fix: correct verification request expiry logic in Login (#492)

lakhansamani · web-flow · commit 841eb625e474 · 2026-03-01T12:45:24.000+05:30
* fix: correct verification request expiry logic in Login The expiry check was inverted - non-expired verification requests were being deleted while expired ones blocked the user. Now non-expired requests correctly return 'email verification pending' and expired ones are deleted and re-sent. Fixes #481 * test: add test for login with unverified email verification pending * chore: improve err handling
diff --git a/internal/graphql/login.go b/internal/graphql/login.go
@@ -110,13 +110,15 @@ func (g *graphqlProvider) Login(ctx context.Context, params *model.LoginRequest)
 					// if verification request exists and not expired then return
 					// if verification request exists and expired then delete it and proceed
 					if vreq.ExpiresAt > time.Now().Unix() {
+						log.Debug().Msg("Email verification pending")
+						return nil, fmt.Errorf(`email verification pending`)
+					} else {
 						if err := g.StorageProvider.DeleteVerificationRequest(ctx, vreq); err != nil {
 							log.Debug().Msg("Failed to delete verification request")
-							// continue with the flow
+							return nil, err
+						} else {
+							log.Debug().Msg("Verification request deleted")
 						}
-					} else {
-						log.Debug().Msg("Email verification pending")
-						return nil, fmt.Errorf(`email verification pending`)
 					}
 				}
 				expiresAt := time.Now().Add(1 * time.Minute).Unix()
diff --git a/internal/integration_tests/login_test.go b/internal/integration_tests/login_test.go
@@ -8,8 +8,53 @@ import (
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
+// TestLoginUnverifiedEmail tests login with email verification enabled
+func TestLoginUnverifiedEmail(t *testing.T) {
+	cfg := getTestConfig()
+	cfg.IsEmailServiceEnabled = true
+	cfg.EnableEmailVerification = true
+	cfg.SMTPHost = "localhost"
+	cfg.SMTPPort = 1025
+	cfg.SMTPSenderEmail = "test@authorizer.dev"
+	cfg.SMTPSenderName = "Test"
+	cfg.SMTPLocalName = "Test"
+	cfg.SMTPSkipTLSVerification = true
+	ts := initTestSetup(t, cfg)
+	_, ctx := createContext(ts)
+
+	email := "login_unverified_" + uuid.New().String() + "@authorizer.dev"
+	password := "Password@123"
+
+	signupReq := &model.SignUpRequest{
+		Email:           &email,
+		Password:        password,
+		ConfirmPassword: password,
+	}
+	signupRes, err := ts.GraphQLProvider.SignUp(ctx, signupReq)
+	require.NoError(t, err)
+	require.NotNil(t, signupRes)
+	// User should be nil since email verification is pending
+	assert.Nil(t, signupRes.User)
+
+	t.Run("should return verification pending for unverified email", func(t *testing.T) {
+		loginReq := &model.LoginRequest{
+			Email:    &email,
+			Password: password,
+		}
+		res, err := ts.GraphQLProvider.Login(ctx, loginReq)
+		// Should get either an error or an OTP screen response
+		if err != nil {
+			assert.Contains(t, err.Error(), "verification")
+		} else {
+			// If MFA/OTP flow is triggered instead of error
+			assert.NotNil(t, res)
+		}
+	})
+}
+
 // TestLogin tests the login functionality of the Authorizer application.
 func TestLogin(t *testing.T) {
 	// Initialize test setup
