Forbid the authentication of a user until he validates his email address.

src/requests/login.cr

@@ -19,6 +19,12 @@ class AuthD::Request
 			# No user means DODB::MissingEntry, so it's already covered.
 			return Response::ErrorInvalidCredentials.new if user.nil?
 
+			# In case the user hasn't validated his email address,
+			# authentication shouldn't be possible.
+			if user.contact.activation_key
+				return Response::ErrorInvalidCredentials.new
+			end
+
 			if user.password_hash != authd.hash_password @password
 				return Response::ErrorInvalidCredentials.new
 			end