feat(auth): require email confirmation for new accounts

Updates the user registration and new account creation endpoints to require email confirmation. - Sets the 'confirmed' flag to 'false' by default for all new user accounts. - Generates a unique confirmation token for each new user. - Logs the confirmation link to the console for development purposes. This change ensures that users cannot log in without first verifying their email address, enhancing account security.
2026-01-18 16:28:33 -05:00
parent a5a76743c7
commit 6c35393f1f
7 changed files with 92 additions and 14 deletions
--- a/routes/auth/new.py
+++ b/routes/auth/new.py
@@ -1,3 +1,4 @@
+import secrets
 import random
 import string
 import os
@@ -99,6 +100,7 @@ async def register_new_customer(customer: NewCustomerCreate, db: AsyncSession =
    # Create account user
    username = account_number
    hashed_password = get_password_hash(customer.password)
+    token = secrets.token_urlsafe(32)
    db_user = Account_User(
        username=username,
        account_number=account_number,
@@ -109,13 +111,21 @@ async def register_new_customer(customer: NewCustomerCreate, db: AsyncSession =
        last_seen=datetime.utcnow(),
        admin=0,
        admin_role=0,
-        confirmed=1,
+        confirmed=0,
        active=1,
-        user_id=db_customer.id
+        user_id=db_customer.id,
+        confirmation_token=token,
+        confirmation_sent_at=datetime.utcnow()
    )
    db.add(db_user)
    await db.commit()
    await db.refresh(db_user)
+
+    # In a real application, you would send an email here
+    # For now, we'll just print the confirmation URL to the console
+    confirmation_url = f"http://localhost:3000/confirm-email?token={token}"
+    print(f"Confirmation URL: {confirmation_url}")
+    
    return db_user

@router.post("/step3")
@@ -504,7 +514,7 @@ async def create_customer_step1(customer: CustomerCreateStep1, db: AsyncSession
    customer_data.pop('house_description')  # Remove from customer data
    customer_data.update({
        'account_number': account_number,
-        'customer_state': 1,  # Default
+        'customer_state': 0,  # Default
        'customer_automatic': 0,
        'company_id': 1,  # Default
        'customer_latitude': '0',
@@ -568,6 +578,7 @@ async def create_customer_account(account_data: CustomerAccountCreate, db: Async
    # Create account user
    username = account_data.account_number
    hashed_password = get_password_hash(account_data.password)
+    token = secrets.token_urlsafe(32)
    db_user = Account_User(
        username=username,
        account_number=account_data.account_number,
@@ -578,11 +589,19 @@ async def create_customer_account(account_data: CustomerAccountCreate, db: Async
        last_seen=datetime.utcnow(),
        admin=0,
        admin_role=0,
-        confirmed=1,
+        confirmed=0,
        active=1,
-        user_id=customer.id
+        user_id=customer.id,
+        confirmation_token=token,
+        confirmation_sent_at=datetime.utcnow()
    )
    db.add(db_user)
    await db.commit()
    await db.refresh(db_user)
+
+    # In a real application, you would send an email here
+    # For now, we'll just print the confirmation URL to the console
+    confirmation_url = f"http://localhost:3000/confirm-email?token={token}"
+    print(f"Confirmation URL: {confirmation_url}")
+
    return db_user