Prevent usage of password reset if email has not been verified yet

README.md

@@ -173,6 +173,9 @@ try {
 catch (\Delight\Auth\InvalidEmailException $e) {
     // invalid email address
 }
+catch (\Delight\Auth\EmailNotVerifiedException $e) {
+    // email not verified
+}
 catch (\Delight\Auth\TooManyRequestsException $e) {
     // too many requests
 }

src/Auth.php

@@ -690,6 +690,7 @@ class Auth {
 	 * @param int|null $requestExpiresAfter (optional) the interval in seconds after which the request should expire
 	 * @param int|null $maxOpenRequests (optional) the maximum number of unexpired and unused requests per user
 	 * @throws InvalidEmailException if the email address was invalid or could not be found
+	 * @throws EmailNotVerifiedException if the email address has not been verified yet via confirmation email
 	 * @throws TooManyRequestsException if the number of allowed attempts/requests has been exceeded
 	 * @throws AuthError if an internal problem occurred (do *not* catch)
 	 */
@@ -712,11 +713,20 @@ class Auth {
 			$maxOpenRequests = (int) $maxOpenRequests;
 		}
 
-		$userId = $this->getUserIdByEmailAddress($email);
-		$openRequests = (int) $this->getOpenPasswordResetRequests($userId);
+		$userData = $this->getUserDataByEmailAddress(
+			$email,
+			[ 'id', 'verified' ]
+		);
+
+		// ensure that the account has been verified before initiating a password reset
+		if ($userData['verified'] !== 1) {
+			throw new EmailNotVerifiedException();
+		}
+
+		$openRequests = (int) $this->getOpenPasswordResetRequests($userData['id']);
 
 		if ($openRequests < $maxOpenRequests) {
-			$this->createPasswordResetRequest($userId, $requestExpiresAfter, $callback);
+			$this->createPasswordResetRequest($userData['id'], $requestExpiresAfter, $callback);
 		}
 		else {
 			self::onTooManyRequests($requestExpiresAfter);
@@ -724,17 +734,21 @@ class Auth {
 	}
 
 	/**
-	 * Returns the user ID for the account with the specified email address (if any)
+	 * Returns the requested user data for the account with the specified email address (if any)
+	 *
+	 * You must never pass untrusted input to the parameter that takes the column list
 	 *
 	 * @param string $email the email address to look for
-	 * @return string the user ID (if an account was found)
+	 * @param array $requestColumns the columns to request from the user's record
+	 * @return array the user data (if an account was found)
 	 * @throws InvalidEmailException if the email address could not be found
 	 * @throws AuthError if an internal problem occurred (do *not* catch)
 	 */
-	private function getUserIdByEmailAddress($email) {
+	private function getUserDataByEmailAddress($email, array $requestColumns) {
 		try {
-			$userId = $this->db->selectValue(
-				'SELECT id FROM users WHERE email = ?',
+			$projection = implode(', ', $requestColumns);
+			$userData = $this->db->selectRow(
+				'SELECT ' . $projection . ' FROM users WHERE email = ?',
 				[ $email ]
 			);
 		}
@@ -742,8 +756,8 @@ class Auth {
 			throw new DatabaseError();
 		}
 
-		if (!empty($userId)) {
-			return $userId;
+		if (!empty($userData)) {
+			return $userData;
 		}
 		else {
 			throw new InvalidEmailException();

tests/index.php

@@ -138,6 +138,9 @@ function processRequestData(\Delight\Auth\Auth $auth) {
 				catch (\Delight\Auth\InvalidEmailException $e) {
 					return 'invalid email address';
 				}
+				catch (\Delight\Auth\EmailNotVerifiedException $e) {
+					return 'email not verified';
+				}
 				catch (\Delight\Auth\TooManyRequestsException $e) {
 					return 'too many requests';
 				}