From d60270336e05e9773ca6cdaaaaaf1d92abf4cb18 Mon Sep 17 00:00:00 2001
From: Kirill <mpak8501@yandex.ru>
Date: Fri, 22 May 2026 23:03:03 +0500
Subject: [PATCH] =?UTF-8?q?=D0=BF=D0=B2=D0=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 client/src/app/layout/MainLayout.tsx          |   9 +--
 .../me/ui/sections/AuthMethodsSection.tsx     |  69 ++++++++++++++++++
 .../__tests__/AuthMethodsSection.test.tsx     |   6 +-
 client/src/shared/model/auth.ts               |   5 ++
 .../migration.sql                             |  19 +++++
 server/prisma/prisma/dev.db                   | Bin 364544 -> 364544 bytes
 server/prisma/schema.prisma                   |  15 ++++
 server/src/routes/auth-session.js             |  52 +++++++++++++
 server/src/routes/oauth-social.js             |  12 +--
 9 files changed, 171 insertions(+), 16 deletions(-)
 create mode 100644 server/prisma/migrations/20260522175250_pending_email/migration.sql

diff --git a/client/src/app/layout/MainLayout.tsx b/client/src/app/layout/MainLayout.tsx
index 7c8aaed..d497721 100644
--- a/client/src/app/layout/MainLayout.tsx
+++ b/client/src/app/layout/MainLayout.tsx
@@ -8,8 +8,8 @@ import Stack from '@mui/material/Stack'
 import Typography from '@mui/material/Typography'
 import { Link as RouterLink } from 'react-router-dom'
 import { AppHeader } from '@/app/layout/AppHeader'
-import { STORE_EMAIL, STORE_NAME, STORE_PHONE, VK_URL } from '@/shared/config'
 import vkLogoSrc from '@/shared/assets/vk-logo.svg'
+import { STORE_EMAIL, STORE_NAME, STORE_PHONE, VK_URL } from '@/shared/config'
 import { ScrollOnNavigate } from '@/shared/ui/ScrollOnNavigate'
 import { ScrollToTop } from '@/shared/ui/ScrollToTop'
 
@@ -91,12 +91,7 @@ export function MainLayout({ children }: PropsWithChildren) {
                   color="text.secondary"
                   sx={{ display: 'inline-flex', alignItems: 'center', gap: 0.5, '&:hover': { color: '#4A76A8' } }}
                 >
-                  <Box
-                    component="img"
-                    src={vkLogoSrc}
-                    alt="VK"
-                    sx={{ width: 20, height: 20 }}
-                  />
+                  <Box component="img" src={vkLogoSrc} alt="VK" sx={{ width: 20, height: 20 }} />
                   VK
                 </Link>
               </Stack>
diff --git a/client/src/pages/me/ui/sections/AuthMethodsSection.tsx b/client/src/pages/me/ui/sections/AuthMethodsSection.tsx
index 79ae7f1..8df4011 100644
--- a/client/src/pages/me/ui/sections/AuthMethodsSection.tsx
+++ b/client/src/pages/me/ui/sections/AuthMethodsSection.tsx
@@ -9,10 +9,12 @@ import Typography from '@mui/material/Typography'
 import { useMutation } from '@tanstack/react-query'
 import { useUnit } from 'effector-react'
 import { useForm } from 'react-hook-form'
+import { useSearchParams } from 'react-router-dom'
 import {
   $user,
   changePasswordFx,
   fetchAuthMethodsFx,
+  requestEmailChangeFx,
   setPasswordFx,
   unlinkOAuthFx,
   type AuthMethod,
@@ -77,11 +79,78 @@ export function AuthMethodsSection() {
     return authMethods.filter((m) => m.active).length
   }, [authMethods])
 
+  const [searchParams] = useSearchParams()
+  const emailVerified = searchParams.get('emailVerified')
+
+  const emailForm = useForm<{ email: string }>({
+    defaultValues: { email: '' },
+  })
+  const [emailChangeError, setEmailChangeError] = useState<string | null>(null)
+  const [verificationUrl, setVerificationUrl] = useState<string | null>(null)
+
+  const emailChangeMutation = useMutation({
+    mutationFn: async (email: string) => {
+      setEmailChangeError(null)
+      const url = await requestEmailChangeFx(email)
+      return url
+    },
+    onSuccess: (url) => setVerificationUrl(url),
+    onError: (err) => setEmailChangeError(err?.message || 'Не удалось сменить email'),
+  })
+
   if (!user) return null
 
   return (
     <Box>
       <Typography variant="h6" gutterBottom>
+        Почта
+      </Typography>
+
+      {emailVerified === '1' && (
+        <Alert severity="success" sx={{ mb: 2 }}>
+          Почта успешно подтверждена
+        </Alert>
+      )}
+
+      <Typography sx={{ mb: 2 }} color="text.secondary">
+        {user.email}
+      </Typography>
+
+      {!verificationUrl && (
+        <Stack direction="row" spacing={1} sx={{ mb: 2 }}>
+          <TextField
+            label="Новая почта"
+            type="email"
+            size="small"
+            {...emailForm.register('email')}
+            error={Boolean(emailChangeError)}
+            helperText={emailChangeError}
+          />
+          <Button
+            variant="outlined"
+            disabled={!emailForm.watch('email') || emailChangeMutation.isPending}
+            onClick={() => {
+              const email = emailForm.getValues('email')
+              if (email) emailChangeMutation.mutate(email)
+            }}
+          >
+            Сменить
+          </Button>
+        </Stack>
+      )}
+
+      {verificationUrl && (
+        <Alert severity="info" sx={{ mb: 2 }}>
+          <Stack spacing={1} direction="row" sx={{ alignItems: 'center' }}>
+            <span>Ссылка подтверждения готова.</span>
+            <Button size="small" variant="contained" href={verificationUrl}>
+              Подтвердить email
+            </Button>
+          </Stack>
+        </Alert>
+      )}
+
+      <Typography variant="h6" gutterBottom sx={{ mt: 3 }}>
         Методы входа
       </Typography>
       {fetchError && (
diff --git a/client/src/pages/me/ui/sections/__tests__/AuthMethodsSection.test.tsx b/client/src/pages/me/ui/sections/__tests__/AuthMethodsSection.test.tsx
index 06c425d..693756d 100644
--- a/client/src/pages/me/ui/sections/__tests__/AuthMethodsSection.test.tsx
+++ b/client/src/pages/me/ui/sections/__tests__/AuthMethodsSection.test.tsx
@@ -1,5 +1,6 @@
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query'
 import { render, screen, waitFor } from '@testing-library/react'
+import { MemoryRouter } from 'react-router-dom'
 import { describe, expect, it, vi } from 'vitest'
 import { AuthMethodsSection } from '../AuthMethodsSection'
 
@@ -15,6 +16,7 @@ vi.mock('@/shared/model/auth', () => ({
   fetchAuthMethodsFx: vi.fn().mockResolvedValue([]),
   setPasswordFx: vi.fn(),
   unlinkOAuthFx: vi.fn(),
+  requestEmailChangeFx: vi.fn(),
 }))
 
 vi.mock('@/shared/api/client', () => ({ apiClient: { post: vi.fn() } }))
@@ -29,7 +31,9 @@ function renderSection() {
   const qc = new QueryClient({ defaultOptions: { queries: { retry: false }, mutations: { retry: false } } })
   return render(
     <QueryClientProvider client={qc}>
-      <AuthMethodsSection />
+      <MemoryRouter>
+        <AuthMethodsSection />
+      </MemoryRouter>
     </QueryClientProvider>,
   )
 }
diff --git a/client/src/shared/model/auth.ts b/client/src/shared/model/auth.ts
index bb3d6c4..2e91529 100644
--- a/client/src/shared/model/auth.ts
+++ b/client/src/shared/model/auth.ts
@@ -101,6 +101,11 @@ export const changePasswordFx = createEffect(async (params: { oldPassword: strin
   await apiClient.post('me/change-password', params)
 })
 
+export const requestEmailChangeFx = createEffect(async (email: string) => {
+  const { data } = await apiClient.patch<{ verificationUrl: string }>('me/email', { email })
+  return data.verificationUrl
+})
+
 // ----- Error stores -----
 
 export const $updateProfileError = createErrorStore(updateProfileFx).$error
diff --git a/server/prisma/migrations/20260522175250_pending_email/migration.sql b/server/prisma/migrations/20260522175250_pending_email/migration.sql
new file mode 100644
index 0000000..b6dfb3c
--- /dev/null
+++ b/server/prisma/migrations/20260522175250_pending_email/migration.sql
@@ -0,0 +1,19 @@
+-- CreateTable
+CREATE TABLE "PendingEmail" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "userId" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "expiresAt" DATETIME NOT NULL,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "PendingEmail_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "PendingEmail_token_key" ON "PendingEmail"("token");
+
+-- CreateIndex
+CREATE INDEX "PendingEmail_token_idx" ON "PendingEmail"("token");
+
+-- CreateIndex
+CREATE INDEX "PendingEmail_userId_idx" ON "PendingEmail"("userId");
diff --git a/server/prisma/prisma/dev.db b/server/prisma/prisma/dev.db
index d5a37a2edc479a586a6837fc378465b2b91a5f33..873e50ecbcc654766b87cbcca7b8dbc008b9a244 100644
GIT binary patch
delta 3537
zcma)9Yi!%r6&4?|MA;UlxUuInwiP$dlEqp{iVtzgCMBt{7)UJT;dMrrIuu2{-*0(X
z6k~0%Zo|69K!{;Q>ke6p1i`w*tC;}<_CSFB7>cHC1`Jy^U~Y#3aeocyfF?h(dr3K=
ztaPgcUW@mh`<?F`-t+PJ?DF8*<-s3s+cMZ^u~_E76$Y0TT;G0ql0gUiuAaUyhV5`%
zU$S{dP{;L^ot|@!J-e}4g!fav2ovSKyb_IhS(X#Lq9n0i+RriyF9;$l3p-Z+`K2cm
zr^RKlkS~ybCjSbq7gpTVPO>$QO(VIyl9iGfFAc2)h7&nX@C7SMx$<Q>pS4e7rx1AK
zl@n4fu6PS|lO-)uL8T#O3mF9(+a|CO5?3nTg48rw@f2;gvST2y6A;tm%_=54AJ3cZ
zdM2@@U%ocDRp;d61@jtlZ5cn^14D8i2BCb-sU3DAzd`!+AV09Ufrp+Icj0|f`(O<D
z`&iIVD`JA8C|@y`Y&IHlA;T~w<kj%4y9?+Oc)&`?*+K#sNfI#Pp;0p%Z?K6%LpM6V
z8bsE}QD{Ak@3j))shOvyXTClkJ}`H5YUX6yCXC=7ofEmHxtGzukm_0s88>Eb12*rG
z>g|`1-NwWlEAHScq<Zl+<XH{(pdXRi`kTnGs~rKkM!rbC2qJriTzc{yn_7AY8Erv=
zLJAP1IDf54vCU?zn3v%(nQPPcrD2RLmyf1u^=KiNFT-4qv{&gm+$-^Ps>H|2kwiQ{
zvK<R-gswnj5h9m-<zlHMmHWY7J)u7(Iq*v(Zz7+}8)Vh>06MJUzeC?9)em1n2DOhu
z=*Y4W*)>2rMyiGT=)svI2oZ1(fU|53v`KI<!!jh1Z#LPKzbw|$G~<IQ{PZ8jxM9fv
zOFy&}*;*+t74oYdbe-G^vd|5(>cVi3!EFp0bnSI)1oI#GY;Kb;hkMkILzu%s;O+rJ
z=dc<E7<!#J?~p3_Gv{`vuyV}vLqvPEi1lJS(-;vD$EIO4kRns1xCKCwN@oj9t`w;#
z>3ClKLlF!1ht53>LII=2;<%%2t74a|tu)%P+t*ALl5n>Y6S;alk>l#qz~T_3Y2ZT(
z_{3;vQA?%8D9zXOQp`)$O2V6~W-{iQ03I{>S!293g*XDV<vna{1MIPCE?<HEXx1-_
z>1?B(i)7R=VLhXL?*@JtZN&*9Ft^n*Hf(r@#ZUs~KDr>+{6$}0ipK@rdse9=^3iff
z;fiJ=CqZdTHK`&=QmLGf$_XV3AMD)=`gldQ5rI>{QJWcX<QFNbMe*?5`pT(Pl}R$X
zr_Uid9lmt@X=4o8i9qOKGGRDfwQZKFmZ5!{v`WW1XN+}#b|ch5yt^9P8R|$*hpKfG
zellev;^4a}``z`}#_rC3hctFLc$ocrdtns!*wwQb9(>I1ShtXeomZVizufo7zCFFq
zIo3hhzVB!)4(@QwF7{iez%e8~&+A2qL}^a+N5!ZVp=H0~7kG+~(lJ(+Ilm}Uob2;O
zB~D^EALr*N9^A+r@8cu|oa~6;2ejV(zL%jGp5hp08!d1QN6i<MTr`=B&+G3d-DE&}
z?oZeiA1r?{3l1g+RXSGXDy)#^)a&=LT}OdF>yK)otsvc!UqoDiy~K!R*lx!<WC^eV
zVgn&rJ`=4ZGOP|ce(Uae9rAn|vilJI3V)mQJ(3h^QrB+$RTqxCpoIRO+$SQv0S;UQ
zF+_mRg9@aIfK`m)*dmjSiN$)82U5v$kkO}KF~$d)*loKS#Bs`ap}a-DMUIhU;1S<&
zs<+PIM_Sh20C3mgO~?ap415Em8cilr%#_<fcOP>-C#*4ovN+!b1#69g(ou_68rg)H
z-+*Gl0!0@jxt5iy@hC?bk8GEYwQCwAVKbJJ13My+R!$ToDVD3WvAQb+g50BwarG>Y
zdv-g~u*LBc;uCB?`7XMGhV28kJGLdOW;;%Nhdk~47%Bw#yuNhIQ`KHy#($0DwjWqd
zsn7l#pF8;7FH~$p6BEeuK+hr>C2X9@DcCNVe;++`eCoi-DbL9R2aim7#?4Er`yxKA
z{_7d!acd=?R&q;j>!6yrfDfpX-$Dr0^;^`Yx>Cq~ReKug?=|78i?fJ~3RRU#BHO=c
zhMcF(cOhcG#SSBwE%yvT)+e+(Z{V{CazG7U!oNz_YPKP90$F@KnTsk7^Uisl(0p2H
znrDwKUG3S*nP(o_je9~fo#Bn|9@kOE_bl#+sh6)}htz$S@n0Z4TId?~3ZlAl$Tn^H
z3VsA_l^V98eSnC&n@F{+l%}Ke$!G_^6YZ={&pb8t%}%%T4|hD0ld(L$Cto*$?@#8G
zM@PTO=kfpH(?}QC@JN?N8q}L_;_PR%a37w*2V2$=EP!m3LRYzUv~sZYIrvJ<iEKHO
zUEs~F90U6sM(?8Hf>;n1k{zvFSH-kjIc>`_`Zsdvv}g3<P2AOE^h8EK1STgYaBz@7
z&tmxoxZuAbv+aBM7tWo4_drAf?XL7b{-ezxqyK+m%Y$C*2IzC)_b9;J2Qlp}sH9z;
zy4{?%t`4}zv<h2^&Q8Kcu0800nHX55pvwEBwVdpyDyFTvv`=<4|FE(~KT~ap)u7et
W(X1Zpzeyr_ISX_Lj28=5&wl~2gErLw

delta 9414
zcmeHMeQX`om4EYQ#_@X&9-Dxv2_fdgl&=|P=FaDauAMqAL14!r4cP=*GJbxxpYvXx
z?dLeQ>GG(QR;^SO+EkskYH5%Ph>EtNY5j^=iCwj*qSZnvU1@ifl}gxcB^K?ff9&ob
z)i(P(XJ%{%(!d}4XPmsbGk5Mi_nhDPxaXdE^i<EIr+Oa0`tmF8$>nkf@f*Xh9lzsW
zy4}uSanJLIzq4KLE53PhQ{T4JH}!qFc=B-HZKvP7^@egWuf37e-qzmG{`qvbd5_k-
zUA|R5C@qv53wo`*FkPQ$=$7w?j%Nzn4IO*1ycE@Dt7W59uPIpJ1CGAvFu_E7WJ{{u
zJR2PeT+<p{j*d>0myG#i`733sP|LcfYEh+1Yya?+a=1<E+@0&(4aWbnv$eZZ`WtDp
zq`j5H|88*BcDj4^4XyRocIjWX51Mn6-hyeGB4|v^PM2pEW@?QE>4~x4pU&iOPzKaO
zsWv-}L4FN`JQ`G=7+;<kcjtM~XIBTMv)Z*Zx>vbPEsPD1?z(&Qu7}2U9vm4S{dhWN
zOj7#VB<*ZYJKO3$mH$UAKHHS8N6(p@b_U%1T8qy-Cf$sVXL8yzr@IHgsl`u!TlyqA
zh-;ejPhj{5(sf;_AllFH@ADAw0qx`+uWgFwUz4tl=g%oUgUU8}KuVc51(-G)(@Pc0
zi~I?3{Md$<&OC`tFT=U8e0)*NsoSoR2jbs8CSASyD~V9tuzLK~K>j-Pypq#i0mm<C
ztylKscbr1cY)+d6Ba>P@doKS`_oH`>jqe|+>>7S((jWbpckjHpYx16<@W5!~)>p=>
zdyg-TuQaNodI{LvxZ?_3Z~xj{{N`g)?^nAd<-9c&uv3UXbuQn#+9flB>u6;Bypz-3
zX?6dta#oAq*&`Q=OTrFJ$8rL1bqsTgd9^3kVX8fyzdyaV?{TU1#GKqA$N%tvdZaA~
zp40Nh*44-4XVv)dL#h&gwXSZ9|8!X0eJjl5z_Y_ralp#`THc;hRYr8V5=4aPOcbrm
zc|j1=tK;$5LG_W=ZyuI+=Uc@k`L_}o|Gw2nWo7X4O&uq4+V0NhI}4YUHvfF{EgdHS
z)X|RCiC@aki7UzUmO;%Ws}hw-OGKd+|Kyx}(+KQ|O=l)m<a<qYPU;%Ct*|ZE+ukm3
z$$`Ov%uwe*G9Z$n=S|Iqrq3j=@BQg#6Kl-Iy~m(`r2M@mF341#6p_t)5B=3HMd^a#
zUd?H*!ZcpghC``iz{Rg%(xp9DC=}Y)A)Eq(7DHGo+jG86qHaI&dU7oSy^VH9CYdY^
z@ZU3Ybx=`ExWtch+K>6)b^!dd&iFTvDEIa&9RmYc8GpR?)QUY3tzd0?F?44a-SG*3
zIjqL@b4qVhdScIi=FcS8yWcgByx$3EUe%4Fs2tSm$ER0PG#nc*OnNalS8*4jl?ev9
zJ-OZu@i($CZMjZ`gz#*0vNB&?nV<8`<x(wv3qDu4aYrwv;kx>$qV(Nd$dBcUUoZTZ
ze5dw${&aq<eaoh|H=QipS-2Art^YlFa&O<U)|01{7Zjy%XFiNS`IK_7^@r2)8A;jS
zXuFD@_qE=BM%gb(FT{h-Dj$i*pHlX;6@QnzWyh5#yNe&{+}|kAKV;E$?9<mx#@~Hj
z9*TE-SNXp5@2x#Ql)ov(T}P#>Tc@5=?#;(rUy}bVe*FiE_%ng%UmsC=nra$mE)4m`
z2xV0XSPDXOi_Vdy;}b_WMyTU>>C(&PxvE*4slz=pbGRUqDqxYcKW-v)?$iDVkN>6I
z)jA+wHehW-*MD@AC&!1U<lfktmp{{b<6-%3_SzTn>j9vJ0ProTZE|vAeB5b0Ij*`=
zQ`m;vZ=0@V1fpaG{9vL(2*cGw!?Uw{+cKO052kJiPd7|UH+(dXZW*Sx)2DHKp~>{K
z@UsPVTPB7$_gj{^TiA<wV1#azjej5+oK5h2!*q3@nE`QO2wKB6e3u%cWmp0YkH;vF
zx~M<nj@Zr~<G=fYdPUo?NB?3-d(E1#f#G{4ObNo2mVl%}x9nt*<jMAokc5E1B(DuY
zZL|T}K*yaBx&sz<!wq%MAUHgTX$Y4Y&e%1H#gyG<;OXn!>Kl387ZNLuZ4h95FHDds
z5!wMQ&eUD3Z3!K0VnK(N4@enUH!wUx$~Qb9MO<43I7@EAjD>#7Ng?wM-@%|vL>4%E
zCfLlp#gJ`lnubqWw?o59bxBV_2~31o*VS1C$+fB*kia8rfPG+G){^|$Z`~w3GKp#5
zLAr%ibeN#)>8@crdSDtsm8BjsgF_>hODte;!?JXj^zZ6{T}nB?BlD28RRazY;5TgH
zg1^`~s2ZCQfI5!-Uc&R<{L{Zux|)~aHZMJq%Xi?C%iWLPfwZOBd-2<!K2ty4Qwaa7
z*+v;lm6rO&u72CLTnI+Ul$MhYs0$WIJ@eTRaL>=_2%BAQKe|5FFNXWYP`O&Iyo+i&
zB_o<ld4HmIT>G5b+pDwPf(14_wCuT-cT0T7u-X$pz9L`0xlx%YH}0z+J3669ad$=S
z?P3j0TY<Ugd%Mm1P4=IwN@gh%z<izE*=S+9KSsJyQ(l}wnxW0h-^g>~ad{9}!VMhH
z3O(UDt`mB3VM%^4{{DmN(avLyg?bIl>|Bf%qWSoxC3$PS?LqYh?CI~Gbqj`#FXPfb
zZ1)Fde>l9eF<mWF&%ScK^}SE11*r#HR|4#GxiU4qkihT6cdW=?S&MmF;^ybn;<dg{
zQGo?SYXq)i`?zrlQOA$FXVk4tatJ8TYghuI4i6Z}hDEW39|OZG5e<XpTCh}VOoKev
z@_3A8N50Q)mp0jwq!3&17~vU+w1TI>=7o-k0fJ4Cau8vB*GQ~AFzm>3iSOjPMoM=)
z<^aB5g6jxg4^aVL?CYM5i%lbRE3_i4%44&3jR=!P)C#}|3$>NWxW0ji4lm|)L%0}L
z2$D!zw#TEukN+?Vutb0uN-{ZUBbULXOGe++MFtO1a;Tp#YXi`c>^2B=1TWSk&rX|-
z!^rvwZofoCb!f+L>UOBR6g8kRp}U^p9U6i9m~9~t8yv`yXo!LvCV>V5E@t`I*g#B2
z@N;!6ZtIS~qwCNxumtp&A(vDWCKN3S)}$89CY!j4RYviXqyrHmPh@C_lXQX<<L2!e
zvK<13%%!ogTrDS-TB|JS<JB_!uU4Nx-_F{x>Oy6<3L~eH@n4tJt?~bks+)GyXQNVO
zA&nli6uqBFsEi1k;IYA2*nnw5Um=?oc1~<q#KAT3)8pz@O*_$;09fIW8#3A=1eidT
z_!clfQUpwygtA=#P{NiN65{j%csm&mi0lZ(WT63D3STp&v9V*rpgG(Szgs3N)oQ|X
zzb)2nX-o5>;vpAcZv3!BewO+guaFq2ooE2ULSS@ZSA;KMqh)S=Ja|yCWkI_Zsou88
zc7PQ2d-xkWo^HE|7el+c4Hv*lNQ{!Ljh6(h2`B_GPb1GKivT4?jb3|c#Mp3;r4kQx
z0iKhF4&LhyC3>8UUqPA@JHzUY6sxwz^Pg64YKBOChzZXxvGu3U2GC)hv@9$YQYC@F
zN#61m?tr%t8&`{90w#3Nvd}a0oLM;Q-7|v7qdUH^5-T(jIH7T1MR2?X6ySs%pT<%Y
z1jd+46WK%vWMB7TBQ9X{U>&-j*c_bK(|u+Ek;&ri$x7~$&=UA!$gz^pVh1oh5EY(X
z0>)%JNpMXzL6dnFtenKt$P^QoV`dOiF$GpYG!nz*t4-1iVuDi;N;hzyro5Ef@q42Q
zyGSXdsZ<6jBL_R8S%gyR7Kj_vgZQAszLHx+7wjZFkfIBxmLv!T8a7xgi@Q`!NyES+
z^+Aq7`3C(_y1xfM%0;Ngbsv5s_+@zsy*q$&;Xqm{Ij4NFNNJ5!_;9Z9VH^@(`(THJ
z1Np-DM)NpJU~bDisJ_<Lv5)EG+jIGL(D{?p^<phMZ2b2})(#sj95$9N?fppvxU~1D
z`~RiA|I*%%V0UTnzqI#bW4yHYCsmyfu=i7e{ov|h^?$Uhwx9R~Di*j>%^|P7jE^PS
z%i7EMg7S6R><hgp-6GtcU!mpdB!6+ZcD=BDq0;{9psMz@?uyipU$`8I<PGIO%1<b_
zrOd>^Nk~VMLs<;pqau{n1CcJF_GBS*Mowcm9@V96t^rXBMl~R6IlVzkS=NTSpnG0j
zuzt~LIID8?N6@i@NYN#ui%J>4qzW7#XptP-oU$Q5q*N?pn7Gd#lk8KJoJqGtwGk2j
z#gzI$6ZJJ3fhw6jl;-S|@1id~dNV<n^M0?i0VM#$874CFG!qQDMad9lLA(rfBfuep
z&Sp4ZICK(q9Rkiru@zNLhj1K3&W>^<-`hsOD$r?lOu{LK<`F9>_d#aErmCQeY9AhP
z0}X^Emf8B<l)6i50)|9<B&TkP7{T1+FiS!rwPp@+n4xvjN1QQ8PlPSXwWL{(bVx@Y
z8|NwH-DxS3s&!N~#mXp!k|m&Kk=8!BZLVv`f{3ILB;_bvz#Z5ukThFdTXpanWMN{E
zB}BoK=mk_sM9Z2)@zXvu;u9_)1ND3WftvsC5?w@~R8v%=1<Nc@Kh8$)BN5Jlu{Evk
zh@U#5ej+Z;sC`WenhZF=@k%IL*kmZA5*$8J;!O@0C@4|sS%`?dl76JHOmQf)W9a~;
zTBr@DGUyN&REtn4zzvF7G!hTz&1QFM;sv;7lnrrc1eIRF_Q&jiYDkBF7mCTaA;N!#
z7aYzqPSzR00vRiG`z~fal*z*K5P&HwY}oOuN7TFGu1GC58KWTLVm4oxeNZ%U4n^ZT
zi=oHS02vw4KqZ6C9S3JJMVJyphx0HZ7S47gW!7f28204rLl{mwi#iT(B8*T+xsD?n
zZqAQzbQ%tH2Q?xm-WjP|nnZy~TeiS-5hb<s^Q6QOik*lNC1?m11gbOug(t)X)F49=
z2!~00ZgAlHU>U$7Jdl^rD|iRKOW->J4KtFGId&dEgwi4)Bql(HwT^Q<fBQfI%M&Q-
zB~dGD*91>u4HZlL0AVg9$N(fQ1_&}BX>lszaj+$B={>?QDF;;wzaKFG8s?8FV1)I6
zszSgP1&}gZhiZ}~1byG&#VC$0UKlU3YQhIahrr*N=^$&@M4%B(u1}({ZQzpwsW8e^
zoV6Q=6Kf<2SS6!?UE?8bvT@X+lST!>{UJ_%iM63)Z3tCDe21z$@ylOOyV}a7iPHFF
z@*xULvq7O+>v=;V0v|1cnyTQ%=o1;y<}Y8k;kT&6LeYy(i3)t=+N4nIPOt|u9h%^B
zD5k<na8c`Mo@XBKV;!jBaJ<dhOh5}8lt;UP?Qw{K^&uv3mCeRZgbEE9Ll{Jz1IFM-
zA=n3x)KGj`Cqssd4l><CBNn!45(R*JPGq6(#3{(yO*V~MvR=js`-(?ilb9atf_hPf
zA}|q3+44}mOiGn-{h44<cfhnmK*D^es%b$IY{fi`3u|yJWDY_H|5R249Yl1ta|(98
pO9GLJr_Dyj5O(Q}4<}0^mO7=n@xyiXQ}`6#$)CbIpPp6w{tv?nT&e&7

diff --git a/server/prisma/schema.prisma b/server/prisma/schema.prisma
index 1a21149..dc7ffde 100644
--- a/server/prisma/schema.prisma
+++ b/server/prisma/schema.prisma
@@ -91,6 +91,7 @@ model User {
   reviews Review[]
   orderMessageReadStates UserOrderMessageReadState[]
   oauthAccounts OAuthAccount[]
+  pendingEmails PendingEmail[]
   notificationPreference NotificationPreference?
   notificationLogs NotificationLog[]
 }
@@ -261,6 +262,20 @@ model OAuthAccount {
   @@index([userId])
 }
 
+model PendingEmail {
+  id        String   @id @default(cuid())
+  userId    String
+  email     String
+  token     String   @unique
+  expiresAt DateTime
+  createdAt DateTime @default(now())
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([token])
+  @@index([userId])
+}
+
 model AuthCode {
   id        String   @id @default(cuid())
   email     String
diff --git a/server/src/routes/auth-session.js b/server/src/routes/auth-session.js
index 636f712..e12dabc 100644
--- a/server/src/routes/auth-session.js
+++ b/server/src/routes/auth-session.js
@@ -1,3 +1,5 @@
+import crypto from 'node:crypto'
+import { normalizeEmail } from '../lib/auth.js'
 import { prisma } from '../lib/prisma.js'
 import { mapUserForClient } from './auth.js'
 
@@ -26,4 +28,54 @@ export async function registerAuthSessionRoutes(fastify) {
       ],
     }
   })
+
+  fastify.patch('/api/me/email', { preHandler: [fastify.authenticate] }, async (request, reply) => {
+    const userId = request.user.sub
+    const rawEmail = typeof request.body?.email === 'string' ? request.body.email.trim() : ''
+
+    if (!rawEmail || !rawEmail.includes('@')) {
+      return reply.code(400).send({ error: 'Некорректная почта' })
+    }
+
+    const email = normalizeEmail(rawEmail)
+
+    const existing = await prisma.user.findUnique({ where: { email } })
+    if (existing && existing.id !== userId) {
+      return reply.code(409).send({ error: 'Эта почта уже используется' })
+    }
+
+    await prisma.pendingEmail.deleteMany({ where: { userId } })
+
+    const token = crypto.randomUUID()
+    const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000)
+
+    await prisma.pendingEmail.create({
+      data: { userId, email, token, expiresAt },
+    })
+
+    return { verificationUrl: `/api/me/verify-email?token=${token}` }
+  })
+
+  fastify.get('/api/me/verify-email', async (request, reply) => {
+    const token = typeof request.query?.token === 'string' ? request.query.token : ''
+
+    if (!token) {
+      return reply.code(400).send({ error: 'Отсутствует токен подтверждения' })
+    }
+
+    const pending = await prisma.pendingEmail.findUnique({ where: { token } })
+    if (!pending || pending.expiresAt < new Date()) {
+      return reply.code(400).send({ error: 'Токен подтверждения недействителен или истёк' })
+    }
+
+    await prisma.user.update({
+      where: { id: pending.userId },
+      data: { email: pending.email },
+    })
+
+    await prisma.pendingEmail.delete({ where: { id: pending.id } })
+
+    const clientUrl = (process.env.CLIENT_PUBLIC_URL || 'http://127.0.0.1:5173').replace(/\/$/, '')
+    return reply.redirect(`${clientUrl}/me?emailVerified=1`)
+  })
 }
diff --git a/server/src/routes/oauth-social.js b/server/src/routes/oauth-social.js
index 5e6137e..faf74b3 100644
--- a/server/src/routes/oauth-social.js
+++ b/server/src/routes/oauth-social.js
@@ -69,7 +69,6 @@ async function findOrCreateUserFromOAuth({ provider, providerUserId, accessToken
   const norm = trimmed ? normalizeEmail(trimmed) : null
 
   if (linkToUserId) {
-    if (!norm) return null
     await prisma.oAuthAccount.create({
       data: { provider, providerUserId: String(providerUserId), userId: linkToUserId, accessToken },
     })
@@ -84,13 +83,13 @@ async function findOrCreateUserFromOAuth({ provider, providerUserId, accessToken
     return user
   }
 
-  if (!norm) return null
+  const email = norm || `${provider}_${providerUserId}@vk.local`
 
   user = await prisma.user.create({
     data: {
-      email: norm,
-      displayName: norm.split('@')[0],
-      avatar: await generateAvatar(norm),
+      email,
+      displayName: norm ? norm.split('@')[0] : 'Пользователь',
+      avatar: await generateAvatar(email),
       avatarStyle: 'avataaars',
     },
   })
@@ -206,7 +205,6 @@ export async function registerOAuthSocialRoutes(fastify) {
     const emailSuggestion = claims?.email ?? tokenBody?.email ?? null
 
     if (!vkUserId) return oauthErrorRedirect(reply, 'no_user_id')
-    if (!emailSuggestion) return oauthErrorRedirect(reply, 'no_email')
 
     const linkToUserId = pkceEntry.meta?.action === 'link' ? pkceEntry.meta.userId : undefined
 
@@ -218,8 +216,6 @@ export async function registerOAuthSocialRoutes(fastify) {
       linkToUserId,
     })
 
-    if (!user) return oauthErrorRedirect(reply, 'Не удалось получить email от VK')
-
     if (linkToUserId) {
       const base = process.env.CLIENT_PUBLIC_URL || 'http://127.0.0.1:5173'
       return reply.redirect(`${base.replace(/\/$/, '')}/me?linked=vk`)