Nariman Jelveh 1f1149e32e Block unconfirmed users from API endpoints server-side (#2916) ...

Add a default-on email confirmation gate that rejects users with
`requires_email_confirmation && !email_confirmed` on all authenticated
routes, returning 403 with `email_confirmation_required`.

Previously this was only enforced client-side via a GUI modal, meaning
direct API calls could bypass the check entirely.

Essential routes are exempted via `allowUnconfirmed: true`:
  `/whoami`, `/logout`, `/send-confirm-email`, `/confirm-email`,
  `/save_account`, `/get-anticsrf-token`, `/get-gui-token`,
  `/session/sync-cookie`, `/auth/revoke-session`,
  `/user-protected/delete-own-user`

No impact on temp users (`requires_email_confirmation` is false),
self-hosted deployments without email (flag is never set), or
unauthenticated routes (login, signup, password recovery, OIDC).

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

2026-05-05 10:08:50 -07:00

..

appTelemetry.ts

rework: change backend and backend extensions to use simpler code structure and patterns (#2815)

2026-04-30 12:13:43 -07:00

devWatcher.ts

backport devwatcher (#2861)

2026-04-30 16:23:34 -07:00

installedApps.ts

rework: change backend and backend extensions to use simpler code structure and patterns (#2815)

2026-04-30 12:13:43 -07:00

metering.ts

rework: change backend and backend extensions to use simpler code structure and patterns (#2815)

2026-04-30 12:13:43 -07:00

serverInfo.ts

rework: change backend and backend extensions to use simpler code structure and patterns (#2815)

2026-04-30 12:13:43 -07:00

thumbnails.ts

fix: selfhosted thumbnails extensions (#2905)

2026-05-04 19:56:10 -07:00

whoami.ts

Block unconfirmed users from API endpoints server-side (#2916)

2026-05-05 10:08:50 -07:00

workerSandbox.ts

rework: change backend and backend extensions to use simpler code structure and patterns (#2815)

2026-04-30 12:13:43 -07:00