From 4f84b4c5d63ceb4fe474cc64896e52551a4a3358 Mon Sep 17 00:00:00 2001
From: Philippe Pittoli
Date: Sun, 11 Feb 2024 20:25:08 +0100
Subject: [PATCH] Forbid the authentication of a user until he validates his email address.
---
 src/requests/login.cr | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/requests/login.cr b/src/requests/login.cr
index 3e84884..0fcd150 100644
--- a/src/requests/login.cr
+++ b/src/requests/login.cr
@@ -19,6 +19,12 @@ class AuthD::Request
 # No user means DODB::MissingEntry, so it's already covered.
 return Response::ErrorInvalidCredentials.new if user.nil?
+ # In case the user hasn't validated his email address,
+ # authentication shouldn't be possible.
+ if user.contact.activation_key
+ return Response::ErrorInvalidCredentials.new
+ end
+
 if user.password_hash != authd.hash_password @password
 return Response::ErrorInvalidCredentials.new
 end
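Review bot: The new `if user.contact.activation_key` guard returns before `authd.hash_password @password` is ever evaluated, so a request against an existing-but-unactivated account skips the hashing step while a wrong password against an activated account pays for it; if that hash function is deliberately slow (I cannot see its definition from this hunk), the timing gap lets an unauthenticated caller distinguish "unactivated account" from "wrong password" even though both return the same `Response::ErrorInvalidCredentials`. Moving the activation block below the `user.password_hash != authd.hash_password @password` check keeps the same rejection but makes every rejection of a known user go through the hash first, and it also means only a caller who already proved the password would learn anything if a distinct "not activated" response is ever introduced. A second, smaller point: in Crystal only `nil` and `false` are falsy, so an activation flow that blanks the key to `""` rather than `nil` would leave the account permanently locked out — writing the guard as `unless user.contact.activation_key.nil?` (or `.presence` if the field is a `String?`) states the intended contract explicitly, and a one-line comment such as `# activation_key is cleared (set to nil) once the e-mail is confirmed` would document it. The enclosing method begins before this hunk, so the surrounding control flow is not visible here.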