fix: check for verified emails on auth'd paths

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "thatconference.com",
-	"version": "5.1.3",
+	"version": "5.1.4",
 	"description": "THATConference.com website",
 	"main": "index.js",
 	"type": "module",

src/hooks.server.js

@@ -38,6 +38,10 @@ async function authorization({ event, resolve }) {
 			}
 			throw redirect(303, `/login-redirect?returnTo=${toPath}`);
 		}
+
+		if (!session.user.sub.startsWith('twitter') && session.user?.emailVerified === false) {
+			throw redirect(307, `/verify-account`);
+		}
 	}
 
 	return resolve(event);
@@ -71,14 +75,19 @@ const authConfig = {
 			if (url.startsWith('/')) return `${baseUrl}${url}`;
 			// Allows callback URLs on the same origin
 			else if (new URL(url).origin === baseUrl) return url;
+
 			return baseUrl;
 		},
 		jwt(jwtGoo) {
-			const { account, token } = jwtGoo;
+			const { account, token, profile } = jwtGoo;
 			if (account) {
 				token.accessToken = account.access_token;
 				token.idToken = account.id_token;
 			}
+			if (profile) {
+				token.emailVerified = profile.email_verified;
+			}
+
 			return token;
 		},
 		session(sessionGoo) {
@@ -87,13 +96,15 @@ const authConfig = {
 			session.idToken = token.idToken;
 			session.user.id = token.sub;
 			session.user.sub = token.sub;
+			session.user.emailVerified = token.emailVerified;
 			const payload = parseOnly(token.accessToken);
 			if (payload) {
 				const { permissions } = payload;
 				if (permissions && Array.isArray(permissions)) {
 					session.user.permissions = permissions;
 				}
 			}
+
 			return session;
 		}
 	}