juljanblischke · juljanblischke · Jan 20, 2026 · Jan 20, 2026
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -2,12 +2,12 @@ name: Backend CI
 
 on:
   push:
-    branches: [main, develop]
+    branches: [main]
     paths:
       - 'backend/**'
       - '.github/workflows/backend.yml'
   pull_request:
-    branches: [main, develop]
+    branches: [main]
     paths:
       - 'backend/**'
       - '.github/workflows/backend.yml'

diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
@@ -2,12 +2,12 @@ name: Frontend CI
 
 on:
   push:
-    branches: [main, develop]
+    branches: [main]
     paths:
       - 'frontend/**'
       - '.github/workflows/frontend.yml'
   pull_request:
-    branches: [main, develop]
+    branches: [main]
     paths:
       - 'frontend/**'
       - '.github/workflows/frontend.yml'

diff --git a/backend/src/ExoAuth.Api/Controllers/AuthController.cs b/backend/src/ExoAuth.Api/Controllers/AuthController.cs
@@ -17,8 +17,6 @@
 using ExoAuth.Application.Features.Auth.Commands.DenyDevice;
 using ExoAuth.Application.Features.Auth.Commands.ResendDeviceApproval;
 using ExoAuth.Application.Features.Auth.Commands.ResendPasswordReset;
-using ExoAuth.Application.Features.Auth.Commands.RequestMagicLink;
-using ExoAuth.Application.Features.Auth.Commands.LoginWithMagicLink;
 using ExoAuth.Application.Features.Auth.Models;
 using ExoAuth.Application.Features.Auth.Queries.GetCurrentUser;
 using ExoAuth.Application.Features.Auth.Queries.GetDevices;
@@ -314,55 +312,6 @@ public async Task<IActionResult> ResetPassword(ResetPasswordRequest request, Can
         return ApiOk(result);
     }
 
-    /// <summary>
-    /// Request a magic link email for passwordless login.
-    /// </summary>
-    [HttpPost("magic-link/request")]
-    [RateLimit("forgot-password")]
-    [ProducesResponseType(typeof(RequestMagicLinkResponse), StatusCodes.Status200OK)]
-    public async Task<IActionResult> RequestMagicLink(RequestMagicLinkRequest request, CancellationToken ct)
-    {
-        var command = new RequestMagicLinkCommand(
-            request.Email,
-            request.CaptchaToken,
-            HttpContext.Connection.RemoteIpAddress?.ToString()
-        );
-
-        var result = await Mediator.Send(command, ct);
-
-        return ApiOk(result);
-    }
-
-    /// <summary>
-    /// Login with magic link token.
-    /// </summary>
-    [HttpPost("magic-link/login")]
-    [RateLimit("sensitive")]
-    [ProducesResponseType(typeof(AuthResponse), StatusCodes.Status200OK)]
-    [ProducesResponseType(StatusCodes.Status400BadRequest)]
-    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
-    public async Task<IActionResult> MagicLinkLogin(MagicLinkLoginRequest request, CancellationToken ct)
-    {
-        var command = new LoginWithMagicLinkCommand(
-            request.Token,
-            request.DeviceId,
-            request.DeviceFingerprint,
-            Request.Headers.UserAgent.ToString(),
-            HttpContext.Connection.RemoteIpAddress?.ToString(),
-            request.RememberMe
-        );
-
-        var result = await Mediator.Send(command, ct);
-
-        // Only set cookies when login is complete (not during MFA or device approval flow)
-        if (!result.MfaRequired && !result.MfaSetupRequired && !result.DeviceApprovalRequired)
-        {
-            SetAuthCookies(result.AccessToken!, result.RefreshToken!);
-        }
-
-        return ApiOk(result);
-    }
-
     #region Devices
 
     /// <summary>
@@ -864,18 +813,6 @@ public sealed record ResetPasswordRequest(
     string NewPassword
 );
 
-public sealed record RequestMagicLinkRequest(
-    string Email,
-    string? CaptchaToken = null
-);
-
-public sealed record MagicLinkLoginRequest(
-    string Token,
-    string? DeviceId = null,
-    string? DeviceFingerprint = null,
-    bool RememberMe = false
-);
-
 public sealed record MfaSetupRequest(
     string? SetupToken = null
 );

diff --git a/backend/src/ExoAuth.Api/ExoAuth.Api.csproj b/backend/src/ExoAuth.Api/ExoAuth.Api.csproj
@@ -4,8 +4,6 @@
     <TargetFramework>net8.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
-    <GenerateDocumentationFile>true</GenerateDocumentationFile>
-    <NoWarn>$(NoWarn);1591</NoWarn>
   </PropertyGroup>
 
   <ItemGroup>

diff --git a/backend/src/ExoAuth.Api/Extensions/ServiceCollectionExtensions.cs b/backend/src/ExoAuth.Api/Extensions/ServiceCollectionExtensions.cs
@@ -1,4 +1,3 @@
-using System.Reflection;
 using System.Text;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.IdentityModel.Tokens;
@@ -19,11 +18,6 @@ public static IServiceCollection AddSwaggerConfiguration(this IServiceCollection
                 Description = "Authentication and Authorization API"
             });
 
-            // Include XML documentation
-            var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
-            var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
-            options.IncludeXmlComments(xmlPath, includeControllerXmlComments: true);
-
             options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
             {
                 Name = "Authorization",

diff --git a/backend/src/ExoAuth.Api/appsettings.Development.json b/backend/src/ExoAuth.Api/appsettings.Development.json
@@ -17,7 +17,7 @@
     "Secure": false
   },
   "Captcha": {
-    "Enabled": false
+    "Enabled": true
   },
   "Serilog": {
     "MinimumLevel": {

diff --git a/backend/src/ExoAuth.Api/appsettings.json b/backend/src/ExoAuth.Api/appsettings.json
@@ -19,6 +19,16 @@
     "RefreshTokenExpirationDays": 7,
     "RememberMeExpirationDays": 30
   },
+  "Email": {
+    "Provider": "SMTP",
+    "SmtpHost": "smtp.example.com",
+    "SmtpPort": 587,
+    "SmtpUsername": "",
+    "SmtpPassword": "",
+    "SmtpUseSsl": true,
+    "FromEmail": "noreply@exoauth.com",
+    "FromName": "ExoAuth"
+  },
   "SystemInvite": {
     "ExpirationHours": 24,
     "BaseUrl": "http://localhost:5173"

diff --git a/backend/src/ExoAuth.Application/Common/Exceptions/AuthException.cs b/backend/src/ExoAuth.Application/Common/Exceptions/AuthException.cs
@@ -494,14 +494,3 @@ public CaptchaExpiredException()
     {
     }
 }
-
-/// <summary>
-/// Exception when magic link token is invalid.
-/// </summary>
-public sealed class MagicLinkTokenInvalidException : AuthException
-{
-    public MagicLinkTokenInvalidException()
-        : base("MAGIC_LINK_TOKEN_INVALID", "Invalid or expired magic link token", 400)
-    {
-    }
-}
diff --git a/backend/src/ExoAuth.Application/Common/Interfaces/IAppDbContext.cs b/backend/src/ExoAuth.Application/Common/Interfaces/IAppDbContext.cs
@@ -15,7 +15,6 @@ public interface IAppDbContext
     DbSet<SystemInvite> SystemInvites { get; }
     DbSet<RefreshToken> RefreshTokens { get; }
     DbSet<PasswordResetToken> PasswordResetTokens { get; }
-    DbSet<MagicLinkToken> MagicLinkTokens { get; }
     DbSet<MfaBackupCode> MfaBackupCodes { get; }
     DbSet<LoginPattern> LoginPatterns { get; }
     DbSet<Device> Devices { get; }

diff --git a/backend/src/ExoAuth.Application/Common/Interfaces/IAuditService.cs b/backend/src/ExoAuth.Application/Common/Interfaces/IAuditService.cs
@@ -79,11 +79,6 @@ public static class AuditActions
     public const string PasswordResetCompleted = "system.password.reset_completed";
     public const string PasswordChanged = "system.password.changed";
 
-    // Magic link actions
-    public const string MagicLinkRequested = "system.magic_link.requested";
-    public const string MagicLinkLogin = "system.magic_link.login";
-    public const string MagicLinkLoginFailed = "system.magic_link.login_failed";
-
     // Session actions
     public const string SessionCreated = "system.session.created";
     public const string SessionRevoked = "system.session.revoked";

diff --git a/backend/src/ExoAuth.Application/Common/Interfaces/IEmailService.cs b/backend/src/ExoAuth.Application/Common/Interfaces/IEmailService.cs
@@ -58,23 +58,6 @@ Task SendPasswordResetAsync(
         string language = "en-US",
         CancellationToken cancellationToken = default);
 
-    /// <summary>
-    /// Sends a magic link email for passwordless login.
-    /// </summary>
-    /// <param name="email">The recipient email address.</param>
-    /// <param name="firstName">The recipient's first name.</param>
-    /// <param name="magicLinkToken">The magic link token for authentication.</param>
-    /// <param name="userId">The user ID for tracking.</param>
-    /// <param name="language">The language for the template (default: "en-US").</param>
-    /// <param name="cancellationToken">Cancellation token.</param>
-    Task SendMagicLinkAsync(
-        string email,
-        string firstName,
-        string magicLinkToken,
-        Guid userId,
-        string language = "en-US",
-        CancellationToken cancellationToken = default);
-
     /// <summary>
     /// Sends a password changed confirmation email.
     /// </summary>

diff --git a/backend/src/ExoAuth.Application/Common/Interfaces/IMagicLinkService.cs b/backend/src/ExoAuth.Application/Common/Interfaces/IMagicLinkService.cs
diff --git a/...xoAuth.Application/Features/Auth/Commands/LoginWithMagicLink/LoginWithMagicLinkCommand.cs b/...xoAuth.Application/Features/Auth/Commands/LoginWithMagicLink/LoginWithMagicLinkCommand.cs