Adds ability to prevent login with unverified emails

README.md

@@ -209,6 +209,8 @@ var server = ParseServer({
   ...otherOptions,
   // Enable email verification
   verifyUserEmails: true,
+  // allows user to login only after email verification
+  allowLoginForUnverifiedEmail: false, // defaults to true
   // The public URL of your app.
   // This will appear in the link that is used to verify email addresses and reset passwords.
   // Set the mount path as it is in serverURL

src/Config.js

@@ -36,6 +36,7 @@ export class Config {
     this.serverURL = cacheInfo.serverURL;
     this.publicServerURL = removeTrailingSlash(cacheInfo.publicServerURL);
     this.verifyUserEmails = cacheInfo.verifyUserEmails;
+    this.allowLoginForUnverifiedEmail = cacheInfo.allowLoginForUnverifiedEmail;
     this.appName = cacheInfo.appName;
 
     this.cacheController = cacheInfo.cacheController;
@@ -61,11 +62,13 @@ export class Config {
     revokeSessionOnPasswordReset,
     expireInactiveSessions,
     sessionLength,
+    allowLoginForUnverifiedEmail,
   }) {
     this.validateEmailConfiguration({
       verifyUserEmails: verifyUserEmails,
       appName: appName,
-      publicServerURL: publicServerURL
+      publicServerURL: publicServerURL,
+      allowLoginForUnverifiedEmail: allowLoginForUnverifiedEmail,
     })
 
     if (typeof revokeSessionOnPasswordReset !== 'boolean') {
@@ -81,7 +84,7 @@ export class Config {
     this.validateSessionConfiguration(sessionLength, expireInactiveSessions);
   }
 
-  static validateEmailConfiguration({verifyUserEmails, appName, publicServerURL}) {
+  static validateEmailConfiguration({verifyUserEmails, appName, publicServerURL, allowLoginForUnverifiedEmail}) {
     if (verifyUserEmails) {
       if (typeof appName !== 'string') {
         throw 'An app name is required when using email verification.';
@@ -90,6 +93,9 @@ export class Config {
         throw 'A public server url is required when using email verification.';
       }
     }
+    if (!allowLoginForUnverifiedEmail && !verifyUserEmails) {
+      throw 'You can disallow login for unverified email only if the verifyUserEmails flag is set to true';
+    }
   }
 
   get mount() {

src/ParseServer.js

@@ -117,6 +117,7 @@ class ParseServer {
     serverURL = requiredParameter('You must provide a serverURL!'),
     maxUploadSize = '20mb',
     verifyUserEmails = false,
+    allowLoginForUnverifiedEmail = true,
     cacheAdapter,
     emailAdapter,
     publicServerURL,
@@ -231,6 +232,7 @@ class ParseServer {
       hooksController: hooksController,
       userController: userController,
       verifyUserEmails: verifyUserEmails,
+      allowLoginForUnverifiedEmail: allowLoginForUnverifiedEmail,
       allowClientClassCreation: allowClientClassCreation,
       authDataManager: authDataManager(oauth, enableAnonymousUsers),
       appName: appName,

src/Routers/UsersRouter.js

@@ -83,6 +83,11 @@ export class UsersRouter extends ClassesRouter {
           throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
         }
         user = results[0];
+
+        if (req.config.verifyUserEmails && !req.config.allowLoginForUnverifiedEmail && !user.emailVerified) {
+          throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
+        }
+
         return passwordCrypto.compare(req.body.password, user.password);
       }).then((correct) => {
 

src/cli/cli-definitions.js

@@ -146,6 +146,11 @@ export default {
     help: "Enable (or disable) user email validation, defaults to false",
     action: booleanParser
   },
+  "allowLoginForUnverifiedEmail": {
+    env: "PARSE_SERVER_ALLOW_LOGIN_FOR_UNVERIFIED_EMAIL",
+    help: "Allow login even if the users email is not verified, defaults to true",
+    action: booleanParser
+  },
   "appName": {
     env: "PARSE_SERVER_APP_NAME",
     help: "Sets the app name"