From b2bf3aaf669429d916e62824f2aa922a3ecca78c Mon Sep 17 00:00:00 2001
From: Eliezer Steinbock <3090527+elie222@users.noreply.github.com>
Date: Fri, 2 Jan 2026 00:43:41 +0200
Subject: [PATCH 1/3] feat: handle invalid_grant errors with reconnection
 emails

---
 .../migration.sql                             |   2 +
 apps/web/prisma/schema.prisma                 |   1 +
 apps/web/utils/auth.test.ts                   |  91 ++++++++++-
 apps/web/utils/auth.ts                        |  37 +++--
 .../utils/auth/cleanup-invalid-tokens.test.ts | 104 +++++++++++++
 apps/web/utils/auth/cleanup-invalid-tokens.ts |  60 +++++++-
 apps/web/utils/email/reply-all.test.ts        |   6 +-
 apps/web/utils/email/reply-all.ts             |   4 +-
 apps/web/utils/email/watch-manager.ts         |   2 +
 apps/web/utils/error-messages/index.ts        |   1 +
 .../webhook/validate-webhook-account.test.ts  |  26 +++-
 .../utils/webhook/validate-webhook-account.ts |   6 +
 packages/resend/emails/reconnection.tsx       | 145 ++++++++++++++++++
 packages/resend/src/send.tsx                  |  30 ++++
 14 files changed, 496 insertions(+), 19 deletions(-)
 create mode 100644 apps/web/prisma/migrations/20260101221942_account_disconnected_at/migration.sql
 create mode 100644 apps/web/utils/auth/cleanup-invalid-tokens.test.ts
 create mode 100644 packages/resend/emails/reconnection.tsx

diff --git a/apps/web/prisma/migrations/20260101221942_account_disconnected_at/migration.sql b/apps/web/prisma/migrations/20260101221942_account_disconnected_at/migration.sql
new file mode 100644
index 0000000000..8b56b76964
--- /dev/null
+++ b/apps/web/prisma/migrations/20260101221942_account_disconnected_at/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Account" ADD COLUMN     "disconnectedAt" TIMESTAMP(3);
diff --git a/apps/web/prisma/schema.prisma b/apps/web/prisma/schema.prisma
index f5047bcea3..3cd1d88e14 100644
--- a/apps/web/prisma/schema.prisma
+++ b/apps/web/prisma/schema.prisma
@@ -25,6 +25,7 @@ model Account {
   refreshTokenExpiresAt DateTime?
   access_token          String?       @db.Text
   expires_at            DateTime?     @default(now())
+  disconnectedAt        DateTime? // When OAuth tokens were invalidated (password change, revoked access)
   token_type            String?
   scope                 String?
   id_token              String?       @db.Text
diff --git a/apps/web/utils/auth.test.ts b/apps/web/utils/auth.test.ts
index f8dc2ac0cc..09dd49754a 100644
--- a/apps/web/utils/auth.test.ts
+++ b/apps/web/utils/auth.test.ts
@@ -2,10 +2,30 @@ import { describe, it, expect, vi, beforeEach } from "vitest";
 import { cookies } from "next/headers";
 import { createReferral } from "@/utils/referral/referral-code";
 import { captureException } from "@/utils/error";
-import { handleReferralOnSignUp } from "@/utils/auth";
+import { handleReferralOnSignUp, saveTokens } from "@/utils/auth";
+import prisma from "@/utils/__mocks__/prisma";
+import { clearUserErrorMessages } from "@/utils/error-messages";
 
-// Mock the dependencies
 vi.mock("server-only", () => ({}));
+vi.mock("@/utils/prisma");
+vi.mock("@/utils/error-messages", () => ({
+  addUserErrorMessage: vi.fn(),
+  clearUserErrorMessages: vi.fn(),
+  ErrorType: {
+    ACCOUNT_DISCONNECTED: "Account disconnected",
+  },
+}));
+vi.mock("@googleapis/people", () => ({
+  people: vi.fn(),
+}));
+vi.mock("@googleapis/gmail", () => ({
+  auth: {
+    OAuth2: vi.fn(),
+  },
+}));
+vi.mock("@/utils/encryption", () => ({
+  encryptToken: vi.fn((t) => t),
+}));
 
 vi.mock("next/headers", () => ({
   cookies: vi.fn(),
@@ -19,8 +39,6 @@ vi.mock("@/utils/error", () => ({
   captureException: vi.fn(),
 }));
 
-// Import the real function from auth.ts for testing
-
 describe("handleReferralOnSignUp", () => {
   const mockCookies = vi.mocked(cookies);
   const mockCreateReferral = vi.mocked(createReferral);
@@ -94,3 +112,68 @@ describe("handleReferralOnSignUp", () => {
     expect(mockCreateReferral).not.toHaveBeenCalled();
   });
 });
+
+describe("saveTokens", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("clears disconnectedAt and error messages when saving tokens via emailAccountId", async () => {
+    prisma.emailAccount.update.mockResolvedValue({ userId: "user_1" } as any);
+
+    await saveTokens({
+      emailAccountId: "ea_1",
+      tokens: {
+        access_token: "new-access",
+        refresh_token: "new-refresh",
+        expires_at: 123_456_789,
+      },
+      accountRefreshToken: null,
+      provider: "google",
+    });
+
+    expect(prisma.emailAccount.update).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: { id: "ea_1" },
+        data: expect.objectContaining({
+          account: {
+            update: expect.objectContaining({
+              disconnectedAt: null,
+            }),
+          },
+        }),
+      }),
+    );
+    expect(clearUserErrorMessages).toHaveBeenCalledWith({ userId: "user_1" });
+  });
+
+  it("clears disconnectedAt and error messages when saving tokens via providerAccountId", async () => {
+    prisma.account.update.mockResolvedValue({ userId: "user_1" } as any);
+
+    await saveTokens({
+      providerAccountId: "pa_1",
+      tokens: {
+        access_token: "new-access",
+        refresh_token: "new-refresh",
+        expires_at: 123_456_789,
+      },
+      accountRefreshToken: null,
+      provider: "google",
+    });
+
+    expect(prisma.account.update).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: expect.objectContaining({
+          provider_providerAccountId: {
+            provider: "google",
+            providerAccountId: "pa_1",
+          },
+        }),
+        data: expect.objectContaining({
+          disconnectedAt: null,
+        }),
+      }),
+    );
+    expect(clearUserErrorMessages).toHaveBeenCalledWith({ userId: "user_1" });
+  });
+});
diff --git a/apps/web/utils/auth.ts b/apps/web/utils/auth.ts
index 8295e6b544..c7c3ab0ebe 100644
--- a/apps/web/utils/auth.ts
+++ b/apps/web/utils/auth.ts
@@ -25,6 +25,7 @@ import {
   claimPendingPremiumInvite,
   updateAccountSeats,
 } from "@/utils/premium/server";
+import { clearUserErrorMessages } from "@/utils/error-messages";
 import prisma from "@/utils/prisma";
 
 const logger = createScopedLogger("auth");
@@ -402,14 +403,22 @@ async function handleLinkAccount(account: Account) {
       image: primaryPhotoUrl,
     };
 
-    await prisma.emailAccount.upsert({
-      where: { email: profileData?.email },
-      update: data,
-      create: {
-        ...data,
-        email: primaryEmail,
-      },
-    });
+    await prisma.$transaction([
+      prisma.emailAccount.upsert({
+        where: { email: profileData?.email },
+        update: data,
+        create: {
+          ...data,
+          email: primaryEmail,
+        },
+      }),
+      prisma.account.update({
+        where: { id: account.id },
+        data: { disconnectedAt: null },
+      }),
+    ]);
+
+    await clearUserErrorMessages({ userId: account.userId });
 
     // Handle premium account seats
     await updateAccountSeats({ userId: account.userId }).catch((error) => {
@@ -475,6 +484,7 @@ export async function saveTokens({
     access_token: tokens.access_token,
     expires_at: tokens.expires_at ? new Date(tokens.expires_at * 1000) : null,
     refresh_token: refreshToken,
+    disconnectedAt: null,
   };
 
   if (emailAccountId) {
@@ -486,10 +496,13 @@ export async function saveTokens({
     if (data.refresh_token)
       data.refresh_token = encryptToken(data.refresh_token) || "";
 
-    await prisma.emailAccount.update({
+    const emailAccount = await prisma.emailAccount.update({
       where: { id: emailAccountId },
       data: { account: { update: data } },
+      select: { userId: true },
     });
+
+    await clearUserErrorMessages({ userId: emailAccount.userId });
   } else {
     if (!providerAccountId) {
       logger.error("No providerAccountId found in database", {
@@ -501,7 +514,7 @@ export async function saveTokens({
       return;
     }
 
-    return await prisma.account.update({
+    const account = await prisma.account.update({
       where: {
         provider_providerAccountId: {
           provider,
@@ -510,6 +523,10 @@ export async function saveTokens({
       },
       data,
     });
+
+    await clearUserErrorMessages({ userId: account.userId });
+
+    return account;
   }
 }
 
diff --git a/apps/web/utils/auth/cleanup-invalid-tokens.test.ts b/apps/web/utils/auth/cleanup-invalid-tokens.test.ts
new file mode 100644
index 0000000000..752b3a28f7
--- /dev/null
+++ b/apps/web/utils/auth/cleanup-invalid-tokens.test.ts
@@ -0,0 +1,104 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import prisma from "@/utils/__mocks__/prisma";
+import { cleanupInvalidTokens } from "./cleanup-invalid-tokens";
+import { sendReconnectionEmail } from "@inboxzero/resend";
+import { createScopedLogger } from "@/utils/logger";
+import { addUserErrorMessage } from "@/utils/error-messages";
+
+vi.mock("@/utils/prisma");
+vi.mock("@inboxzero/resend", () => ({
+  sendReconnectionEmail: vi.fn(),
+}));
+vi.mock("@/utils/error-messages", () => ({
+  addUserErrorMessage: vi.fn(),
+  ErrorType: {
+    ACCOUNT_DISCONNECTED: "Account disconnected",
+  },
+}));
+vi.mock("@/utils/unsubscribe", () => ({
+  createUnsubscribeToken: vi.fn().mockResolvedValue("mock-token"),
+}));
+
+describe("cleanupInvalidTokens", () => {
+  const logger = createScopedLogger("test");
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  const mockEmailAccount = {
+    id: "ea_1",
+    email: "test@example.com",
+    accountId: "acc_1",
+    account: { disconnectedAt: null },
+    watchEmailsExpirationDate: new Date(Date.now() + 1000 * 60 * 60), // Valid expiration
+  };
+
+  it("marks account as disconnected and sends email on invalid_grant when account is watched", async () => {
+    prisma.emailAccount.findUnique.mockResolvedValue(mockEmailAccount as any);
+
+    await cleanupInvalidTokens({
+      emailAccountId: "ea_1",
+      reason: "invalid_grant",
+      logger,
+    });
+
+    expect(prisma.account.update).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: { id: "acc_1" },
+        data: expect.objectContaining({
+          disconnectedAt: expect.any(Date),
+        }),
+      }),
+    );
+    expect(sendReconnectionEmail).toHaveBeenCalled();
+    expect(addUserErrorMessage).toHaveBeenCalled();
+  });
+
+  it("marks as disconnected but skips email if account is not watched", async () => {
+    prisma.emailAccount.findUnique.mockResolvedValue({
+      ...mockEmailAccount,
+      watchEmailsExpirationDate: null,
+    } as any);
+
+    await cleanupInvalidTokens({
+      emailAccountId: "ea_1",
+      reason: "invalid_grant",
+      logger,
+    });
+
+    expect(prisma.account.update).toHaveBeenCalled();
+    expect(sendReconnectionEmail).not.toHaveBeenCalled();
+    expect(addUserErrorMessage).toHaveBeenCalled();
+  });
+
+  it("returns early if account is already disconnected", async () => {
+    prisma.emailAccount.findUnique.mockResolvedValue({
+      ...mockEmailAccount,
+      account: { disconnectedAt: new Date() },
+    } as any);
+
+    await cleanupInvalidTokens({
+      emailAccountId: "ea_1",
+      reason: "invalid_grant",
+      logger,
+    });
+
+    expect(prisma.account.update).not.toHaveBeenCalled();
+    expect(sendReconnectionEmail).not.toHaveBeenCalled();
+  });
+
+  it("does not send email for insufficient_permissions", async () => {
+    prisma.emailAccount.findUnique.mockResolvedValue(mockEmailAccount as any);
+
+    await cleanupInvalidTokens({
+      emailAccountId: "ea_1",
+      reason: "insufficient_permissions",
+      logger,
+    });
+
+    expect(prisma.account.update).toHaveBeenCalled();
+    expect(sendReconnectionEmail).not.toHaveBeenCalled();
+    expect(addUserErrorMessage).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/web/utils/auth/cleanup-invalid-tokens.ts b/apps/web/utils/auth/cleanup-invalid-tokens.ts
index 67360b36af..d18289764d 100644
--- a/apps/web/utils/auth/cleanup-invalid-tokens.ts
+++ b/apps/web/utils/auth/cleanup-invalid-tokens.ts
@@ -1,5 +1,9 @@
 import prisma from "@/utils/prisma";
 import type { Logger } from "@/utils/logger";
+import { sendReconnectionEmail } from "@inboxzero/resend";
+import { env } from "@/env";
+import { addUserErrorMessage, ErrorType } from "@/utils/error-messages";
+import { createUnsubscribeToken } from "@/utils/unsubscribe";
 
 /**
  * Cleans up invalid tokens when authentication fails permanently.
@@ -20,7 +24,17 @@ export async function cleanupInvalidTokens({
 
   const emailAccount = await prisma.emailAccount.findUnique({
     where: { id: emailAccountId },
-    select: { accountId: true },
+    select: {
+      id: true,
+      email: true,
+      accountId: true,
+      watchEmailsExpirationDate: true,
+      account: {
+        select: {
+          disconnectedAt: true,
+        },
+      },
+    },
   });
 
   if (!emailAccount) {
@@ -28,14 +42,58 @@ export async function cleanupInvalidTokens({
     return;
   }
 
+  if (emailAccount.account?.disconnectedAt) {
+    logger.info("Account already marked as disconnected");
+    return;
+  }
+
   await prisma.account.update({
     where: { id: emailAccount.accountId },
     data: {
       access_token: null,
       refresh_token: null,
       expires_at: null,
+      disconnectedAt: new Date(),
     },
   });
 
+  if (reason === "invalid_grant") {
+    const isWatched = !!emailAccount.watchEmailsExpirationDate;
+
+    if (isWatched) {
+      try {
+        const unsubscribeToken = await createUnsubscribeToken({
+          emailAccountId: emailAccount.id,
+        });
+
+        await sendReconnectionEmail({
+          from: env.RESEND_FROM_EMAIL,
+          to: emailAccount.email,
+          emailProps: {
+            baseUrl: env.NEXT_PUBLIC_BASE_URL,
+            email: emailAccount.email,
+            unsubscribeToken,
+          },
+        });
+        logger.info("Reconnection email sent", { email: emailAccount.email });
+      } catch (error) {
+        logger.error("Failed to send reconnection email", {
+          email: emailAccount.email,
+          error,
+        });
+      }
+    } else {
+      logger.info(
+        "Skipping reconnection email - account not currently watched",
+      );
+    }
+
+    await addUserErrorMessage(
+      emailAccount.email,
+      ErrorType.ACCOUNT_DISCONNECTED,
+      `The connection for ${emailAccount.email} was disconnected. Please reconnect your account to resume automation.`,
+    );
+  }
+
   logger.info("Tokens cleared - user must re-authenticate", { reason });
 }
diff --git a/apps/web/utils/email/reply-all.test.ts b/apps/web/utils/email/reply-all.test.ts
index 73327c73f5..75029fdf01 100644
--- a/apps/web/utils/email/reply-all.test.ts
+++ b/apps/web/utils/email/reply-all.test.ts
@@ -1,5 +1,9 @@
 import { describe, it, expect } from "vitest";
-import { buildReplyAllRecipients, formatCcList, mergeAndDedupeRecipients } from "./reply-all";
+import {
+  buildReplyAllRecipients,
+  formatCcList,
+  mergeAndDedupeRecipients,
+} from "./reply-all";
 import type { ParsedMessageHeaders } from "@/utils/types";
 
 describe("buildReplyAllRecipients", () => {
diff --git a/apps/web/utils/email/reply-all.ts b/apps/web/utils/email/reply-all.ts
index ee2db64f4f..6c70caf734 100644
--- a/apps/web/utils/email/reply-all.ts
+++ b/apps/web/utils/email/reply-all.ts
@@ -96,7 +96,9 @@ export function mergeAndDedupeRecipients(
   manual: string | undefined,
 ): string[] {
   const result = [...existing];
-  const seen = new Set(existing.map((e) => extractEmailAddress(e).toLowerCase()));
+  const seen = new Set(
+    existing.map((e) => extractEmailAddress(e).toLowerCase()),
+  );
 
   if (manual) {
     const manualEntries = manual
diff --git a/apps/web/utils/email/watch-manager.ts b/apps/web/utils/email/watch-manager.ts
index 606772b350..118ab9589d 100644
--- a/apps/web/utils/email/watch-manager.ts
+++ b/apps/web/utils/email/watch-manager.ts
@@ -37,6 +37,7 @@ async function getEmailAccountsToWatch(userIds: string[] | null) {
     where: {
       ...(userIds ? { userId: { in: userIds } } : {}),
       ...getPremiumUserFilter(),
+      account: { disconnectedAt: null },
     },
     select: {
       id: true,
@@ -49,6 +50,7 @@ async function getEmailAccountsToWatch(userIds: string[] | null) {
           access_token: true,
           refresh_token: true,
           expires_at: true,
+          disconnectedAt: true,
         },
       },
       user: {
diff --git a/apps/web/utils/error-messages/index.ts b/apps/web/utils/error-messages/index.ts
index 8dd0bf2865..5933fa70cc 100644
--- a/apps/web/utils/error-messages/index.ts
+++ b/apps/web/utils/error-messages/index.ts
@@ -66,4 +66,5 @@ export const ErrorType = {
   OPENAI_API_KEY_DEACTIVATED: "OpenAI API key deactivated",
   OPENAI_RETRY_ERROR: "OpenAI retry error",
   ANTHROPIC_INSUFFICIENT_BALANCE: "Anthropic insufficient balance",
+  ACCOUNT_DISCONNECTED: "Account disconnected",
 };
diff --git a/apps/web/utils/webhook/validate-webhook-account.test.ts b/apps/web/utils/webhook/validate-webhook-account.test.ts
index 7649e6c51c..6d1a282d48 100644
--- a/apps/web/utils/webhook/validate-webhook-account.test.ts
+++ b/apps/web/utils/webhook/validate-webhook-account.test.ts
@@ -6,7 +6,6 @@ import { createScopedLogger } from "@/utils/logger";
 
 const logger = createScopedLogger("test");
 
-// Mock dependencies
 vi.mock("@/utils/premium");
 vi.mock("@/app/api/watch/controller");
 vi.mock("@/utils/email/provider");
@@ -14,7 +13,6 @@ vi.mock("@/utils/email/watch-manager");
 vi.mock("@/utils/prisma");
 vi.mock("server-only", () => ({}));
 
-// Import mocked functions
 import { isPremium, hasAiAccess } from "@/utils/premium";
 import { unwatchEmails } from "@/utils/email/watch-manager";
 import { createEmailProvider } from "@/utils/email/provider";
@@ -48,6 +46,7 @@ describe("validateWebhookAccount", () => {
         access_token: "access-token",
         refresh_token: "refresh-token",
         expires_at: new Date(),
+        disconnectedAt: null,
       },
       rules: [
         {
@@ -97,6 +96,27 @@ describe("validateWebhookAccount", () => {
     });
   });
 
+  describe("when account is disconnected", () => {
+    it("should return failure with 200 OK early", async () => {
+      const emailAccount = createMockEmailAccount({
+        account: {
+          provider: "google",
+          access_token: "access-token",
+          refresh_token: "refresh-token",
+          expires_at: new Date(),
+          disconnectedAt: new Date(),
+        },
+      });
+
+      const result = await validateWebhookAccount(emailAccount, logger);
+
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        expect(await result.response.json()).toEqual({ ok: true });
+      }
+    });
+  });
+
   describe("when account is not premium", () => {
     it("should unwatch emails and return failure", async () => {
       const emailAccount = createMockEmailAccount({
@@ -181,6 +201,7 @@ describe("validateWebhookAccount", () => {
           access_token: null,
           refresh_token: "refresh-token",
           expires_at: new Date(),
+          disconnectedAt: null,
         },
       });
 
@@ -204,6 +225,7 @@ describe("validateWebhookAccount", () => {
           access_token: "access-token",
           refresh_token: null,
           expires_at: new Date(),
+          disconnectedAt: null,
         },
       });
 
diff --git a/apps/web/utils/webhook/validate-webhook-account.ts b/apps/web/utils/webhook/validate-webhook-account.ts
index f21d9ec3e4..7c2fe24223 100644
--- a/apps/web/utils/webhook/validate-webhook-account.ts
+++ b/apps/web/utils/webhook/validate-webhook-account.ts
@@ -29,6 +29,7 @@ export async function getWebhookEmailAccount(
           access_token: true,
           refresh_token: true,
           expires_at: true,
+          disconnectedAt: true,
         },
       },
       rules: {
@@ -123,6 +124,11 @@ export async function validateWebhookAccount(
     return { success: false, response: NextResponse.json({ ok: true }) };
   }
 
+  if (emailAccount.account?.disconnectedAt) {
+    logger.info("Skipping disconnected account");
+    return { success: false, response: NextResponse.json({ ok: true }) };
+  }
+
   const premium = env.NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS
     ? { tier: "BUSINESS_PLUS_ANNUALLY" as const }
     : isPremium(
diff --git a/packages/resend/emails/reconnection.tsx b/packages/resend/emails/reconnection.tsx
new file mode 100644
index 0000000000..9df8be649c
--- /dev/null
+++ b/packages/resend/emails/reconnection.tsx
@@ -0,0 +1,145 @@
+import {
+  Body,
+  Button,
+  Container,
+  Head,
+  Hr,
+  Html,
+  Img,
+  Link,
+  Section,
+  Tailwind,
+  Text,
+} from "@react-email/components";
+import type { FC } from "react";
+
+export type ReconnectionEmailProps = {
+  baseUrl: string;
+  email: string;
+  unsubscribeToken: string;
+};
+
+type ReconnectionEmailComponent = FC<ReconnectionEmailProps> & {
+  PreviewProps: ReconnectionEmailProps;
+};
+
+const ReconnectionEmail: ReconnectionEmailComponent = ({
+  baseUrl = "https://www.getinboxzero.com",
+  email,
+  unsubscribeToken,
+}: ReconnectionEmailProps) => {
+  const reconnectUrl = `${baseUrl}/accounts`;
+
+  return (
+    <Html>
+      <Head />
+      <Tailwind>
+        <Body className="bg-white font-sans">
+          <Container className="mx-auto w-full max-w-[600px] p-0">
+            {/* Header */}
+            <Section className="p-4 text-center">
+              <Link href={baseUrl} className="text-[15px]">
+                <Img
+                  src={"https://www.getinboxzero.com/icon.png"}
+                  width="40"
+                  height="40"
+                  alt="Inbox Zero"
+                  className="mx-auto my-0"
+                />
+              </Link>
+
+              <Text className="mx-0 mb-8 mt-4 p-0 text-center text-2xl font-normal">
+                <span className="font-semibold tracking-tighter">
+                  Inbox Zero
+                </span>
+              </Text>
+
+              <Text className="mx-0 mb-8 mt-0 p-0 text-center text-2xl font-normal text-gray-900">
+                Action Required: Your email account was disconnected
+              </Text>
+            </Section>
+
+            {/* Main Content */}
+            <Section className="px-4 pb-4">
+              <Text className="text-[16px] text-gray-700 mb-6 mt-0">Hi,</Text>
+
+              <Text className="text-[16px] text-gray-700 mb-6 mt-0">
+                The connection for <strong>{email}</strong> to Inbox Zero was
+                disconnected. This usually happens after a password change, if
+                access was revoked, or if your 6-month approval period has
+                expired.
+              </Text>
+
+              <Text className="text-[16px] text-gray-700 mb-8 mt-0">
+                Please reconnect your account to resume your automated email
+                rules and AI assistant features.
+              </Text>
+
+              {/* CTA Button */}
+              <Section className="text-center mb-8">
+                <Button
+                  href={reconnectUrl}
+                  className="bg-blue-600 text-white px-8 py-4 rounded-[8px] text-[16px] font-semibold no-underline box-border inline-block"
+                >
+                  Reconnect Now
+                </Button>
+              </Section>
+
+              <Text className="text-[14px] text-gray-500 mb-8 mt-0">
+                If you didn't expect this, it's likely a security measure from
+                your email provider. Reconnecting is safe and only takes a few
+                seconds.
+              </Text>
+            </Section>
+
+            {/* Footer */}
+            <Hr className="border-solid border-gray-200 my-6" />
+            <Footer baseUrl={baseUrl} unsubscribeToken={unsubscribeToken} />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default ReconnectionEmail;
+
+function Footer({
+  baseUrl,
+  unsubscribeToken,
+}: {
+  baseUrl: string;
+  unsubscribeToken: string;
+}) {
+  return (
+    <Section className="mt-8 text-center text-sm text-gray-500">
+      <Text className="m-0">
+        You're receiving this email because your email account is connected to
+        Inbox Zero.
+      </Text>
+      <div className="mt-2">
+        <Link
+          href={`${baseUrl}/api/unsubscribe?token=${unsubscribeToken}`}
+          className="text-gray-500 underline mr-4"
+        >
+          Unsubscribe
+        </Link>
+        <Link
+          href={`${baseUrl}/support`}
+          className="text-gray-500 underline mr-4"
+        >
+          Support
+        </Link>
+        <Link href={`${baseUrl}/privacy`} className="text-gray-500 underline">
+          Privacy Policy
+        </Link>
+      </div>
+    </Section>
+  );
+}
+
+ReconnectionEmail.PreviewProps = {
+  baseUrl: "https://www.getinboxzero.com",
+  email: "user@example.com",
+  unsubscribeToken: "preview-token-123",
+};
diff --git a/packages/resend/src/send.tsx b/packages/resend/src/send.tsx
index 1ed5dd369e..954f9a473b 100644
--- a/packages/resend/src/send.tsx
+++ b/packages/resend/src/send.tsx
@@ -10,6 +10,9 @@ import DigestEmail, {
 import InvitationEmail, {
   type InvitationEmailProps,
 } from "../emails/invitation";
+import ReconnectionEmail, {
+  type ReconnectionEmailProps,
+} from "../emails/reconnection";
 import MeetingBriefingEmail, {
   type MeetingBriefingEmailProps,
   generateMeetingBriefingSubject,
@@ -176,6 +179,33 @@ export const sendInvitationEmail = async ({
   });
 };
 
+export const sendReconnectionEmail = async ({
+  from,
+  to,
+  test,
+  emailProps,
+}: {
+  from: string;
+  to: string;
+  test?: boolean;
+  emailProps: ReconnectionEmailProps;
+}) => {
+  return sendEmail({
+    from,
+    to,
+    subject: `Reconnect your email account: ${emailProps.email}`,
+    react: <ReconnectionEmail {...emailProps} />,
+    test,
+    unsubscribeToken: emailProps.unsubscribeToken,
+    tags: [
+      {
+        name: "category",
+        value: "reconnection",
+      },
+    ],
+  });
+};
+
 export const sendMeetingBriefingEmail = async ({
   from,
   to,

From ebd93e7a6daa1f5e5e1020e0b247c7116c271ed5 Mon Sep 17 00:00:00 2001
From: Eliezer Steinbock <3090527+elie222@users.noreply.github.com>
Date: Fri, 2 Jan 2026 00:57:34 +0200
Subject: [PATCH 2/3] fixes

---
 .../meeting-briefs/generate-briefing.test.ts  |  6 +++++
 apps/web/utils/auth.test.ts                   |  4 ++--
 .../utils/auth/cleanup-invalid-tokens.test.ts | 15 +++++++++---
 apps/web/utils/auth/cleanup-invalid-tokens.ts |  3 ++-
 apps/web/utils/error-messages/index.ts        | 23 ++++++++++++------
 apps/web/utils/llms/index.ts                  | 19 +++++++++------
 .../meeting-briefs/recipient-context.test.ts  | 24 +++++++++----------
 packages/resend/emails/reconnection.tsx       |  2 +-
 8 files changed, 63 insertions(+), 33 deletions(-)

diff --git a/apps/web/utils/ai/meeting-briefs/generate-briefing.test.ts b/apps/web/utils/ai/meeting-briefs/generate-briefing.test.ts
index 19c3a299dc..5b803d1adc 100644
--- a/apps/web/utils/ai/meeting-briefs/generate-briefing.test.ts
+++ b/apps/web/utils/ai/meeting-briefs/generate-briefing.test.ts
@@ -2,6 +2,12 @@ import { describe, it, expect, vi } from "vitest";
 import type { MeetingBriefingData } from "@/utils/meeting-briefs/gather-context";
 
 vi.mock("server-only", () => ({}));
+vi.mock("@/env", () => ({
+  env: {
+    PERPLEXITY_API_KEY: "test-key",
+    DEFAULT_LLM_PROVIDER: "openai",
+  },
+}));
 vi.mock("@/utils/llms/model", () => ({ getModel: vi.fn() }));
 vi.mock("@/utils/llms", () => ({ createGenerateObject: vi.fn() }));
 vi.mock("@/utils/stringify-email", () => ({
diff --git a/apps/web/utils/auth.test.ts b/apps/web/utils/auth.test.ts
index 09dd49754a..cbd8bdefd1 100644
--- a/apps/web/utils/auth.test.ts
+++ b/apps/web/utils/auth.test.ts
@@ -9,8 +9,8 @@ import { clearUserErrorMessages } from "@/utils/error-messages";
 vi.mock("server-only", () => ({}));
 vi.mock("@/utils/prisma");
 vi.mock("@/utils/error-messages", () => ({
-  addUserErrorMessage: vi.fn(),
-  clearUserErrorMessages: vi.fn(),
+  addUserErrorMessage: vi.fn().mockResolvedValue(undefined),
+  clearUserErrorMessages: vi.fn().mockResolvedValue(undefined),
   ErrorType: {
     ACCOUNT_DISCONNECTED: "Account disconnected",
   },
diff --git a/apps/web/utils/auth/cleanup-invalid-tokens.test.ts b/apps/web/utils/auth/cleanup-invalid-tokens.test.ts
index 752b3a28f7..0403a804cf 100644
--- a/apps/web/utils/auth/cleanup-invalid-tokens.test.ts
+++ b/apps/web/utils/auth/cleanup-invalid-tokens.test.ts
@@ -10,7 +10,7 @@ vi.mock("@inboxzero/resend", () => ({
   sendReconnectionEmail: vi.fn(),
 }));
 vi.mock("@/utils/error-messages", () => ({
-  addUserErrorMessage: vi.fn(),
+  addUserErrorMessage: vi.fn().mockResolvedValue(undefined),
   ErrorType: {
     ACCOUNT_DISCONNECTED: "Account disconnected",
   },
@@ -30,6 +30,7 @@ describe("cleanupInvalidTokens", () => {
     id: "ea_1",
     email: "test@example.com",
     accountId: "acc_1",
+    userId: "user_1",
     account: { disconnectedAt: null },
     watchEmailsExpirationDate: new Date(Date.now() + 1000 * 60 * 60), // Valid expiration
   };
@@ -52,7 +53,11 @@ describe("cleanupInvalidTokens", () => {
       }),
     );
     expect(sendReconnectionEmail).toHaveBeenCalled();
-    expect(addUserErrorMessage).toHaveBeenCalled();
+    expect(addUserErrorMessage).toHaveBeenCalledWith(
+      "user_1",
+      "Account disconnected",
+      expect.stringContaining("test@example.com"),
+    );
   });
 
   it("marks as disconnected but skips email if account is not watched", async () => {
@@ -69,7 +74,11 @@ describe("cleanupInvalidTokens", () => {
 
     expect(prisma.account.update).toHaveBeenCalled();
     expect(sendReconnectionEmail).not.toHaveBeenCalled();
-    expect(addUserErrorMessage).toHaveBeenCalled();
+    expect(addUserErrorMessage).toHaveBeenCalledWith(
+      "user_1",
+      "Account disconnected",
+      expect.stringContaining("test@example.com"),
+    );
   });
 
   it("returns early if account is already disconnected", async () => {
diff --git a/apps/web/utils/auth/cleanup-invalid-tokens.ts b/apps/web/utils/auth/cleanup-invalid-tokens.ts
index d18289764d..0940d00bcc 100644
--- a/apps/web/utils/auth/cleanup-invalid-tokens.ts
+++ b/apps/web/utils/auth/cleanup-invalid-tokens.ts
@@ -28,6 +28,7 @@ export async function cleanupInvalidTokens({
       id: true,
       email: true,
       accountId: true,
+      userId: true,
       watchEmailsExpirationDate: true,
       account: {
         select: {
@@ -89,7 +90,7 @@ export async function cleanupInvalidTokens({
     }
 
     await addUserErrorMessage(
-      emailAccount.email,
+      emailAccount.userId,
       ErrorType.ACCOUNT_DISCONNECTED,
       `The connection for ${emailAccount.email} was disconnected. Please reconnect your account to resume automation.`,
     );
diff --git a/apps/web/utils/error-messages/index.ts b/apps/web/utils/error-messages/index.ts
index 5933fa70cc..4b373e1eea 100644
--- a/apps/web/utils/error-messages/index.ts
+++ b/apps/web/utils/error-messages/index.ts
@@ -1,5 +1,6 @@
 import prisma from "@/utils/prisma";
 import { createScopedLogger } from "@/utils/logger";
+import { captureException } from "@/utils/error";
 
 const logger = createScopedLogger("error-messages");
 
@@ -23,13 +24,13 @@ export async function getUserErrorMessages(
 }
 
 export async function addUserErrorMessage(
-  userEmail: string,
+  userId: string,
   errorType: (typeof ErrorType)[keyof typeof ErrorType],
   errorMessage: string,
 ): Promise<void> {
-  const user = await prisma.user.findUnique({ where: { email: userEmail } });
+  const user = await prisma.user.findUnique({ where: { id: userId } });
   if (!user) {
-    logger.warn("User not found", { userEmail });
+    logger.warn("User not found", { userId });
     return;
   }
 
@@ -54,10 +55,18 @@ export async function clearUserErrorMessages({
 }: {
   userId: string;
 }): Promise<void> {
-  await prisma.user.update({
-    where: { id: userId },
-    data: { errorMessages: {} },
-  });
+  try {
+    await prisma.user.update({
+      where: { id: userId },
+      data: { errorMessages: {} },
+    });
+  } catch (error) {
+    logger.error("Error clearing user error messages:", {
+      userId,
+      error,
+    });
+    captureException(error, { extra: { userId } });
+  }
 }
 
 export const ErrorType = {
diff --git a/apps/web/utils/llms/index.ts b/apps/web/utils/llms/index.ts
index 4bd1f765ed..06ea254c7b 100644
--- a/apps/web/utils/llms/index.ts
+++ b/apps/web/utils/llms/index.ts
@@ -48,7 +48,7 @@ export function createGenerateText({
   label,
   modelOptions,
 }: {
-  emailAccount: Pick<EmailAccountWithAI, "email" | "id">;
+  emailAccount: Pick<EmailAccountWithAI, "email" | "id" | "userId">;
   label: string;
   modelOptions: ReturnType<typeof getModel>;
 }): typeof generateText {
@@ -115,6 +115,7 @@ export function createGenerateText({
         } catch (backupError) {
           await handleError(
             backupError,
+            emailAccount.userId,
             emailAccount.email,
             emailAccount.id,
             label,
@@ -126,6 +127,7 @@ export function createGenerateText({
 
       await handleError(
         error,
+        emailAccount.userId,
         emailAccount.email,
         emailAccount.id,
         label,
@@ -141,7 +143,7 @@ export function createGenerateObject({
   label,
   modelOptions,
 }: {
-  emailAccount: Pick<EmailAccountWithAI, "email" | "id">;
+  emailAccount: Pick<EmailAccountWithAI, "email" | "id" | "userId">;
   label: string;
   modelOptions: ReturnType<typeof getModel>;
 }): typeof generateObject {
@@ -206,6 +208,7 @@ export function createGenerateObject({
     } catch (error) {
       await handleError(
         error,
+        emailAccount.userId,
         emailAccount.email,
         emailAccount.id,
         label,
@@ -295,6 +298,7 @@ export async function chatCompletionStream({
 
 async function handleError(
   error: unknown,
+  userId: string,
   userEmail: string,
   emailAccountId: string,
   label: string,
@@ -302,6 +306,7 @@ async function handleError(
 ) {
   logger.error("Error in LLM call", {
     error,
+    userId,
     userEmail,
     emailAccountId,
     label,
@@ -311,7 +316,7 @@ async function handleError(
   if (APICallError.isInstance(error)) {
     if (isIncorrectOpenAIAPIKeyError(error)) {
       return await addUserErrorMessage(
-        userEmail,
+        userId,
         ErrorType.INCORRECT_OPENAI_API_KEY,
         error.message,
       );
@@ -319,7 +324,7 @@ async function handleError(
 
     if (isInvalidOpenAIModelError(error)) {
       return await addUserErrorMessage(
-        userEmail,
+        userId,
         ErrorType.INVALID_OPENAI_MODEL,
         error.message,
       );
@@ -327,7 +332,7 @@ async function handleError(
 
     if (isOpenAIAPIKeyDeactivatedError(error)) {
       return await addUserErrorMessage(
-        userEmail,
+        userId,
         ErrorType.OPENAI_API_KEY_DEACTIVATED,
         error.message,
       );
@@ -335,7 +340,7 @@ async function handleError(
 
     if (RetryError.isInstance(error) && isOpenAIRetryError(error)) {
       return await addUserErrorMessage(
-        userEmail,
+        userId,
         ErrorType.OPENAI_RETRY_ERROR,
         error.message,
       );
@@ -343,7 +348,7 @@ async function handleError(
 
     if (isAnthropicInsufficientBalanceError(error)) {
       return await addUserErrorMessage(
-        userEmail,
+        userId,
         ErrorType.ANTHROPIC_INSUFFICIENT_BALANCE,
         error.message,
       );
diff --git a/apps/web/utils/meeting-briefs/recipient-context.test.ts b/apps/web/utils/meeting-briefs/recipient-context.test.ts
index 3200e5384b..5c8a688060 100644
--- a/apps/web/utils/meeting-briefs/recipient-context.test.ts
+++ b/apps/web/utils/meeting-briefs/recipient-context.test.ts
@@ -12,7 +12,7 @@ import type { Logger } from "@/utils/logger";
 vi.mock("@/utils/calendar/event-provider");
 vi.mock("@/utils/date", () => ({
   formatInUserTimezone: vi.fn((date: Date) => {
-    // Simple mock that returns a predictable format for testing
+    // Simple mock that returns a predictable format for testing in UTC
     const d = new Date(date);
     const dayNames = [
       "Sunday",
@@ -37,11 +37,11 @@ vi.mock("@/utils/date", () => ({
       "November",
       "December",
     ];
-    const dayName = dayNames[d.getDay()];
-    const month = monthNames[d.getMonth()];
-    const day = d.getDate();
-    const hours = d.getHours();
-    const minutes = d.getMinutes();
+    const dayName = dayNames[d.getUTCDay()];
+    const month = monthNames[d.getUTCMonth()];
+    const day = d.getUTCDate();
+    const hours = d.getUTCHours();
+    const minutes = d.getUTCMinutes();
     const ampm = hours >= 12 ? "PM" : "AM";
     const displayHours = hours % 12 || 12;
     const displayMinutes = minutes.toString().padStart(2, "0");
@@ -100,9 +100,9 @@ describe("recipient-context", () => {
       expect(result).toBe(`You have meeting history with this person:
 
 <recent_meetings>
-- "Q1 Planning Meeting" on Monday, January 15 at 12:00 PM (Conference Room A)
+- "Q1 Planning Meeting" on Monday, January 15 at 10:00 AM (Conference Room A)
   Description: Discuss Q1 goals and objectives
-- "Team Standup" on Wednesday, January 10 at 11:00 AM
+- "Team Standup" on Wednesday, January 10 at 9:00 AM
 </recent_meetings>
 
 Use this context naturally if relevant. For past meetings, you might reference topics discussed.`);
@@ -128,7 +128,7 @@ Use this context naturally if relevant. For past meetings, you might reference t
       expect(result).toBe(`You have meeting history with this person:
 
 <upcoming_meetings>
-- "Product Review" on Thursday, February 1 at 4:00 PM (Zoom)
+- "Product Review" on Thursday, February 1 at 2:00 PM (Zoom)
   Description: Review product roadmap and features
 </upcoming_meetings>
 
@@ -160,12 +160,12 @@ Use this context naturally if relevant. For upcoming meetings, you might say "Lo
       expect(result).toBe(`You have meeting history with this person:
 
 <recent_meetings>
-- "Past Meeting" on Monday, January 15 at 12:00 PM
+- "Past Meeting" on Monday, January 15 at 10:00 AM
   Description: This is a past meeting description
 </recent_meetings>
 
 <upcoming_meetings>
-- "Upcoming Meeting" on Thursday, February 1 at 4:00 PM (Office)
+- "Upcoming Meeting" on Thursday, February 1 at 2:00 PM (Office)
   Description: This is an upcoming meeting description
 </upcoming_meetings>
 
@@ -231,7 +231,7 @@ Use this context naturally if relevant. For past meetings, you might reference t
       expect(result).toBe(`You have meeting history with this person:
 
 <recent_meetings>
-- "Simple Meeting" on Monday, January 15 at 12:00 PM
+- "Simple Meeting" on Monday, January 15 at 10:00 AM
 </recent_meetings>
 
 Use this context naturally if relevant. For past meetings, you might reference topics discussed.`);
diff --git a/packages/resend/emails/reconnection.tsx b/packages/resend/emails/reconnection.tsx
index 9df8be649c..44b29e81f1 100644
--- a/packages/resend/emails/reconnection.tsx
+++ b/packages/resend/emails/reconnection.tsx
@@ -119,7 +119,7 @@ function Footer({
       </Text>
       <div className="mt-2">
         <Link
-          href={`${baseUrl}/api/unsubscribe?token=${unsubscribeToken}`}
+          href={`${baseUrl}/api/unsubscribe?token=${encodeURIComponent(unsubscribeToken)}`}
           className="text-gray-500 underline mr-4"
         >
           Unsubscribe

From 289fceb02e80e3eb80fce8d561e9399ee8943eb7 Mon Sep 17 00:00:00 2001
From: Eliezer Steinbock <3090527+elie222@users.noreply.github.com>
Date: Fri, 2 Jan 2026 01:18:30 +0200
Subject: [PATCH 3/3] fixes

---
 .../ai/meeting-briefs/generate-briefing.test.ts   |  6 +++++-
 .../web/utils/auth/cleanup-invalid-tokens.test.ts | 13 ++++++++-----
 apps/web/utils/auth/cleanup-invalid-tokens.ts     | 15 ++++++++++++---
 3 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/apps/web/utils/ai/meeting-briefs/generate-briefing.test.ts b/apps/web/utils/ai/meeting-briefs/generate-briefing.test.ts
index 5b803d1adc..3415af4a36 100644
--- a/apps/web/utils/ai/meeting-briefs/generate-briefing.test.ts
+++ b/apps/web/utils/ai/meeting-briefs/generate-briefing.test.ts
@@ -1,4 +1,4 @@
-import { describe, it, expect, vi } from "vitest";
+import { describe, it, expect, vi, beforeEach } from "vitest";
 import type { MeetingBriefingData } from "@/utils/meeting-briefs/gather-context";
 
 vi.mock("server-only", () => ({}));
@@ -28,6 +28,10 @@ vi.doUnmock("@/utils/date");
 
 import { buildPrompt } from "./generate-briefing";
 
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
 describe("buildPrompt timezone handling", () => {
   it("formats past meeting times in the user's timezone (not UTC)", () => {
     // This test documents the timezone bug fix:
diff --git a/apps/web/utils/auth/cleanup-invalid-tokens.test.ts b/apps/web/utils/auth/cleanup-invalid-tokens.test.ts
index 0403a804cf..ef8a1b8aa2 100644
--- a/apps/web/utils/auth/cleanup-invalid-tokens.test.ts
+++ b/apps/web/utils/auth/cleanup-invalid-tokens.test.ts
@@ -37,6 +37,7 @@ describe("cleanupInvalidTokens", () => {
 
   it("marks account as disconnected and sends email on invalid_grant when account is watched", async () => {
     prisma.emailAccount.findUnique.mockResolvedValue(mockEmailAccount as any);
+    prisma.account.updateMany.mockResolvedValue({ count: 1 });
 
     await cleanupInvalidTokens({
       emailAccountId: "ea_1",
@@ -44,9 +45,9 @@ describe("cleanupInvalidTokens", () => {
       logger,
     });
 
-    expect(prisma.account.update).toHaveBeenCalledWith(
+    expect(prisma.account.updateMany).toHaveBeenCalledWith(
       expect.objectContaining({
-        where: { id: "acc_1" },
+        where: { id: "acc_1", disconnectedAt: null },
         data: expect.objectContaining({
           disconnectedAt: expect.any(Date),
         }),
@@ -65,6 +66,7 @@ describe("cleanupInvalidTokens", () => {
       ...mockEmailAccount,
       watchEmailsExpirationDate: null,
     } as any);
+    prisma.account.updateMany.mockResolvedValue({ count: 1 });
 
     await cleanupInvalidTokens({
       emailAccountId: "ea_1",
@@ -72,7 +74,7 @@ describe("cleanupInvalidTokens", () => {
       logger,
     });
 
-    expect(prisma.account.update).toHaveBeenCalled();
+    expect(prisma.account.updateMany).toHaveBeenCalled();
     expect(sendReconnectionEmail).not.toHaveBeenCalled();
     expect(addUserErrorMessage).toHaveBeenCalledWith(
       "user_1",
@@ -93,12 +95,13 @@ describe("cleanupInvalidTokens", () => {
       logger,
     });
 
-    expect(prisma.account.update).not.toHaveBeenCalled();
+    expect(prisma.account.updateMany).not.toHaveBeenCalled();
     expect(sendReconnectionEmail).not.toHaveBeenCalled();
   });
 
   it("does not send email for insufficient_permissions", async () => {
     prisma.emailAccount.findUnique.mockResolvedValue(mockEmailAccount as any);
+    prisma.account.updateMany.mockResolvedValue({ count: 1 });
 
     await cleanupInvalidTokens({
       emailAccountId: "ea_1",
@@ -106,7 +109,7 @@ describe("cleanupInvalidTokens", () => {
       logger,
     });
 
-    expect(prisma.account.update).toHaveBeenCalled();
+    expect(prisma.account.updateMany).toHaveBeenCalled();
     expect(sendReconnectionEmail).not.toHaveBeenCalled();
     expect(addUserErrorMessage).not.toHaveBeenCalled();
   });
diff --git a/apps/web/utils/auth/cleanup-invalid-tokens.ts b/apps/web/utils/auth/cleanup-invalid-tokens.ts
index 0940d00bcc..f14c739dd0 100644
--- a/apps/web/utils/auth/cleanup-invalid-tokens.ts
+++ b/apps/web/utils/auth/cleanup-invalid-tokens.ts
@@ -48,8 +48,8 @@ export async function cleanupInvalidTokens({
     return;
   }
 
-  await prisma.account.update({
-    where: { id: emailAccount.accountId },
+  const updated = await prisma.account.updateMany({
+    where: { id: emailAccount.accountId, disconnectedAt: null },
     data: {
       access_token: null,
       refresh_token: null,
@@ -58,8 +58,17 @@ export async function cleanupInvalidTokens({
     },
   });
 
+  if (updated.count === 0) {
+    logger.info(
+      "Account already marked as disconnected (via concurrent update)",
+    );
+    return;
+  }
+
   if (reason === "invalid_grant") {
-    const isWatched = !!emailAccount.watchEmailsExpirationDate;
+    const isWatched =
+      !!emailAccount.watchEmailsExpirationDate &&
+      emailAccount.watchEmailsExpirationDate > new Date();
 
     if (isWatched) {
       try {