From ce22e03f9deaf424aa21c5cc0ef85e58992a7882 Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Sat, 27 Nov 2021 14:53:34 +0100
Subject: Require confirmed email when checking oauth token (#332)
* move token checker to security package
* update tests with new security package
* add oauth token checking to security package
* check if user email confirmed when parsing token
---
 internal/oauth/util.go | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'internal/oauth/util.go')
diff --git a/internal/oauth/util.go b/internal/oauth/util.go
index 2520fc784..540045f80 100644
--- a/internal/oauth/util.go
+++ b/internal/oauth/util.go
@@ -85,6 +85,9 @@ func Authed(c *gin.Context, requireToken bool, requireApp bool, requireUser bool
 if a.User.Disabled || !a.User.Approved {
 return nil, errors.New("user disabled or not approved")
 }
+ if a.User.Email == "" {
+ return nil, errors.New("user has no confirmed email address")
+ }
 }
 if requireAccount {
-- 
cgit v1.2.3
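Review bot: The added `a.User.Email == ""` check uses an empty string as a stand-in for "address not confirmed", but nothing in the hunk states why that holds, so this authorization gate is only as strong as an invariant maintained elsewhere. If the user model fills `Email` only after confirmation (not visible here), say so above the check, e.g. `// Email is only set once the address has been confirmed; empty means unconfirmed`. If the model also records confirmation explicitly, testing that field instead would keep the gate from passing silently should `Email` ever be written earlier in the signup flow. The two error strings visible in this block tell the caller which account state rejected the token, which is worth checking if they are passed through to the HTTP response. Authed starts and ends outside the hunk, so whether `a.User` is nil-checked before these dereferences cannot be confirmed from here.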