Prevent authentication when: no validated email address but an activation key.

2024-07-06 19:58:40 +02:00 · 2024-07-06 19:58:40 +02:00 · 8f7c3f5b0d
parent d24cb5d94e
commit 8f7c3f5b0d
1 changed files with 2 additions and 2 deletions
--- a/src/requests/login.cr
+++ b/src/requests/login.cr
@ -34,9 +34,9 @@ class AuthD::Request
 			# No user means DODB::MissingEntry, so it's already covered.
 			return Response::ErrorInvalidCredentials.new if user.nil?

-			# In case the user hasn't validated his email address,
+			# In case the user hasn't validated his email address (no email address but a token is present),
 			# authentication shouldn't be possible.
-			if user.contact.activation_key
+			if user.contact.email.nil? && user.contact.activation_key
 				return Response::ErrorEmailAddressNotValidated.new
 			end