From ac1aea23dc08253fe73f13cc29cbe6d6773ad348 Mon Sep 17 00:00:00 2001
From: Elliot DeNolf
Date: Sat, 19 Sep 2020 14:29:19 -0400
Subject: [PATCH] only allow verified accounts to login
---
 demo/collections/Admin.js | 1 +
 src/auth/operations/login.js | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/demo/collections/Admin.js b/demo/collections/Admin.js
index 11f7f83817..a2f3c53d08 100644
--- a/demo/collections/Admin.js
+++ b/demo/collections/Admin.js
@@ -21,6 +21,7 @@ module.exports = {
 },
 auth: {
 tokenExpiration: 7200,
+ emailVerification: false,
 useAPIKey: true,
 cookies: {
 secure: process.env.NODE_ENV === 'production',
diff --git a/src/auth/operations/login.js b/src/auth/operations/login.js
index de32108c7b..f53a078a7d 100644
--- a/src/auth/operations/login.js
+++ b/src/auth/operations/login.js
@@ -32,9 +32,9 @@ async function login(args) {
 const userDoc = await Model.findByUsername(email);
-
- if (!userDoc) throw new AuthenticationError();
-
+ if (!userDoc || (args.collection.config.auth.emailVerification && !userDoc.verified)) {
+ throw new AuthenticationError();
+ }
 const authResult = await userDoc.authenticate(password);
 if (!authResult.user) {
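Review bot: The verified check is enforced only in `login()`, and the diffstat shows no other auth path touched, so accounts that authenticate another way may still get in unverified; the demo collection in the same patch keeps `useAPIKey: true`, and whether that path checks `verified` is not visible here and is worth confirming before relying on `emailVerification` as a gate. In the new condition, `!userDoc.verified` also treats a missing field as unverified, so accounts created before the flag was switched on would presumably be locked out until they are backfilled. Throwing the same `AuthenticationError` before `userDoc.authenticate(password)` keeps unknown and unverified accounts indistinguishable in the response, which deserves a comment such as `// Same error for unknown and unverified accounts so the response does not reveal which case applies`. The body of `login` starts and ends outside the hunk.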