API: Magic Link Emails and Unsubscribe Verification
Property: ChurchWiseAI
Category: API / Integration
Tier: all
Persona: devops
Touchpoint: /api/email/*, magic links, unsubscribe endpoints
Preconditions
- Email service configured (SendGrid, Mailgun, etc.)
- Magic link generation implemented
Steps
| # | Action | Expected Result |
|---|---|---|
| 1 | Trigger email with magic link (e.g., password reset) | Email sent within 5 seconds. Email received with a valid magic link whose token is unguessable (random, not derived from user ID or timestamp). |
| 2 | Click magic link in email | Link works and redirects to an authenticated state. Link expires 24 hours after it was issued. |
| 3 | Reuse the link from step 2, then try an expired link (use a test fixture or clock override rather than waiting 24 hours) | Both return 401 or 'link expired' and do not grant access: links are single-use as well as time-limited. |
| 4 | Send email with unsubscribe link | Email includes a List-Unsubscribe header (and List-Unsubscribe-Post: List-Unsubscribe=One-Click for RFC 8058 one-click unsubscribe) plus an unsubscribe link in the body. |
| 5 | Click unsubscribe link | User unsubscribed without having to log in. Future emails don't send to this address. The link token is signed or unguessable, so one recipient cannot unsubscribe another. |
| 6 | Test deliverability (check spam folder) | Email arrives in inbox, not spam folder. SPF and DKIM configured and passing in the received message's Authentication-Results header, with DMARC alignment. |
| 7 | Verify email sending rate limits | Can send up to 100 emails/min without throttling. Beyond that, requests are rejected with a rate-limit response rather than silently dropped. |
| 8 | Check for PII in emails | No passwords, API keys, session tokens, or other sensitive data in email subject or body. The magic link token is the only secret present, and it is time-limited and single-use. |
Known Failure Modes
- Magic links don't work — password resets fail
- Magic links never expire or can be replayed — security risk
- Unsubscribe doesn't work — GDPR (and CAN-SPAM) violation
- Emails marked as spam — poor deliverability
- PII in emails — privacy breach
References
- Playwright spec: e2e (email validation)
- Code files:
Notes
Tests email deliverability and magic link security. Emails are critical for password resets, onboarding, and notifications; broken email infrastructure means locked-out users and poor onboarding. Must verify deliverability, link expiry and single use, unsubscribe compliance, and absence of PII leaks.