Feature/ser 280 require email confirmation

.env.example

@@ -9,6 +9,9 @@ JWT_SECRET=0a6b944d-d2fb-46fc-a85e-0295c986cd9f
 AUTH_SERVICE_PUBLIC_REGISTRATION=false
 AUTH_SERVICE_REGISTRAR_SCOPES=["registrar"]
 
+AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION=false
+AUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION=true
+
 AUTH_SERVICE_JWT_MODE=hmac
 // AUTH_SERVICE_JWT_PRIVATE_KEY_PATH=private.key
 // AUTH_SERVICE_JWT_PUBLIC_KEY_PATH=private.key.pub

.env.production

@@ -7,6 +7,9 @@ JWT_SECRET=
 // AUTH_SERVICE_PORT=
 AUTH_SERVICE_ONLY_ADMIN_CAN_CREATE_USERS=false
 
+AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION=false
+AUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION=true
+
 AUTH_SERVICE_JWT_MODE=hmac
 AUTH_SERVICE_JWT_PRIVATE_KEY_PATH=private.key
 AUTH_SERVICE_JWT_PUBLIC_KEY_PATH=private.key.pub

.env.test

@@ -14,6 +14,9 @@ AUTH_SERVICE_ONLY_ADMIN_CAN_CREATE_USERS=false
 AUTH_SERVICE_PUBLIC_REGISTRATION=false
 AUTH_SERVICE_REGISTRAR_SCOPES=["registrar"]
 
+AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION=false
+AUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION=false
+
 AUTH_SERVICE_REFRESH_TOKEN_ENABLED=true
 AUTH_SERVICE_REFRESH_TOKEN_MULTIPLE_DEVICES=false
 

CHANGELOG.md

@@ -4,6 +4,9 @@
 ### Added
 - ENV `ALWAYS_INCLUDE_ERROR_STACKS` to include full error stack, including any causal errors.
   * Use with caution in production, because the full stack could leak sensitive information.
+- Optional email verification for users
+  * When `AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION=true`, a user cannot sign-in without email verification
+  * When `AUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION=true`, a user password is required for email verification
 
 ### Fixed
 - `auth.controller.js:login()` no longer throws duplicate errors for incorrect username or password

README.md

@@ -356,9 +356,11 @@ The port this server will run on.
 - When in development, by default set to `4000`, because other Amida microservices run, by default, on other `400x` ports.
 
 ##### `AUTH_SERVICE_ONLY_ADMIN_CAN_CREATE_USERS` (Deprecated)
+
 - This environment variable is no longer used. Use `AUTH_SERVICE_PUBLIC_REGISTRATION` instead.
 
 ##### `AUTH_SERVICE_PUBLIC_REGISTRATION` (Required) [`false`]
+
 - When `false`, only a user who has `admin` OR a scope defined in `AUTH_SERVICE_REGISTRAR_SCOPES` can create new users.
 - When `true`, anyone can sign up and create a new account.
 
@@ -367,7 +369,16 @@ The port this server will run on.
 - Otherwise must be JSON array of strings (Use double quotes!) I.e. `["registrar"]`. Each string is a scope that will be allowed to create users.
   - An empty array `[]` is acceptable and will allow only the `admin` scope to create users.
 
+##### `AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION [`false`]
+
+- When `true`, a user cannot sign-in without completing contact method verification process (currently only email is supported).
+
+##### `AUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION` [false`]
+
+- When `true`, a user is required to provide their password during the contact method verification process.
+
 ##### `AUTH_SERVICE_JWT_MODE` (Required) [`hmac`]
+
 - When set to `hmac`, json web tokens will use the shared-secret signing strategy, in which case `JWT_SECRET` needs to be specified on and match between this microservice and all other services that integrate with this microservice.
 - When set to `rsa`, json web tokens will use the public/private key pair signing strategy, in which case `JWT_PRIVATE_KEY` and `JWT_PUBLIC_KEY` need to be defined.