From 6bfa29883613bd0cf93b9a269dec7970e6105233 Mon Sep 17 00:00:00 2001
From: Marco <marco1@live.de>
Date: Mon, 12 Dec 2016 20:58:37 +0100
Subject: [PATCH] Prevent usage of password reset if email has not been
 verified yet

---
 README.md       | 3 +++
 src/Auth.php    | 9 ++++++++-
 tests/index.php | 3 +++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index d2b16bf..5fab743 100644
--- a/README.md
+++ b/README.md
@@ -173,6 +173,9 @@ try {
 catch (\Delight\Auth\InvalidEmailException $e) {
     // invalid email address
 }
+catch (\Delight\Auth\EmailNotVerifiedException $e) {
+    // email not verified
+}
 catch (\Delight\Auth\TooManyRequestsException $e) {
     // too many requests
 }
diff --git a/src/Auth.php b/src/Auth.php
index 82d203f..47a7296 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -690,6 +690,7 @@ class Auth {
 	 * @param int|null $requestExpiresAfter (optional) the interval in seconds after which the request should expire
 	 * @param int|null $maxOpenRequests (optional) the maximum number of unexpired and unused requests per user
 	 * @throws InvalidEmailException if the email address was invalid or could not be found
+	 * @throws EmailNotVerifiedException if the email address has not been verified yet via confirmation email
 	 * @throws TooManyRequestsException if the number of allowed attempts/requests has been exceeded
 	 * @throws AuthError if an internal problem occurred (do *not* catch)
 	 */
@@ -714,8 +715,14 @@ class Auth {
 
 		$userData = $this->getUserDataByEmailAddress(
 			$email,
-			[ 'id' ]
+			[ 'id', 'verified' ]
 		);
+
+		// ensure that the account has been verified before initiating a password reset
+		if ($userData['verified'] !== 1) {
+			throw new EmailNotVerifiedException();
+		}
+
 		$openRequests = (int) $this->getOpenPasswordResetRequests($userData['id']);
 
 		if ($openRequests < $maxOpenRequests) {
diff --git a/tests/index.php b/tests/index.php
index 7301746..1599f78 100644
--- a/tests/index.php
+++ b/tests/index.php
@@ -138,6 +138,9 @@ function processRequestData(\Delight\Auth\Auth $auth) {
 				catch (\Delight\Auth\InvalidEmailException $e) {
 					return 'invalid email address';
 				}
+				catch (\Delight\Auth\EmailNotVerifiedException $e) {
+					return 'email not verified';
+				}
 				catch (\Delight\Auth\TooManyRequestsException $e) {
 					return 'too many requests';
 				}