Overview
When a user registers with email/password, their isVerified flag is set to false, but no verification email is ever sent and there is no endpoint to verify the email. Users can log in with an unverified email indefinitely. Email verification is the mechanism by which spam registrations are filtered and ownership of an email address is confirmed.
Background
Relevant files:
backend/src/auth/auth.service.ts — register() should send a verification email after account creation
backend/src/mail/mail.service.ts — sendWelcome() exists but is never called; a new sendEmailVerification(to, token) method is needed
backend/src/auth/auth.controller.ts — add GET /api/auth/verify-email?token=:token endpoint
backend/src/users/users.service.ts — update() exists and can set isVerified: true
Verification token approach: generate a signed JWT with short expiry (24h), embed in the link, verify and decode on the endpoint.
Acceptance Criteria
GET /api/auth/verify-email?token= endpoint validates the token and sets isVerified: true on the user
400 if the token is expired or malformed
200 and a success message on valid token
isVerified: true at creation) are not required to verify
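The verification token approach from the Background section and the 400/200 behaviour listed above, as an added example that is not code from this repository. It builds the HS256 JWT with Node's crypto module so it runs without dependencies; the function names, the purpose claim and the way the secret is passed in are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const TTL_SECONDS = 24 * 60 * 60; // 24h expiry, as the issue proposes
const PURPOSE = "verify-email"; // assumed claim: keeps the app's other JWTs out of this endpoint

const encodeJson = (value: object): string =>
  Buffer.from(JSON.stringify(value)).toString("base64url");
const hmac = (input: string, secret: string): Buffer =>
  createHmac("sha256", secret).update(input).digest();

// For register(): builds the token that goes into the emailed link.
function issueVerificationToken(userId: string, secret: string, now = Date.now()): string {
  const iat = Math.floor(now / 1000);
  const header = encodeJson({ alg: "HS256", typ: "JWT" });
  const payload = encodeJson({ sub: userId, purpose: PURPOSE, iat, exp: iat + TTL_SECONDS });
  const signature = hmac(`${header}.${payload}`, secret).toString("base64url");
  return `${header}.${payload}.${signature}`;
}

type VerifyResult = { status: 200; userId: string } | { status: 400; error: string };

// For GET /api/auth/verify-email: every failure maps to 400, success to 200.
function checkVerificationToken(token: string, secret: string, now = Date.now()): VerifyResult {
  const reject = (error: string): VerifyResult => ({ status: 400, error });
  const parts = token.split(".");
  if (parts.length !== 3) return reject("malformed token");
  const [header, payload, signature] = parts;
  // The MAC is always HMAC-SHA256; the header's alg field is never consulted.
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return reject("invalid signature");
  }
  let claims: { sub?: unknown; purpose?: unknown; exp?: unknown } = {};
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) ?? {};
  } catch {
    return reject("malformed token");
  }
  if (claims.purpose !== PURPOSE || typeof claims.sub !== "string") {
    return reject("wrong token type");
  }
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) {
    return reject("token expired");
  }
  return { status: 200, userId: claims.sub };
}
```

On a 200 result the controller would pass userId to the existing update() in users.service.ts with isVerified: true; because the token stays valid for its full 24h, that update should be safe to repeat.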