From e4f434e730f4bb683523326f8e6fbeaffa0ab439 Mon Sep 17 00:00:00 2001
From: Mohamed Bassem <me@mbassem.com>
Date: Sun, 30 Nov 2025 00:27:07 +0000
Subject: fix: fix bypass email verification in apiKey.exchange

---
 packages/trpc/routers/apiKeys.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'packages/trpc/routers/apiKeys.ts')

diff --git a/packages/trpc/routers/apiKeys.ts b/packages/trpc/routers/apiKeys.ts
index 93b7d9ec..763bc23a 100644
--- a/packages/trpc/routers/apiKeys.ts
+++ b/packages/trpc/routers/apiKeys.ts
@@ -131,6 +131,16 @@ export const apiKeysAppRouter = router({
       } catch {
         throw new TRPCError({ code: "UNAUTHORIZED" });
       }
+
+      // Check if email verification is required and if the user has verified their email
+      if (serverConfig.auth.emailVerificationRequired && !user.emailVerified) {
+        throw new TRPCError({
+          message:
+            "Please verify your email address before generating an API key",
+          code: "FORBIDDEN",
+        });
+      }
+
       return await generateApiKey(input.keyName, user.id, ctx.db);
     }),
   validate: publicProcedure
-- 
cgit v1.2.3-70-g09d2