3 files changed, 14 insertions, 6 deletions

diff --git a/src/api/routes/auth/login.ts b/src/api/routes/auth/login.ts
index 2b97ec10..89d0be69 100644
--- a/src/api/routes/auth/login.ts
+++ b/src/api/routes/auth/login.ts
@@ -102,6 +102,17 @@ router.post(
 			});
 		}
 
+		// return an error for unverified accounts if verification is required
+		if (config.login.requireVerification && !user.verified) {
+			throw FieldErrors({
+				login: {
+					code: "ACCOUNT_LOGIN_VERIFICATION_EMAIL",
+					message:
+						"Email verification is required, please check your email.",
+				},
+			});
+		}
+
 		if (user.mfa_enabled && !user.webauthn_enabled) {
 			// TODO: This is not a discord.com ticket. I'm not sure what it is but I'm lazy
 			const ticket = crypto.randomBytes(40).toString("hex");
diff --git a/src/api/routes/auth/verify/index.ts b/src/api/routes/auth/verify/index.ts
index 7809bc26..14cc3f95 100644
--- a/src/api/routes/auth/verify/index.ts
+++ b/src/api/routes/auth/verify/index.ts
@@ -17,7 +17,7 @@
 */
 
 import { route, verifyCaptcha } from "@fosscord/api";
-import { checkToken, Config, FieldErrors } from "@fosscord/util";
+import { checkToken, Config, FieldErrors, User } from "@fosscord/util";
 import { Request, Response, Router } from "express";
 import { HTTPError } from "lambert-server";
 const router = Router();
@@ -57,11 +57,7 @@ router.post(
 
 			if (user.verified) return res.send(user);
 
-			// verify email
-			user.verified = true;
-			await user.save();
-
-			// TODO: invalidate token after use?
+			await User.update({ id: user.id }, { verified: true });
 
 			return res.send(user);
 		} catch (error) {
diff --git a/src/util/config/types/LoginConfiguration.ts b/src/util/config/types/LoginConfiguration.ts
index 862bc185..1d5752fe 100644
--- a/src/util/config/types/LoginConfiguration.ts
+++ b/src/util/config/types/LoginConfiguration.ts
@@ -18,4 +18,5 @@
 
 export class LoginConfiguration {
 	requireCaptcha: boolean = false;
+	requireVerification: boolean = false;
 }