
[BE-12] Implement email verification flow on user registration #737

Description

@mftee

Overview

When a user registers with email/password, their isVerified flag is set to false but no verification email is ever sent and there is no endpoint to verify the email. Users can log in with an unverified email indefinitely. This is the mechanism by which spam registrations are filtered and ownership of an email address is confirmed.

Background

Files relevant:

  • backend/src/auth/auth.service.ts — register() should send a verification email after account creation
  • backend/src/mail/mail.service.ts — sendWelcome() exists but is never called; a new sendEmailVerification(to, token) method is needed
  • backend/src/auth/auth.controller.ts — add GET /api/auth/verify-email?token=:token endpoint
  • backend/src/users/users.service.ts — update() exists and can set isVerified: true

Verification token approach: generate a signed JWT with short expiry (24h), embed in the link, verify and decode on the endpoint.

Acceptance Criteria

  • Registration sends a verification email containing a one-time link
  • GET /api/auth/verify-email?token= endpoint validates the token and sets isVerified: true on the user
  • Returns 400 if the token is expired or malformed
  • Returns 200 and a success message on valid token
  • OAuth users (isVerified: true at creation) are not required to verify
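A sketch of the token approach and acceptance criteria above, added here as an example and not taken from the project's code. It hand-rolls HS256 with node:crypto so it runs stand-alone (a JWT library would normally do this); the function names, the `purpose` claim, the in-memory `Map` standing in for users.service.ts, and the choice to answer a replayed link with 400 are all assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed names (not from the issue): PURPOSE, issueToken, verifyEmail, the User shape.
const PURPOSE = "email-verify";
const TTL_SEC = 24 * 3600; // the 24h expiry from the issue
type User = { id: string; isVerified: boolean };
type Result = { status: 200 | 400; message: string };

const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
const dec = (s: string): any => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
const mac = (data: string, secret: string): Buffer =>
  createHmac("sha256", secret).update(data).digest();

export function issueToken(userId: string, secret: string, nowSec: number): string {
  const claims = { sub: userId, purpose: PURPOSE, exp: nowSec + TTL_SEC };
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${mac(body, secret).toString("base64url")}`;
}

export function verifyEmail(
  token: string, secret: string, nowSec: number, users: Map<string, User>,
): Result {
  const bad: Result = { status: 400, message: "invalid or expired token" };
  const parts = token.split(".");
  if (parts.length !== 3) return bad;
  const [h = "", p = "", s = ""] = parts;
  try {
    if (dec(h).alg !== "HS256") return bad; // pin the algorithm, never trust the header's choice
    const expected = mac(`${h}.${p}`, secret);
    const given = Buffer.from(s, "base64url");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return bad;
    const claims = dec(p);
    // A login JWT signed with the same secret must not pass as a verification token.
    if (claims.purpose !== PURPOSE) return bad;
    if (typeof claims.exp !== "number" || claims.exp <= nowSec) return bad;
    const user = users.get(String(claims.sub));
    // One-time use: a JWT is replayable until exp, so the state change is what consumes it.
    if (!user || user.isVerified) return bad;
    user.isVerified = true;
    return { status: 200, message: "email verified" };
  } catch {
    return bad; // base64url or JSON that does not parse counts as malformed
  }
}
```

Using a signing key dedicated to verification links, separate from the login JWT secret, removes the token-confusion risk that the `purpose` check guards against.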
