portal: require Keycloak VERIFY_EMAIL

2026-01-04 00:40:48 -03:00 · 2026-01-04 00:40:48 -03:00 · 6375e87d2a
commit 6375e87d2a
parent 24fc02ff1f
1 changed files with 4 additions and 5 deletions
--- a/backend/atlas_portal/provisioning.py
+++ b/backend/atlas_portal/provisioning.py
@ -181,15 +181,14 @@ def provision_access_request(request_code: str) -> ProvisionResult:
                    email = contact_email.strip()
                    if not email:
                        raise RuntimeError("missing verified email address")
-                    email_is_verified = bool(email_verified_at)
-                    required_actions = ["UPDATE_PASSWORD", "CONFIGURE_TOTP"]
-                    if not email_is_verified:
-                        required_actions.append("VERIFY_EMAIL")
+                    # Always enforce email verification in Keycloak itself (even if the portal
+                    # already verified an external email before approval).
+                    required_actions = ["UPDATE_PASSWORD", "VERIFY_EMAIL", "CONFIGURE_TOTP"]
                    payload = {
                        "username": username,
                        "enabled": True,
                        "email": email,
-                        "emailVerified": email_is_verified,
+                        "emailVerified": False,
                        "requiredActions": required_actions,
                        "attributes": {MAILU_EMAIL_ATTR: [mailu_email]},
                    }