fix: require email verification before activation

2026-05-01 01:14:10 +05:30 · 2026-04-29 16:52:04 +10:00
parent aeeef895de
commit 69be1d6fcc
9 changed files with 21 additions and 8 deletions
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -13,6 +13,7 @@ enum Role {

 enum UserStatus {
  ACTIVE
+  PENDING_EMAIL
  DISABLED
  BANNED
 }
--- a/src/actions/auth/email.ts
+++ b/src/actions/auth/email.ts
@@ -77,7 +77,7 @@ export async function requestRegistrationVerification(formData: FormData) {
    select: { id: true, email: true, status: true, emailVerifiedAt: true },
  });

-  if (user?.status === "ACTIVE" && !user.emailVerifiedAt) {
+  if (user && ["ACTIVE", "PENDING_EMAIL"].includes(user.status) && !user.emailVerifiedAt) {
    await sendRegistrationVerificationEmail({
      userId: user.id,
      email: user.email,
--- a/src/app/(admin)/admin/subscription-risk/risk-data.ts
+++ b/src/app/(admin)/admin/subscription-risk/risk-data.ts
@@ -1,4 +1,4 @@
-import type { Prisma, SubscriptionRiskEvent } from "@prisma/client";
+import type { Prisma, SubscriptionRiskEvent, UserStatus } from "@prisma/client";
 import { prisma } from "@/lib/prisma";
 import { parsePage } from "@/lib/utils";
 import {
@@ -11,7 +11,7 @@ type RiskUser = {
  id: string;
  email: string;
  name: string | null;
-  status: "ACTIVE" | "DISABLED" | "BANNED";
+  status: UserStatus;
 };

 type RiskSubscription = {
--- a/src/app/(admin)/admin/users/page.tsx
+++ b/src/app/(admin)/admin/users/page.tsx
@@ -44,6 +44,7 @@ export default async function UsersPage({
            options: [
              { label: "全部状态", value: "" },
              { label: "正常", value: "ACTIVE" },
+              { label: "待邮箱验证", value: "PENDING_EMAIL" },
              { label: "禁用", value: "DISABLED" },
              { label: "封禁", value: "BANNED" },
            ],
--- a/src/app/(admin)/admin/users/users-data.ts
+++ b/src/app/(admin)/admin/users/users-data.ts
@@ -1,4 +1,4 @@
-import type { Prisma } from "@prisma/client";
+import type { Prisma, UserStatus } from "@prisma/client";
 import { prisma } from "@/lib/prisma";
 import { parsePage } from "@/lib/utils";

@@ -31,7 +31,7 @@ export async function getAdminUsers(

  const where = {
    ...(role ? { role: role as "ADMIN" | "USER" } : {}),
-    ...(status ? { status: status as "ACTIVE" | "DISABLED" | "BANNED" } : {}),
+    ...(status ? { status: status as UserStatus } : {}),
    ...(q
      ? {
          OR: [
--- a/src/app/api/auth/register/route.ts
+++ b/src/app/api/auth/register/route.ts
@@ -90,6 +90,7 @@ export async function POST(req: Request) {
    data: {
      email,
      emailVerifiedAt: config.emailVerificationRequired ? null : new Date(),
+      status: config.emailVerificationRequired ? "PENDING_EMAIL" : "ACTIVE",
      password: hashedPassword,
      name: name || null,
      invitedById: inviterId,
--- a/src/components/shared/domain-badges.tsx
+++ b/src/components/shared/domain-badges.tsx
@@ -51,6 +51,7 @@ export const userRoleLabels: Record<Role, string> = {

 export const userStatusLabels: Record<UserStatus, string> = {
  ACTIVE: "正常",
+  PENDING_EMAIL: "待邮箱验证",
  DISABLED: "禁用",
  BANNED: "封禁",
 };
@@ -104,6 +105,7 @@ export function getSubscriptionTypeTone(type: SubscriptionType): StatusTone {

 export function getUserStatusTone(status: UserStatus): StatusTone {
  if (status === "ACTIVE") return "success";
+  if (status === "PENDING_EMAIL") return "info";
  if (status === "DISABLED") return "warning";
  return "danger";
 }
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -27,12 +27,17 @@ export const authOptions: NextAuthOptions = {
        const user = await prisma.user.findUnique({
          where: { email: credentials.email.trim().toLowerCase() },
        });
-        if (!user || user.status !== "ACTIVE") return null;
+        if (!user) return null;
        const valid = await bcrypt.compare(credentials.password, user.password);
        if (!valid) return null;
-        if (config?.emailVerificationRequired && user.role !== "ADMIN" && !user.emailVerifiedAt) {
+        if (
+          user.role !== "ADMIN" &&
+          !user.emailVerifiedAt &&
+          (config?.emailVerificationRequired || user.status === "PENDING_EMAIL")
+        ) {
          throw new Error("EMAIL_NOT_VERIFIED");
        }
+        if (user.status !== "ACTIVE") return null;
        return { id: user.id, email: user.email, name: user.name, role: user.role };
      },
    }),
--- a/src/services/email.ts
+++ b/src/services/email.ts
@@ -244,7 +244,10 @@ export async function verifyEmailToken(token: string) {
    if (!record.userId) return { ok: false as const, message: "验证链接缺少账户信息" };
    await prisma.user.update({
      where: { id: record.userId },
-      data: { emailVerifiedAt: new Date() },
+      data: {
+        emailVerifiedAt: new Date(),
+        status: "ACTIVE",
+      },
    });
    return { ok: true as const, message: "邮箱验证完成，现在可以登录账户。" };
  }