) (*ChangeEmailVerifyResponseDTO, error) {
+	//
+	// Get user from context
+	//
+
+	userID, ok := ctx.Value(constants.SessionUserID).(gocql.UUID)
+	if !ok {
+		svc.logger.Error("Failed getting user id from context")
+		return nil, errors.New("user id not found in context")
+	}
+
+	//
+	// Validation
+	//
+
+	if req == nil {
+		svc.logger.Warn("Request is nil")
+		return nil, httperror.NewForBadRequestWithSingleField("non_field_error", "Request is required")
+	}
+
+	req.VerificationCode = strings.TrimSpace(req.VerificationCode)
+
+	e := make(map[string]string)
+	if req.VerificationCode == "" {
+		e["verification_code"] = "Verification code is required"
+	} else if len(req.VerificationCode) != 8 {
+		e["verification_code"] = "Verification code must be 8 digits"
+	} else {
+		// Validate that code is numeric
+		for _, c := range req.VerificationCode {
+			if c < '0' || c > '9' {
+				e["verification_code"] = "Verification code must contain only numbers"
+				break
+			}
+		}
+	}
+
+	if len(e) != 0 {
+		svc.logger.Warn("Validation failed", zap.Any("errors", e))
+		return nil, httperror.NewForBadRequest(&e)
+	}
+
+	//
+	// Get current user
+	//
+
+	user, err := svc.userGetByIDUseCase.Execute(ctx, userID)
+	if err != nil {
+		svc.logger.Error("Failed getting user by ID", zap.Error(err))
+		return nil, err
+	}
+	if user == nil {
+		err := fmt.Errorf("user is nil after lookup for id: %v", userID.String())
+		svc.logger.Error("User not found", zap.Error(err))
+		return nil, err
+	}
+
+	//
+	// Check if there's a pending email change
+	//
+
+	if user.SecurityData.PendingEmail == "" {
+		svc.logger.Warn("No pending email change found",
+			zap.String("user_id", user.ID.String()))
+		return nil, httperror.NewBadRequestError("No pending email change request found")
+	}
+
+	//
+	// Check if verification code matches
+	//
+
+	svc.logger.Debug("Comparing verification codes",
+		zap.String("user_id", user.ID.String()),
+		zap.String("pending_email", validation.MaskEmail(user.SecurityData.PendingEmail)),
+		zap.String("expected_code", user.SecurityData.PendingEmailCode),
+		zap.String("provided_code", req.VerificationCode),
+		zap.Int("expected_length", len(user.SecurityData.PendingEmailCode)),
+		zap.Int("provided_length", len(req.VerificationCode)),
+		zap.String("expected_bytes", fmt.Sprintf("%v", []byte(user.SecurityData.PendingEmailCode))),
+		zap.String("provided_bytes", fmt.Sprintf("%v", []byte(req.VerificationCode))))
+
+	if user.SecurityData.PendingEmailCode != req.VerificationCode {
+		svc.logger.Warn("Invalid verification code provided",
+			zap.String("user_id", user.ID.String()),
+			zap.String("pending_email", validation.MaskEmail(user.SecurityData.PendingEmail)),
+			zap.String("expected_code", user.SecurityData.PendingEmailCode),
+			zap.String("provided_code", req.VerificationCode),
+			zap.Int("expected_length", len(user.SecurityData.PendingEmailCode)),
+			zap.Int("provided_length", len(req.VerificationCode)))
+
+		// Audit log failed attempt
+		svc.auditLogger.LogAuth(ctx, "email_change_verify_failed", auditlog.OutcomeFailure,
+			validation.MaskEmail(user.Email), "", map[string]string{
+				"user_id": user.ID.String(),
+				"reason":  "invalid_code",
+			})
+
+		return nil, httperror.NewBadRequestError("Invalid verification code")
+	}
+
+	//
+	// Check if verification code has expired
+	//
+
+	if time.Now().After(user.SecurityData.PendingEmailExpiry) {
+		svc.logger.Warn("Verification code expired",
+			zap.String("user_id", user.ID.String()),
+			zap.Time("expiry", user.SecurityData.PendingEmailExpiry))
+
+		// Audit log expired attempt
+		svc.auditLogger.LogAuth(ctx, "email_change_verify_failed", auditlog.OutcomeFailure,
+			validation.MaskEmail(user.Email), "", map[string]string{
+				"user_id": user.ID.String(),
+				"reason":  "code_expired",
+			})
+
+		// Clear expired pending email change
+		user.SecurityData.PendingEmail = ""
+		user.SecurityData.PendingEmailCode = ""
+		user.SecurityData.PendingEmailExpiry = time.Time{}
+		svc.userUpdateUseCase.Execute(ctx, user)
+
+		return nil, httperror.NewBadRequestError("Verification code has expired. Please request a new email change.")
+	}
+
+	//
+	// Perform the email change
+	//
+
+	oldEmail := user.Email
+	newEmail := user.SecurityData.PendingEmail
+
+	user.Email = newEmail
+	user.SecurityData.PendingEmail = ""
+	user.SecurityData.PendingEmailCode = ""
+	user.SecurityData.PendingEmailExpiry = time.Time{}
+	user.ModifiedAt = time.Now()
+
+	// IMPORTANT: Email is still verified - don't reset WasEmailVerified flag
+	// The user has proven ownership of the new email by verifying the code
+
+	if err := svc.userUpdateUseCase.Execute(ctx, user); err != nil {
+		svc.logger.Error("Failed to update user email",
+			zap.String("user_id", user.ID.String()),
+			zap.Error(err))
+		return nil, httperror.NewInternalServerError("Failed to complete email change. Please try again.")
+	}
+
+	//
+	// Send confirmation emails
+	//
+
+	// Send confirmation to NEW email
+	if err := svc.sendConfirmationEmail(ctx, newEmail, user.FirstName, oldEmail); err != nil {
+		// Log error but don't fail the request - email change succeeded
+		svc.logger.Warn("Failed to send confirmation email to new address",
+			zap.String("email", validation.MaskEmail(newEmail)),
+			zap.Error(err))
+	}
+
+	// Send notification to OLD email
+	if err := svc.sendOldEmailNotification(ctx, oldEmail, user.FirstName, newEmail); err != nil {
+		// Log error but don't fail the request - email change succeeded
+		svc.logger.Warn("Failed to send notification to old email",
+			zap.String("email", validation.MaskEmail(oldEmail)),
+			zap.Error(err))
+	}
+
+	//
+	// Audit log
+	//
+
+	svc.auditLogger.LogAuth(ctx, "email_changed", auditlog.OutcomeSuccess,
+		validation.MaskEmail(newEmail), "", map[string]string{
+			"user_id":   user.ID.String(),
+			"old_email": validation.MaskEmail(oldEmail),
+			"new_email": validation.MaskEmail(newEmail),
+		})
+
+	svc.logger.Info("Email changed successfully",
+		zap.String("user_id", user.ID.String()),
+		zap.String("old_email", validation.MaskEmail(oldEmail)),
+		zap.String("new_email", validation.MaskEmail(newEmail)))
+
+	return &ChangeEmailVerifyResponseDTO{
+		Message:  "Email address changed successfully. You can now log in with your new email address.",
+		Success:  true,
+		NewEmail: newEmail,
+	}, nil
+}
+
+func (svc *changeEmailVerifyServiceImpl) sendConfirmationEmail(ctx context.Context, newEmail, firstName, oldEmail string) error {
+	subject := "Email Address Changed Successfully"
+	sender := svc.emailer.GetSenderEmail()
+
+	// Escape user input to prevent HTML injection
+	safeFirstName := html.EscapeString(firstName)
+	maskedOldEmail := validation.MaskEmail(oldEmail)
+
+	htmlContent := fmt.Sprintf(`
+		<html>
+			<body>
+				<h2>Hi %s,</h2>
+				<p><strong>Your email address has been changed successfully!</strong></p>
+				<p><strong>Previous email:</strong> %s</p>
+				<p><strong>New email:</strong> %s</p>
+				<p>You can now log in to MapleFile using your new email address.</p>
+				<p><strong>If you did NOT make this change:</strong></p>
+				<ul>
+					<li>Your account may be compromised</li>
+					<li>Contact support immediately at support@maplefile.com</li>
+				</ul>
+			</body>
+		</html>
+	`, safeFirstName, maskedOldEmail, newEmail)
+
+	return svc.emailer.Send(ctx, sender, subject, newEmail, htmlContent)
+}
+
+func (svc *changeEmailVerifyServiceImpl) sendOldEmailNotification(ctx context.Context, oldEmail, firstName, newEmail string) error {
+	subject := "Your MapleFile Email Address Was Changed"
+	sender := svc.emailer.GetSenderEmail()
+
+	// Escape user input to prevent HTML injection
+	safeFirstName := html.EscapeString(firstName)
+	safeNewEmail := html.EscapeString(newEmail) // Show full new email so user knows where their account was moved
+
+	htmlContent := fmt.Sprintf(`
+		<html>
+			<body>
+				<h2>Hi %s,</h2>
+				<p><strong>This is a notification that your MapleFile account email address has been changed.</strong></p>
+				<p><strong>New email address:</strong> %s</p>
+				<p>This change was completed at %s.</p>
+				<p><strong>If you made this change, you can ignore this email.</strong></p>
+				<p><strong>If you did NOT make this change:</strong></p>
+				<ul>
+					<li>Your account has been compromised</li>
+					<li>Contact support immediately at support@maplefile.com</li>
+					<li>Provide your user ID and details of the unauthorized change</li>
+				</ul>
+				<p>This email was sent to your previous email address for security purposes.</p>
+			</body>
+		</html>
+	`, safeFirstName, safeNewEmail, time.Now().Format("January 2, 2006 at 3:04 PM MST"))
+
+	return svc.emailer.Send(ctx, sender, subject, oldEmail, htmlContent)
+}
--- a/cloud/maplefile-backend/internal/service/me/provider.go
+++ b/cloud/maplefile-backend/internal/service/me/provider.go
@ -6,6 +6,8 @@ import (
 	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
 	uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
 	svc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/user"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
 )

 // Wire providers for me services
@ -50,3 +52,26 @@ func ProvideVerifyProfileService(
 ) VerifyProfileService {
 	return NewVerifyProfileService(cfg, logger, userGetByIDUseCase, userUpdateUseCase)
 }
+
+func ProvideChangeEmailRequestService(
+	cfg *config.Configuration,
+	logger *zap.Logger,
+	auditLogger auditlog.AuditLogger,
+	userGetByIDUseCase uc_user.UserGetByIDUseCase,
+	userGetByEmailUseCase uc_user.UserGetByEmailUseCase,
+	userUpdateUseCase uc_user.UserUpdateUseCase,
+	emailer mailgun.Emailer,
+) ChangeEmailRequestService {
+	return NewChangeEmailRequestService(cfg, logger, auditLogger, userGetByIDUseCase, userGetByEmailUseCase, userUpdateUseCase, emailer)
+}
+
+func ProvideChangeEmailVerifyService(
+	cfg *config.Configuration,
+	logger *zap.Logger,
+	auditLogger auditlog.AuditLogger,
+	userGetByIDUseCase uc_user.UserGetByIDUseCase,
+	userUpdateUseCase uc_user.UserUpdateUseCase,
+	emailer mailgun.Emailer,
+) ChangeEmailVerifyService {
+	return NewChangeEmailVerifyService(cfg, logger, auditLogger, userGetByIDUseCase, userUpdateUseCase, emailer)
+}
--- a/cloud/maplefile-backend/internal/service/me/update.go
+++ b/cloud/maplefile-backend/internal/service/me/update.go
@ -132,24 +132,16 @@ func (svc *updateMeServiceImpl) Execute(sessCtx context.Context, req *UpdateMeRe
 	}

 	//
-	// Check if the requested email is already taken by another user.
+	// Block email changes - must use dedicated email change endpoint
+	// Note: Both emails are already lowercase (req.Email was lowercased in validation, user.Email is stored lowercase)
 	//
-	if req.Email != user.Email {
-		existingUser, err := svc.userGetByEmailUseCase.Execute(sessCtx, req.Email)
-		if err != nil {
-			svc.logger.Error("Failed checking existing email", zap.String("email", validation.MaskEmail(req.Email)), zap.Any("error", err))
-			return nil, err // Internal Server Error
-		}
-		if existingUser != nil {
-			// Email exists and belongs to another user.
-			svc.logger.Warn("Attempted to update to an email already in use",
-				zap.String("user_id", userID.String()),
-				zap.String("existing_user_id", existingUser.ID.String()),
-				zap.String("email", validation.MaskEmail(req.Email)))
-			e["email"] = "This email address is already in use."
-			return nil, httperror.NewForBadRequest(&e)
-		}
-		// If err is mongo.ErrNoDocuments or existingUser is nil, the email is available.
+	if strings.ToLower(req.Email) != strings.ToLower(user.Email) {
+		svc.logger.Warn("Attempted to change email via profile update",
+			zap.String("user_id", userID.String()),
+			zap.String("old_email", validation.MaskEmail(user.Email)),
+			zap.String("new_email", validation.MaskEmail(req.Email)))
+		e["email"] = "Email changes are not allowed through this endpoint. Please use the email change feature in your account settings."
+		return nil, httperror.NewForBadRequest(&e)
 	}

 	//
@ -157,7 +149,7 @@ func (svc *updateMeServiceImpl) Execute(sessCtx context.Context, req *UpdateMeRe
 	//

 	// Apply changes from request DTO to the user object
-	user.Email = req.Email
+	// NOTE: Email is NOT updated here - blocked above
 	user.FirstName = req.FirstName
 	user.LastName = req.LastName
 	user.Name = fmt.Sprintf("%s %s", req.FirstName, req.LastName)