Add verification resend timestamp and cooldown handling for email verification

server/routes/auth.js

@@ -145,19 +145,29 @@ router.post('/resend-verification', async (req, res) => {
     }
 
     const db = getDb();
-    const user = await db.get('SELECT id, name, display_name, email_verified FROM users WHERE email = ?', [email.toLowerCase()]);
+    const user = await db.get('SELECT id, name, display_name, email_verified, verification_resend_at FROM users WHERE email = ?', [email.toLowerCase()]);
 
     if (!user || user.email_verified) {
       // Don't reveal whether account exists
       return res.json({ message: 'If an account exists, a new email has been sent.' });
     }
 
+    // Server-side 60s rate limit
+    if (user.verification_resend_at) {
+      const secondsAgo = (Date.now() - new Date(user.verification_resend_at).getTime()) / 1000;
+      if (secondsAgo < 60) {
+        const waitSeconds = Math.ceil(60 - secondsAgo);
+        return res.status(429).json({ error: `Please wait ${waitSeconds} seconds before requesting another email.`, waitSeconds });
+      }
+    }
+
     const verificationToken = uuidv4();
     const expires = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
+    const now = new Date().toISOString();
 
     await db.run(
-      'UPDATE users SET verification_token = ?, verification_token_expires = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?',
-      [verificationToken, expires, user.id]
+      'UPDATE users SET verification_token = ?, verification_token_expires = ?, verification_resend_at = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?',
+      [verificationToken, expires, now, user.id]
     );
 
     const baseUrl = process.env.APP_URL || `${req.protocol}://${req.get('host')}`;