Forbid the authentication of a user until he validates his email address.

This commit is contained in:
Philippe Pittoli 2024-02-11 20:25:08 +01:00
parent a2f5442565
commit 4f84b4c5d6

View File

@ -19,6 +19,12 @@ class AuthD::Request
# No user means DODB::MissingEntry, so it's already covered.
return Response::ErrorInvalidCredentials.new if user.nil?
# In case the user hasn't validated his email address,
# authentication shouldn't be possible.
if user.contact.activation_key
return Response::ErrorInvalidCredentials.new
end
if user.password_hash != authd.hash_password @password
return Response::ErrorInvalidCredentials.new
end