Block sign-in for unverified email addresses#1192
Draft
codenem wants to merge 2 commits into
Draft
Conversation
dd4dbe5 to
4604949
Compare
CheckCredentials now rejects password authentication when the identity's email_address_verified flag is false, returning a new ErrEmailNotVerified error. The SignIn resolver catches this error, resends a verification email so the user gets a fresh link, and returns a GraphQL error with code EMAIL_NOT_VERIFIED. The frontend PasswordSignInPage handles this code to display a specific toast telling the user to check their inbox. SAML, OIDC, magic-link, and invitation-activation flows are unaffected because they already set email_address_verified = true upon identity creation or update. Co-authored-by: Émile Ré <[email protected]> Signed-off-by: Cursor Agent <[email protected]>
Replace the automatic email resend on sign-in rejection with a dedicated resend-verification-email page. The PasswordSignInPage now redirects to /auth/resend-verification-email?email=<addr> when the EMAIL_NOT_VERIFIED error is returned. The new page follows the same UX pattern as forgot-password: an email input (prefilled from the query string), a submit button that calls the new resendVerificationEmail GraphQL mutation, and a confirmation screen with a 'try again' link. The SendEmailVerification method now takes an email address and silently succeeds when the identity is not found or already verified, preventing information leakage. Co-authored-by: Émile Ré <[email protected]> Signed-off-by: Cursor Agent <[email protected]>
4604949 to
bd9f6fa
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves ENG-401: Users with unverified email addresses can no longer authenticate via password sign-in. When blocked, they are redirected to a dedicated verification page where they can request a new verification email.
Changes
Backend
pkg/iam/errors.go— AddedErrEmailNotVerifiederror type for the IAM package.pkg/iam/auth_service.go—CheckCredentialsnow checksEmailAddressVerifiedafter successful password verification. If the flag isfalse, it returnsErrEmailNotVerified. AddedSendEmailVerification(email)method that looks up the identity and sends a verification email (silently succeeds if identity not found or already verified, to prevent information leakage).pkg/server/api/connect/v1/graphql/session.graphql— AddedresendVerificationEmailmutation (@session(required: NONE)), withResendVerificationEmailInputandResendVerificationEmailPayload.pkg/server/api/connect/v1/session_resolvers.go— TheSignInresolver catchesErrEmailNotVerifiedand returns a GraphQL error with codeEMAIL_NOT_VERIFIED. NewResendVerificationEmailresolver delegates toAuthService.SendEmailVerification.Frontend
apps/console/src/pages/iam/auth/ResendVerificationEmailPage.tsx— New page modeled afterForgotPasswordPage: email input (prefilled from query string), submit callsresendVerificationEmailmutation, then shows a "check your email" confirmation with a "try again" link.apps/console/src/pages/iam/auth/sign-in/PasswordSignInPage.tsx— OnEMAIL_NOT_VERIFIED, redirects to/auth/resend-verification-email?email=<addr>instead of showing a toast.apps/console/src/routes.tsx— Added/auth/resend-verification-emailroute.How it works
email_address_verifiedisfalse, authentication is rejected withEMAIL_NOT_VERIFIED/auth/resend-verification-email?email=<addr>Unaffected flows
SAML, OIDC, magic-link, and invitation-activation flows are unaffected because they already set
email_address_verified = trueupon identity creation or update.Linear Issue: ENG-401
Summary by cubic
Blocks password sign-in for unverified accounts and redirects users to a dedicated verification flow. Implements ENG-401 by returning
EMAIL_NOT_VERIFIEDand adding a safe resend path; SAML, OIDC, magic-link, and invitation activation stay the same.CheckCredentialsrejects unverified identities viaErrEmailNotVerified. AddedSendEmailVerification(ctx, email)which no-ops if the account doesn’t exist or is already verified to avoid info leaks.SignInnow only returns a GraphQL error with codeEMAIL_NOT_VERIFIED(no auto-resend). AddedresendVerificationEmailmutation.EMAIL_NOT_VERIFIED, password sign-in redirects to/auth/resend-verification-email?email=<addr>. NewResendVerificationEmailPagelets users enter an email, call the mutation, and see a confirmation; route added inroutes.tsx.Written for commit bd9f6fa. Summary will update on new commits. Review in cubic