VerifyEmail HTTP handler accepts roles from query string without validation
Bug Description
In internal/http_handlers/verify_email.go:96-102, roles for the auth token come from the ?roles= query parameter without any validation against the user's stored roles. An attacker can append ?roles=admin to the email verification link to escalate privileges.
Impact
HIGH — Privilege escalation via query parameter manipulation on email verification links.
Fix
Validate the roles from the query string against the user's stored roles before using them, similar to how the Login handler validates roles.
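A sketch of the check described in the fix, added here as an example and not taken from the project's code. The helper name resolveTokenRoles, the comma-separated format of the roles parameter, and the fallback to stored roles when none are requested are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRoleNotGranted marks a requested role the user does not hold.
var ErrRoleNotGranted = errors.New("requested role is not assigned to user")

// resolveTokenRoles is a hypothetical helper, not a function from the project.
// rawQuery is the raw ?roles= value (assumed comma-separated); storedRoles are
// the roles persisted for the user. Matching is exact and case-sensitive.
func resolveTokenRoles(rawQuery string, storedRoles []string) ([]string, error) {
	allowed := make(map[string]bool, len(storedRoles))
	for _, r := range storedRoles {
		allowed[r] = true
	}
	seen := make(map[string]bool)
	var granted []string
	for _, r := range strings.Split(rawQuery, ",") {
		r = strings.TrimSpace(r)
		if r == "" {
			continue
		}
		if !allowed[r] {
			// Reject the whole request instead of silently dropping the role.
			return nil, fmt.Errorf("%w: %q", ErrRoleNotGranted, r)
		}
		if !seen[r] {
			seen[r] = true
			granted = append(granted, r)
		}
	}
	if len(granted) == 0 {
		// Assumption: with no roles requested, use the stored roles, never caller input.
		return append([]string(nil), storedRoles...), nil
	}
	return granted, nil
}

func main() {
	stored := []string{"user", "editor"} // constructed sample data
	for _, q := range []string{"user", "", "user,admin"} {
		roles, err := resolveTokenRoles(q, stored)
		fmt.Printf("roles=%q -> %v, err=%v\n", q, roles, err)
	}
}
```

The handler would call such a check before building the token and fail the verification request on error, so a tampered link yields no token at all.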