e2b-dev · tomassrnka · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025
@@ -1,7 +1,8 @@
 import { AUTH_URLS, PROTECTED_URLS } from '@/configs/urls'
+import { USER_MESSAGES } from '@/configs/user-messages'
 import { l } from '@/lib/clients/logger/logger'
 import { createClient } from '@/lib/clients/supabase/server'
-import { encodedRedirect } from '@/lib/utils/auth'
+import { encodedRedirect, isOAuthEmailVerified } from '@/lib/utils/auth'
 import { redirect } from 'next/navigation'
 import { serializeError } from 'serialize-error'
 
@@ -57,6 +58,59 @@ export async function GET(request: Request) {
         },
         `OTP successfully exchanged for user session`
       )
+
+      // Check email verification only for new users (signup)
+      // Existing users with linked identities can sign in with any provider
+      const isNewUser = data.user.identities?.length === 1
+
+      if (isNewUser) {
+        const emailVerification = isOAuthEmailVerified(data.user)
+
+        if (!emailVerification.verified) {
+          l.warn(
+            {
+              key: 'auth_callback:email_not_verified',
+              user_id: data.user.id,
+              provider: emailVerification.provider,
+              reason: emailVerification.reason,
+            },
+            `User OAuth email not verified: ${emailVerification.reason}`
+          )
+
+          // Sign out the user since they don't have a verified email
+          await supabase.auth.signOut()
+
+          // Redirect with appropriate error message based on provider
+          let errorMessage: string
+          if (emailVerification.provider === 'google') {
+            errorMessage = USER_MESSAGES.googleEmailNotVerified.message
+          } else if (emailVerification.provider === 'github') {
+            errorMessage = USER_MESSAGES.githubEmailNotVerified.message
+          } else if (emailVerification.provider) {
+            errorMessage = USER_MESSAGES.oauthEmailNotVerified.message
+          } else {
+            errorMessage = USER_MESSAGES.genericEmailNotVerified.message
+          }
+
+          throw encodedRedirect('error', AUTH_URLS.SIGN_IN, errorMessage)
+        }
+
+        l.info(
+          {
+            key: 'auth_callback:email_verified',
+            user_id: data.user.id,
+          },
+          `User OAuth email verified successfully`
+        )
+      } else {
+        l.info(
+          {
+            key: 'auth_callback:existing_user',
+            user_id: data.user.id,
+          },
+          `Existing user sign-in, skipping email verification check`
+        )
+      }
     }
   }
 

@@ -72,6 +72,26 @@ export const USER_MESSAGES = {
   checkCredentials: {
     message: 'Please check your credentials.',
   },
+  googleEmailNotVerified: {
+    message:
+      'Your Google account email is not verified. Please verify your email with Google and try again.',
+    timeoutMs: 30000,
+  },
+  githubEmailNotVerified: {
+    message:
+      'Your GitHub email is not verified. Please verify your email with GitHub and try again.',
+    timeoutMs: 30000,
+  },
+  oauthEmailNotVerified: {
+    message:
+      'Your email is not verified. Please verify your email and try again.',
+    timeoutMs: 30000,
+  },
+  genericEmailNotVerified: {
+    message:
+      'Your email is not verified. Please verify your email and try again.',
+    timeoutMs: 30000,
+  },
 }
 
 export const getTimeoutMsFromUserMessage = (

@@ -28,3 +28,80 @@ export function encodedRedirect(
 export function getUserProviders(user: User) {
   return user.app_metadata.providers as string[] | undefined
 }
+
+/**
+ * Checks if a user's email is verified based on their OAuth provider's identity data.
+ * Intended for use at signup when user has exactly one identity.
+ * @param {User} user - The Supabase user object
+ * @returns {{ verified: boolean, provider?: string, reason?: string }} - Verification status and details
+ */
+export function isOAuthEmailVerified(user: User): {
+  verified: boolean
+  provider?: string
+  reason?: string
+} {
+  // Get the user's identities (OAuth providers they've signed in with)
+  const identities = user.identities || []
+
+  if (identities.length === 0) {
+    // Email/password user - consider verified if email_confirmed_at is set
+    return {
+      verified: !!user.email_confirmed_at,
+      reason: user.email_confirmed_at
+        ? 'Email confirmed'
+        : 'Email not confirmed',
+    }
+  }
+
+  // Check the first identity (at signup, there's only one)
+  const identity = identities[0]
+  if (!identity) {
+    return { verified: false, reason: 'No identity found' }
+  }
+
+  const provider = identity.provider
+  const identityData = identity.identity_data
+
+  if (!identityData) {
+    return {
+      verified: false,
+      provider,
+      reason: 'No identity data available',
+    }
+  }
+
+  switch (provider) {
+    case 'google':
+      // Google provides email_verified field
+      // Require explicit true - fail closed if undefined/null/false
+      if (identityData.email_verified !== true) {
+        return {
+          verified: false,
+          provider: 'google',
+          reason: 'Google email not verified',
+        }
+      }
+      break
+
+    case 'github':
+      // GitHub provides verified field (for email verification)
+      // Note: GitHub returns the primary email's verification status
+      // Require explicit true - fail closed if undefined/null/false
+      if (identityData.verified !== true) {
+        return {
+          verified: false,
+          provider: 'github',
+          reason: 'GitHub email not verified',
+        }
+      }
+      break
+
+    // Add other providers as needed
+    default:
+      // For other OAuth providers, assume verified if they have an email
+      break
+  }
+
+  // If we get here, the check passed
+  return { verified: true, provider }
+}