Follow-up to #956 (auth hardening review). Missing functionality.
Gap
We set auth_user.email_verified only on invitation-accept. There is no self-serve email verification flow and no option to gate login on a verified email.
Proposed
- Issue a verification token on registration (Better Auth
emailVerification / sendVerificationEmail, or a document-backed token like the password-reset path in routes/auth.ts).
GET /auth/verify?token=… endpoint → mark email_verified = 1, redirect with success.
- Optional
requireEmailVerification auth setting that rejects login for unverified users (configurable; default off to preserve current behavior).
- Resend-verification endpoint (rate-limited, like
request-password-reset).
Acceptance
- Unverified user can complete verification via emailed link.
- With gating enabled, unverified login is rejected; with it disabled, behavior is unchanged.
- E2E spec (88+) covering verify happy-path + gated-login rejection.
Follow-up to #956 (auth hardening review). Missing functionality.
Gap
We set
auth_user.email_verifiedonly on invitation-accept. There is no self-serve email verification flow and no option to gate login on a verified email.Proposed
emailVerification/sendVerificationEmail, or a document-backed token like the password-reset path inroutes/auth.ts).GET /auth/verify?token=…endpoint → markemail_verified = 1, redirect with success.requireEmailVerificationauth setting that rejects login for unverified users (configurable; default off to preserve current behavior).request-password-reset).Acceptance