| author | Mohamed Bassem <me@mbassem.com> | 2025-07-10 08:35:32 +0000 |
|---|---|---|
| committer | Mohamed Bassem <me@mbassem.com> | 2025-07-10 08:37:44 +0000 |
| commit | 93049e864ae6d281b60c23dee868bca3f585dd4a (patch) | |
| tree | d39c0b4221486dbc82461a505f205d162a9e4def /apps/web/server | |
| parent | aae3ef17eccf0752edb5ce5638a58444ccb6ce3a (diff) | |
| download | karakeep-93049e864ae6d281b60c23dee868bca3f585dd4a.tar.zst | |
feat: Add support for email verification
Diffstat (limited to 'apps/web/server')
| -rw-r--r-- | apps/web/server/auth.ts | 36 |
1 files changed, 26 insertions, 10 deletions
diff --git a/apps/web/server/auth.ts b/apps/web/server/auth.ts
index 3d32f702..e7b5e1cb 100644
--- a/apps/web/server/auth.ts
+++ b/apps/web/server/auth.ts
@@ -1,6 +1,6 @@
 import { Adapter, AdapterUser } from "@auth/core/adapters";
 import { DrizzleAdapter } from "@auth/drizzle-adapter";
-import { and, count, eq } from "drizzle-orm";
+import { count, eq } from "drizzle-orm";
 import NextAuth, {
 DefaultSession,
 getServerSession,
@@ -169,22 +169,38 @@ export const authOptions: NextAuthOptions = {
 newUser: "/signin",
 },
 callbacks: {
- async signIn({ credentials, profile }) {
+ async signIn({ user: credUser, credentials, profile }) {
+ const email = credUser.email || profile?.email;
+ if (!email) {
+ throw new Error("Provider didn't provide an email during signin");
+ }
+ const user = await db.query.users.findFirst({
+ columns: { emailVerified: true },
+ where: eq(users.email, email),
+ });
+
 if (credentials) {
+ if (!user) {
+ throw new Error("Invalid credentials");
+ }
+ if (
+ serverConfig.auth.emailVerificationRequired &&
+ !user.emailVerified
+ ) {
+ throw new Error("Please verify your email address before signing in");
+ }
 return true;
 }
- if (!profile?.email) {
- throw new Error("No profile");
- }
- const [{ count: userCount }] = await db
- .select({ count: count() })
- .from(users)
- .where(and(eq(users.email, profile.email)));
 // If it's a new user and signups are disabled, fail the sign in
- if (userCount === 0 && serverConfig.auth.disableSignups) {
+ if (!user && serverConfig.auth.disableSignups) {
 throw new Error("Signups are disabled in server config");
 }
+
+ // TODO: We're blindly trusting oauth providers to validate emails
+ // As such, oauth users can sign in even if email verification is enabled.
+ // We might want to change this in the future.
+
 return true;
 },
 async jwt({ token, user }) {
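Review bot: The credentials branch re-resolves the already-authenticated user by email (`where: eq(users.email, email)`) although `credUser` is the row that the credentials provider's `authorize` returned, so any mismatch between the stored email and the value echoed back in `credUser.email` (case or whitespace differences, depending on the column's collation, which is not visible here) turns a valid login into "Invalid credentials", and the `emailVerificationRequired` gate becomes dependent on email normalization rather than on the account itself. Looking the credentials user up by its id, `where: eq(users.id, credUser.id)`, and keeping the email-based lookup only for the OAuth path would decouple the verification check from how the email is spelled. The same normalization question applies to the `!user && serverConfig.auth.disableSignups` check on the OAuth side, where an email from the provider that differs only in case from the stored one would be treated as a brand-new account; if the column stores lower-cased values, lower-casing `email` before the lookup is the usual fix. The enclosing `authOptions` object starts and ends outside the hunk.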
