Require confirmed email when checking oauth token (#332)

* move token checker to security package * update tests with new security package * add oauth token checking to security package * check if user email confirmed when parsing token
2025-06-05 21:59:39 +02:00 · 2021-11-27 14:53:34 +01:00
parent 5ed03480e7
commit ce22e03f9d
8 changed files with 57 additions and 30 deletions
--- a/internal/oauth/util.go
+++ b/internal/oauth/util.go
@ -85,6 +85,9 @@ func Authed(c *gin.Context, requireToken bool, requireApp bool, requireUser bool
 		if a.User.Disabled || !a.User.Approved {
 			return nil, errors.New("user disabled or not approved")
 		}
+		if a.User.Email == "" {
+			return nil, errors.New("user has no confirmed email address")
+		}
 	}

 	if requireAccount {