Login verification request expiry logic is inverted
Bug Description
In internal/graphql/login.go:109-121, when checking email verification request expiry:
- When ExpiresAt > Now (NOT expired), the code deletes the verification request
- When expired (ExpiresAt <= Now), it blocks the user with "email verification pending"
This is backwards — it should block the user when the verification hasn't expired yet, and re-send when it has expired.
Impact
HIGH — Valid (non-expired) verification requests get deleted, and expired ones block the user permanently.
Fix
Swap the logic — return "email verification pending" when NOT expired, delete and re-send when expired.
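
The inverted check next to the swapped one, as an added example that is not the project's code from internal/graphql/login.go. The type, function and constant names are hypothetical, and ExpiresAt is assumed to hold Unix seconds; the sample requests are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what the login path does with an existing verification request.
type Action string

const (
	BlockPending  Action = "block: email verification pending"
	DeleteRequest Action = "delete request so a new one can be sent"
)

// VerificationRequest is a hypothetical record; ExpiresAt is assumed to be Unix seconds.
type VerificationRequest struct {
	Email     string
	ExpiresAt int64
}

// invertedCheck mirrors the reported behaviour: a live request is deleted,
// an expired one blocks the login.
func invertedCheck(vr VerificationRequest, now time.Time) Action {
	if vr.ExpiresAt > now.Unix() {
		return DeleteRequest
	}
	return BlockPending
}

// fixedCheck swaps the branches: block while the request is still live,
// delete (and let the caller re-send) once ExpiresAt <= now.
func fixedCheck(vr VerificationRequest, now time.Time) Action {
	if vr.ExpiresAt > now.Unix() {
		return BlockPending
	}
	return DeleteRequest
}

func main() {
	now := time.Unix(1700000000, 0) // constructed reference time
	for _, offset := range []int64{60, 0, -60} { // live, boundary, expired
		vr := VerificationRequest{Email: "user@example.com", ExpiresAt: now.Unix() + offset}
		fmt.Printf("offset %+4ds  inverted=%q  fixed=%q\n", offset, invertedCheck(vr, now), fixedCheck(vr, now))
	}
}
```

The boundary case (ExpiresAt equal to now) counts as expired, matching the ExpiresAt <= Now condition in the report.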