Add email verification flow

[Copilot]

Users can sign up but cannot log in until their email address is verified. Verification uses the same SHA-256 hash-of-random-token pattern as API keys.

auth package

• User gains EmailVerified bool
• ErrEmailNotVerified sentinel added
• EmailVerificationToken struct and EmailVerificationStore interface:
  • CreateEmailVerification — stores SHA-256 hash of plaintext token
  • ConsumeEmailVerification — single-use lookup-and-delete by hash; returns sql.ErrNoRows when not found
  • SetEmailVerified — marks user verified

handler package

EmailVerificationHandler (new file) — two public endpoints:

• SendVerification (POST) — generates 32-byte random token, stores hash, calls SendEmail(ctx, to, plaintext). Always returns 200 regardless of whether the address is registered.
• VerifyEmail (GET ?token=…) — re-hashes token, consumes record, checks expiry, calls SetEmailVerified.

AuthHandler changes:

• RequireVerification bool — when set, Login returns 403 for unverified users.
• UserDTO gains email_verified JSON field.

Usage sketch

verHandler := &handler.EmailVerificationHandler{
    Users:         userStore,
    Verifications: verificationStore,
    SendEmail: func(ctx context.Context, to, token string) error {
        link := "https://example.com/verify-email?token=" + token
        // format and send via smtp.Send(...)
    },
}

authHandler := &handler.AuthHandler{
    Users:               userStore,
    JWT:                 jwtManager,
    RequireVerification: true,
}

// Routes (router-agnostic):
// POST /verify-email/send  → verHandler.SendVerification
// GET  /verify-email       → verHandler.VerifyEmail

[Copilot]

Pull request overview

Adds an email verification flow to the auth/handler layers so applications can require users to verify their email before logging in.

Changes:

• Introduces EmailVerificationHandler with endpoints to send and verify email verification tokens.
• Extends auth.User / handler.UserDTO with EmailVerified and blocks login when AuthHandler.RequireVerification is enabled.
• Adds EmailVerificationToken + EmailVerificationStore interface, plus new handler-level tests covering the flow.

Show a summary per file

File	Description
handler/email_verification.go	New HTTP endpoints for sending/consuming verification tokens and marking users verified.
handler/email_verification_test.go	New tests for send/verify endpoints and RequireVerification login behavior.
handler/auth.go	Adds RequireVerification gate in Login and exposes email_verified in UserDTO.
auth/types.go	Adds EmailVerified, new sentinel error, and email verification store/token types.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 4

[Copilot]

AuthHandler now includes an exported Verifications field that is not used anywhere in this file. Leaving unused exported fields increases API surface and (because this is a public struct) creates avoidable compatibility risk for any consumers using positional composite literals. Consider removing this field until it’s needed, or wiring it into behavior in this PR.

Suggested change

	Users auth.UserStore
	JWT *auth.JWTManager
	CookieName string
	SecureCookies bool
	DisableSignup bool
	RequireVerification bool
	Verifications auth.EmailVerificationStore
	Users auth.UserStore
	JWT *auth.JWTManager
	CookieName string
	SecureCookies bool
	DisableSignup bool
	RequireVerification bool