From 8f7c3f5b0d2aa38cce92c4ca3086d03f2d536b7b Mon Sep 17 00:00:00 2001
From: Philippe PITTOLI
Date: Sat, 6 Jul 2024 19:58:40 +0200
Subject: [PATCH] Prevent authentication when: no validated email address but an activation key.
---
 src/requests/login.cr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/requests/login.cr b/src/requests/login.cr
index 22125d6..b7625c7 100644
--- a/src/requests/login.cr
+++ b/src/requests/login.cr
@@ -34,9 +34,9 @@ class AuthD::Request
 # No user means DODB::MissingEntry, so it's already covered.
 return Response::ErrorInvalidCredentials.new if user.nil?
- # In case the user hasn't validated his email address,
+ # In case the user hasn't validated his email address (no email address but a token is present),
 # authentication shouldn't be possible.
- if user.contact.activation_key
+ if user.contact.email.nil? && user.contact.activation_key
 return Response::ErrorEmailAddressNotValidated.new
 end
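Review bot: The narrowed guard `if user.contact.email.nil? && user.contact.activation_key` is only safe if `contact.email` is never populated before the address has been validated, and nothing in this hunk shows where that invariant is enforced. Any account with a non-nil `contact.email` now passes this check even while an activation key is pending, so if registration ever stores the unverified address in `email`, unvalidated accounts can authenticate. An account with neither an email nor an activation key also passes; if that state should not exist, `if user.contact.email.nil?` alone would fail closed. I would at least state the invariant in the comment, e.g. `# contact.email is set only after validation; a key alongside a set email is a pending address change.`, and cover both states with a login test. The enclosing method starts and ends outside the hunk, so the password check and the registration path are not visible here.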