Require email_verified to be explicitly true when enforcement is enabled

Previously the check only rejected email_verified === false, allowing
logins when the claim was missing entirely. Since the admin opted in,
the IdP is expected to provide the claim.
This commit is contained in:
Denis Arnst 2026-02-05 19:56:58 +01:00
parent b3d63f4158
commit 49aeb2da19
No known key found for this signature in database
GPG key ID: D5866C58940197BF
2 changed files with 9 additions and 7 deletions


@ -168,7 +168,7 @@ class OidcAuthStrategy {
} }
// Enforce email_verified check on every login if configured // Enforce email_verified check on every login if configured
if (global.ServerSettings.authOpenIDRequireVerifiedEmail && userinfo.email_verified === false) { if (global.ServerSettings.authOpenIDRequireVerifiedEmail && userinfo.email_verified !== true) {
throw new AuthError('Email is not verified', 401) throw new AuthError('Email is not verified', 401)
} }
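Review bot: The `!== true` comparison on the changed line rejects a missing claim and an explicit `false` with the same 'Email is not verified' message, so an operator cannot tell an unverified address from an IdP that is not sending the claim at all (typically an `email` scope or claims-mapping problem), which is the case most likely to surface after this change. Recording whether the claim was absent before the throw, or a comment such as `// Absent claim is treated as unverified: with enforcement on, the IdP must send email_verified (email scope)`, would make that diagnosable from the server log. The strict comparison also rejects a non-boolean serialization such as the string `"true"`; the OIDC spec defines the claim as a JSON boolean, so that is presumably intended, but it is worth stating in the comment. The enclosing method of OidcAuthStrategy starts before the hunk.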


@ -481,14 +481,16 @@ describe('OidcAuthStrategy', function () {
expect(result).to.equal(user) expect(result).to.equal(user)
}) })
it('should allow login when email_verified is missing and enforcement is on', async function () { it('should reject login when email_verified is missing and enforcement is on', async function () {
// Only reject when explicitly false, not when absent
global.ServerSettings.authOpenIDRequireVerifiedEmail = true global.ServerSettings.authOpenIDRequireVerifiedEmail = true
const user = makeUser()
DatabaseStub.userModel.findUserFromOpenIdUserInfo.resolves(user)
const result = await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' }) try {
expect(result).to.equal(user) await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' })
expect.fail('should have thrown')
} catch (err) {
expect(err.message).to.equal('Email is not verified')
expect(err.statusCode).to.equal(401)
}
}) })
it('should auto-register new user when enabled', async function () { it('should auto-register new user when enabled', async function () {