From 49aeb2da195b8eb2f74a315c4d7bea3222656558 Mon Sep 17 00:00:00 2001
From: Denis Arnst
Date: Thu, 5 Feb 2026 19:56:58 +0100
Subject: [PATCH] Require email_verified to be explicitly true when enforcement is enabled
Previously the check only rejected email_verified === false, allowing logins when the claim was missing entirely. Since the admin opted in, the IdP is expected to provide the claim.
---
 server/auth/OidcAuthStrategy.js | 2 +-
 test/server/auth/OidcAuthStrategy.test.js | 14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/server/auth/OidcAuthStrategy.js b/server/auth/OidcAuthStrategy.js
index 5e48917af..85003fe35 100644
--- a/server/auth/OidcAuthStrategy.js
+++ b/server/auth/OidcAuthStrategy.js
@@ -168,7 +168,7 @@ class OidcAuthStrategy {
 }
 // Enforce email_verified check on every login if configured
- if (global.ServerSettings.authOpenIDRequireVerifiedEmail && userinfo.email_verified === false) {
+ if (global.ServerSettings.authOpenIDRequireVerifiedEmail && userinfo.email_verified !== true) {
 throw new AuthError('Email is not verified', 401)
 }
diff --git a/test/server/auth/OidcAuthStrategy.test.js b/test/server/auth/OidcAuthStrategy.test.js
index 29afc3196..801e1d5c6 100644
--- a/test/server/auth/OidcAuthStrategy.test.js
+++ b/test/server/auth/OidcAuthStrategy.test.js
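Review bot: The tightened condition on the `+` line now rejects an absent `email_verified` claim exactly like an explicit `false`, but the single `AuthError('Email is not verified', 401)` gives an operator no way to tell a user whose IdP reports the address as unverified from an IdP that simply does not return the claim in userinfo, which is the more likely outcome when this setting is enabled against a provider that omits it. I would emit a server-side log line before the throw stating which of the two cases occurred (claim absent, non-boolean, or false), and widen the comment above the check so the intent is explicit: `// Enforce email_verified check on every login if configured. The claim must be boolean true; an absent or non-boolean value is rejected too, since the admin opted in and the IdP is expected to provide it.` Note that a non-boolean value such as the string `"true"` is now also rejected; that is the strict reading of the claim's type and fine, but worth stating in the comment so it is not later reported as a regression. The enclosing method starts and ends outside this hunk, so I cannot see whether a separate check exists on the auto-registration path; if there is one, it should use the same `!== true` condition so the two paths cannot drift apart.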
@@ -481,14 +481,16 @@ describe('OidcAuthStrategy', function () {
 expect(result).to.equal(user)
 })
- it('should allow login when email_verified is missing and enforcement is on', async function () {
- // Only reject when explicitly false, not when absent
+ it('should reject login when email_verified is missing and enforcement is on', async function () {
 global.ServerSettings.authOpenIDRequireVerifiedEmail = true
- const user = makeUser()
- DatabaseStub.userModel.findUserFromOpenIdUserInfo.resolves(user)
- const result = await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' })
- expect(result).to.equal(user)
+ try {
+ await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' })
+ expect.fail('should have thrown')
+ } catch (err) {
+ expect(err.message).to.equal('Email is not verified')
+ expect(err.statusCode).to.equal(401)
+ }
 })
 it('should auto-register new user when enabled', async function () {
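Review bot: The added `expect.fail('should have thrown')` sits inside the `try`, so it is swallowed by the `catch (err)` directly below it; if `verifyUser` ever resolves again, the test still fails, but on `expect(err.message)` with a misleading "expected 'should have thrown' to equal 'Email is not verified'" instead of on the missing rejection. Capturing the error outside the `try` and asserting after it keeps the failure message honest and avoids the try/catch asserting on the assertion library's own error; the rewritten test body is below. It would also be worth asserting that the stubbed `findUserFromOpenIdUserInfo` is not reached for a rejected login, if the stub is reset between tests in this file (its setup is outside the hunk, so I cannot confirm that). The enclosing `describe` block continues past the end of this hunk.
```javascript
  it('should reject login when email_verified is missing and enforcement is on', async function () {
    global.ServerSettings.authOpenIDRequireVerifiedEmail = true
    let thrown = null
    try {
      await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' })
    } catch (err) {
      thrown = err
    }
    expect(thrown, 'verifyUser should have rejected').to.not.equal(null)
    expect(thrown.message).to.equal('Email is not verified')
    expect(thrown.statusCode).to.equal(401)
  })
```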