fix: fallback identity email #377

Open: Jorgagu wants to merge 1 commit into ory:master from Jorgagu:fix/consent/fallback-identity-email

Jorgagu (Contributor) commented Jul 1, 2025

This pull request introduces a fallback mechanism in the extractSession function within src/routes/consent.ts. The change ensures that if no email is found in the session's id_token, the email from identity.traits is used as a backup, with email_verified explicitly set to false when the email's verification status cannot be guaranteed.

Key change:

  • src/routes/consent.ts: Added a fallback to populate session.id_token.email with the email from identity.traits if no email is found, and set email_verified to false in such cases.

Related Issue or Design Document

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

Jorgagu force-pushed the fix/consent/fallback-identity-email branch from c03d0be to e8b00f2, July 1, 2025 13:49

Jorgagu changed the title from "fix(consent): fallback identity email" to "fix: fallback identity email", Jul 1, 2025

Jorgagu (Contributor, Author) commented Jul 1, 2025

@aeneasr @vinckr could you please review? 😄

jonas-jonas (Member) left a comment

Apologies for the late review. What's the use case here? To me, this seems like an unlikely use case. This would catch situations where the identity schema doesn't define any verifiable addresses. Is that correct?

If so, what's the reason for configuring it that way?

Jorgagu (Contributor, Author) commented Sep 23, 2025

Hi @jonas-jonas,
currently only the verified email(s) are added to the ID token. If the user hasn’t verified their email address, no email is included in the ID token.

This PR ensures that when the email scope is requested, at least one email is transmitted — even if it isn’t verified.

jonas-jonas (Member) commented
verifiable_addresses should also include emails that aren't verified: https://github.com/ory/kratos-selfservice-ui-node/pull/377/files#diff-f55c47595a4b4dc1dc448defc15f0157e124c1f8241c25474835948ca51be903R30

e.g.:

    "verifiable_addresses": [
      {
        "id": "66cdce7c-32c8-2399-991b-539e1e4d0da7",
        "value": "******@ory.sh",
        "verified": false,
        "via": "email",
        "status": "sent",
        "created_at": "2025-09-23T18:29:19.776434Z",
        "updated_at": "2025-09-23T18:29:19.776434Z"
      }
    ],

aeneasr (Member) commented Sep 24, 2025

I agree with @jonas-jonas and it would definitely be better to use verified addresses here per default, since this is an example / reference implementation. If you have custom needs for your use case you can always fork it / use it as the baseline or go with https://github.com/ory/elements :)
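
The policy discussed in this thread, as an added example (not the code in src/routes/consent.ts or in this pull request): a hypothetical `emailClaims` helper releases only a verified address by default and, when the fallback is switched on, returns an unverified address or `traits.email` with `email_verified: false`. `trustedEmail` is the matching relying-party check. The interface names, function names and example.org addresses are assumptions constructed for illustration.

```typescript
// Added example: hypothetical helpers, not the project's extractSession.
interface VerifiableAddress {
  value: string
  verified: boolean
  via: string
}

interface IdentityLike {
  traits?: { email?: string }
  verifiable_addresses?: VerifiableAddress[]
}

interface EmailClaims {
  email?: string
  email_verified?: boolean
}

// Build the ID token email claims for an identity.
// allowUnverified=false releases verified addresses only; true enables the
// unverified fallback discussed in the thread, always with email_verified: false.
function emailClaims(identity: IdentityLike, allowUnverified = false): EmailClaims {
  const emails = (identity.verifiable_addresses ?? []).filter((a) => a.via === "email")
  const verified = emails.filter((a) => a.verified)[0]
  if (verified) {
    return { email: verified.value, email_verified: true }
  }
  if (!allowUnverified) {
    return {} // no email claim at all rather than an unproven one
  }
  // Unverified verifiable address first, then the raw trait.
  const candidate = emails[0]?.value ?? identity.traits?.email
  return candidate ? { email: candidate, email_verified: false } : {}
}

// Relying-party side: use the address for account matching only when the
// provider asserts that it was verified.
function trustedEmail(claims: EmailClaims): string | undefined {
  return claims.email_verified === true ? claims.email : undefined
}

// Constructed sample identities (not real data).
const unverifiedIdentity: IdentityLike = {
  traits: { email: "alice@example.org" },
  verifiable_addresses: [{ value: "alice@example.org", verified: false, via: "email" }],
}
const traitOnlyIdentity: IdentityLike = { traits: { email: "bob@example.org" } }
```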
