Because:
- v1 password stretching salts using the account's original signup
email, which can differ from the user's current primary. Clients that
used the typed/current primary computed the wrong authPW on the first
try, forcing email-case retry logic and brittle lookahead in the
password-change and reauth flows.
This commit:
- Adds GET /session/original-account-email returning the account's
signup email for the authenticated session, with swagger docs.
- Adds AuthClient.fetchOriginalAccountEmail and uses it in
sessionReauth, passwordChange, and passwordChangeWithAuthPW so v1
derivations match the stored verifier on the first attempt.
- Threads originalLoginEmail through SessionReauthOptions so callers
that already fetched the email (e.g. passwordChangeWithAuthPW) avoid
a redundant round-trip.
- Updates auth-server route, password.ts, and remote tests to the new
flow; renames the sessionReauth parameter email -> primaryEmail to
disambiguate from the derivation email.
- Replaces a Sentry.captureMessage with captureException(err, { tags })
on the v2-upgrade failure path so stacks are preserved.