portal: enforce Keycloak required actions

2026-01-03 21:45:29 -03:00 · 2026-01-03 21:45:29 -03:00 · 24fc02ff1f
commit 24fc02ff1f
parent d62ac0fd45
1 changed files with 6 additions and 2 deletions
--- a/backend/atlas_portal/provisioning.py
+++ b/backend/atlas_portal/provisioning.py
@ -181,12 +181,16 @@ def provision_access_request(request_code: str) -> ProvisionResult:
                    email = contact_email.strip()
                    if not email:
                        raise RuntimeError("missing verified email address")
+                    email_is_verified = bool(email_verified_at)
+                    required_actions = ["UPDATE_PASSWORD", "CONFIGURE_TOTP"]
+                    if not email_is_verified:
+                        required_actions.append("VERIFY_EMAIL")
                    payload = {
                        "username": username,
                        "enabled": True,
                        "email": email,
-                        "emailVerified": bool(email_verified_at),
-                        "requiredActions": ["CONFIGURE_TOTP"],
+                        "emailVerified": email_is_verified,
+                        "requiredActions": required_actions,
                        "attributes": {MAILU_EMAIL_ATTR: [mailu_email]},
                    }
                    created_id = admin_client().create_user(payload)