feat: restrict app access for unverified users

2025-11-14 00:32:43 +10:00 · 2024-01-16 14:25:05 +02:00
parent b09071ebc7
commit 4aefb80989
9 changed files with 181 additions and 5 deletions
--- a/packages/lib/next-auth/auth-options.ts
+++ b/packages/lib/next-auth/auth-options.ts
@ -10,6 +10,7 @@ import GoogleProvider from 'next-auth/providers/google';

 import { prisma } from '@documenso/prisma';

+import { ONE_DAY } from '../constants/time';
 import { isTwoFactorAuthenticationEnabled } from '../server-only/2fa/is-2fa-availble';
 import { validateTwoFactorAuthentication } from '../server-only/2fa/validate-2fa';
 import { getUserByEmail } from '../server-only/user/get-user-by-email';
@ -69,6 +70,17 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
          }
        }

+        const userCreationDate = user?.createdAt;
+        const createdWithinLast72Hours = userCreationDate > new Date(Date.now() - ONE_DAY * 3);
+
+        /*
+          avoid messing with the users who signed up before the email verification requirement
+          the error is thrown only if the user doesn't have a verified email and the account was created within the last 72 hours
+        */
+        if (!user.emailVerified && createdWithinLast72Hours) {
+          throw new Error(ErrorCode.UNVERIFIED_EMAIL);
+        }
+
        return {
          id: Number(user.id),
          email: user.email,
--- a/packages/lib/next-auth/error-codes.ts
+++ b/packages/lib/next-auth/error-codes.ts
@ -19,4 +19,5 @@ export const ErrorCode = {
  INCORRECT_PASSWORD: 'INCORRECT_PASSWORD',
  MISSING_ENCRYPTION_KEY: 'MISSING_ENCRYPTION_KEY',
  MISSING_BACKUP_CODE: 'MISSING_BACKUP_CODE',
+  UNVERIFIED_EMAIL: 'UNVERIFIED_EMAIL',
 } as const;
--- a/packages/lib/server-only/user/get-user-by-email.ts
+++ b/packages/lib/server-only/user/get-user-by-email.ts
@ -9,5 +9,8 @@ export const getUserByEmail = async ({ email }: GetUserByEmailOptions) => {
    where: {
      email: email.toLowerCase(),
    },
+    include: {
+      VerificationToken: true,
+    },
  });
 };
--- a/packages/lib/server-only/user/get-user-by-verification-token.ts
+++ b/packages/lib/server-only/user/get-user-by-verification-token.ts
@ -0,0 +1,17 @@
+import { prisma } from '@documenso/prisma';
+
+export interface GetUserByVerificationTokenOptions {
+  token: string;
+}
+
+export const getUserByVerificationToken = async ({ token }: GetUserByVerificationTokenOptions) => {
+  return await prisma.user.findFirstOrThrow({
+    where: {
+      VerificationToken: {
+        some: {
+          token,
+        },
+      },
+    },
+  });
+};
--- a/packages/trpc/server/profile-router/router.ts
+++ b/packages/trpc/server/profile-router/router.ts
@ -1,7 +1,9 @@
 import { TRPCError } from '@trpc/server';

 import { forgotPassword } from '@documenso/lib/server-only/user/forgot-password';
+import { getUserByEmail } from '@documenso/lib/server-only/user/get-user-by-email';
 import { getUserById } from '@documenso/lib/server-only/user/get-user-by-id';
+import { getUserByVerificationToken } from '@documenso/lib/server-only/user/get-user-by-verification-token';
 import { resetPassword } from '@documenso/lib/server-only/user/reset-password';
 import { sendConfirmationToken } from '@documenso/lib/server-only/user/send-confirmation-token';
 import { updatePassword } from '@documenso/lib/server-only/user/update-password';
@ -12,7 +14,9 @@ import {
  ZConfirmEmailMutationSchema,
  ZForgotPasswordFormSchema,
  ZResetPasswordFormSchema,
+  ZRetrieveUserByEmailMutationSchema,
  ZRetrieveUserByIdQuerySchema,
+  ZRetrieveUserByVerificationTokenQuerySchema,
  ZUpdatePasswordMutationSchema,
  ZUpdateProfileMutationSchema,
 } from './schema';
@ -31,6 +35,36 @@ export const profileRouter = router({
    }
  }),

+  getUserByEmail: procedure
+    .input(ZRetrieveUserByEmailMutationSchema)
+    .mutation(async ({ input }) => {
+      try {
+        const { email } = input;
+
+        return await getUserByEmail({ email });
+      } catch (err) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'We were unable to retrieve the specified account. Please try again.',
+        });
+      }
+    }),
+
+  getUserFromVerificationToken: procedure
+    .input(ZRetrieveUserByVerificationTokenQuerySchema)
+    .query(async ({ input }) => {
+      try {
+        const { token } = input;
+
+        return await getUserByVerificationToken({ token });
+      } catch (err) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'We were unable to retrieve the specified account. Please try again.',
+        });
+      }
+    }),
+
  updateProfile: authenticatedProcedure
    .input(ZUpdateProfileMutationSchema)
    .mutation(async ({ input, ctx }) => {
--- a/packages/trpc/server/profile-router/schema.ts
+++ b/packages/trpc/server/profile-router/schema.ts
@ -4,6 +4,14 @@ export const ZRetrieveUserByIdQuerySchema = z.object({
  id: z.number().min(1),
 });

+export const ZRetrieveUserByEmailMutationSchema = z.object({
+  email: z.string().email().min(1),
+});
+
+export const ZRetrieveUserByVerificationTokenQuerySchema = z.object({
+  token: z.string().min(1),
+});
+
 export const ZUpdateProfileMutationSchema = z.object({
  name: z.string().min(1),
  signature: z.string(),