Skip to content

Email verification flow (verify endpoint + login gating) #957

Description

@lane711

Follow-up to #956 (auth hardening review). Missing functionality.

Gap

We set auth_user.email_verified only on invitation-accept. There is no self-serve email verification flow and no option to gate login on a verified email.

Proposed

  • Issue a verification token on registration (Better Auth emailVerification / sendVerificationEmail, or a document-backed token like the password-reset path in routes/auth.ts).
  • GET /auth/verify?token=… endpoint → mark email_verified = 1, redirect with success.
  • Optional requireEmailVerification auth setting that rejects login for unverified users (configurable; default off to preserve current behavior).
  • Resend-verification endpoint (rate-limited, like request-password-reset).

Acceptance

  • Unverified user can complete verification via emailed link.
  • With gating enabled, unverified login is rejected; with it disabled, behavior is unchanged.
  • E2E spec (88+) covering verify happy-path + gated-login rejection.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsecuritySecurity vulnerabilities

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions