From 8f7c3f5b0d2aa38cce92c4ca3086d03f2d536b7b Mon Sep 17 00:00:00 2001
From: Philippe PITTOLI <karchnu@karchnu.fr>
Date: Sat, 6 Jul 2024 19:58:40 +0200
Subject: [PATCH] Prevent authentication when: no validated email address but
 an activation key.

---
 src/requests/login.cr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/requests/login.cr b/src/requests/login.cr
index 22125d6..b7625c7 100644
--- a/src/requests/login.cr
+++ b/src/requests/login.cr
@@ -34,9 +34,9 @@ class AuthD::Request
 			# No user means DODB::MissingEntry, so it's already covered.
 			return Response::ErrorInvalidCredentials.new if user.nil?
 
-			# In case the user hasn't validated his email address,
+			# In case the user hasn't validated his email address (no email address but a token is present),
 			# authentication shouldn't be possible.
-			if user.contact.activation_key
+			if user.contact.email.nil? && user.contact.activation_key
 				return Response::ErrorEmailAddressNotValidated.new
 			end