Prevent authentication when: no validated email address but an activation key.

Philippe PITTOLI 2024-07-06 19:58:40 +02:00
parent d24cb5d94e
commit 8f7c3f5b0d

@ -34,9 +34,9 @@ class AuthD::Request
# No user means DODB::MissingEntry, so it's already covered.
return Response::ErrorInvalidCredentials.new if user.nil?
# In case the user hasn't validated his email address,
# In case the user hasn't validated his email address (no email address but a token is present),
# authentication shouldn't be possible.
if user.contact.activation_key
if user.contact.email.nil? && user.contact.activation_key
return Response::ErrorEmailAddressNotValidated.new
end
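Review bot: the narrowed condition `user.contact.email.nil? && user.contact.activation_key` no longer rejects an account whose `email` is nil and whose `activation_key` is also nil. That account has no validated address, yet it falls through this check. If that state cannot occur, say so in the comment. Otherwise reject on `user.contact.email.nil?` alone and keep the activation-key test only for choosing the error response. The relaxed check also lets an account with a set `email` and a pending `activation_key` pass, which looks intended; the comment should state that case explicitly so that a later reader does not tighten it again. Minor: the new comment says "token" while the field is `activation_key`, so use one term.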