From b2d79e707643f9612d9a2921d9b7dc0f273af360 Mon Sep 17 00:00:00 2001
From: ice-cronus <105345303+ice-cronus@users.noreply.github.com>
Date: Thu, 18 Jan 2024 13:12:11 +0300
Subject: [PATCH] allow users who signed in with password but verified email
---
 auth/internal/firebase/auth.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/auth/internal/firebase/auth.go b/auth/internal/firebase/auth.go
index f7223e3..17bdce3 100644
--- a/auth/internal/firebase/auth.go
+++ b/auth/internal/firebase/auth.go
@@ -57,7 +57,13 @@ func (a *auth) VerifyToken(ctx context.Context, token string) (*internal.Token,
 return nil, errors.Wrap(vErr, "error verifying firebase token")
 }
 if (!a.allowEmailPassword) && firebaseToken.Firebase.SignInProvider == passwordSignInProvider {
- return nil, errors.Wrapf(ErrForbidden, "%v sign_in_provider is not allowed", firebaseToken.Firebase.SignInProvider)
+ emailVerified := false
+ if emailVerifiedInterface, found := firebaseToken.Claims["email_verified"]; found {
+ emailVerified, _ = emailVerifiedInterface.(bool) //nolint:errcheck,revive // Not needed.
+ }
+ if !emailVerified {
+ return nil, errors.Wrapf(ErrForbidden, "%v sign_in_provider is not allowed without verified email", firebaseToken.Firebase.SignInProvider)
+ }
 }
 var email, role string
 userID := firebaseToken.UID
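Review bot: With this branch, `allowEmailPassword == false` no longer rejects password sign-ins outright; it rejects only tokens without a true `email_verified` claim, so a deployment that relied on the flag to exclude the password provider now admits those accounts with no configuration change. If the widening is intended, state the new contract at the branch, e.g. `// Password sign-in is accepted here only when the token's email_verified claim is true; a missing or non-bool claim counts as unverified.`, and consider a separate opt-in setting instead of redefining the existing one (where the flag is set is outside this hunk, so this should be checked against its callers). The claim lookup fails closed, which is the right default, but the `found` test and the `//nolint` can both go by using the assertion result: `if verified, ok := firebaseToken.Claims["email_verified"].(bool); !ok || !verified {` followed by the existing `return`. A test covering the missing, non-bool and `false` claim cases would pin that behaviour. VerifyToken's body starts and ends outside the hunk.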