Don't hand out auth tokens if they're not verified

server/auth.go

@@ -41,6 +41,10 @@ func (s *Server) getAuthToken(w http.ResponseWriter, req *http.Request) {
 		errorJson(w, http.StatusUnauthorized, "No match for email and password")
 		return
 	}
+	if err == store.ErrNotVerified {
+		errorJson(w, http.StatusUnauthorized, "Account is not verified")
+		return
+	}
 	if err != nil {
 		internalServiceErrorJson(w, err, "Error getting User Id")
 		return

server/auth_test.go

@@ -69,6 +69,14 @@ func TestServerAuthHandlerErrors(t *testing.T) {
 
 			storeErrors: TestStoreFunctionsErrors{GetUserId: store.ErrWrongCredentials},
 		},
+		{
+			name:                "unverified account",
+			email:               "abc@example.com",
+			expectedStatusCode:  http.StatusUnauthorized,
+			expectedErrorString: http.StatusText(http.StatusUnauthorized) + ": Account is not verified",
+
+			storeErrors: TestStoreFunctionsErrors{GetUserId: store.ErrNotVerified},
+		},
 		{
 			name:                "generate token fail",
 			email:               "abc@example.com",

store/store.go

@@ -30,6 +30,7 @@ var (
 	ErrDuplicateAccount = fmt.Errorf("User already has an account")
 
 	ErrWrongCredentials = fmt.Errorf("No match for email and password")
+	ErrNotVerified = fmt.Errorf("User account is not verified")
 )
 
 // For test stubs