feat: distinct error for unverified email login (#11647)

<!--

Thank you for the PR! Please go through the checklist below and make
sure you've completed all the steps.

Please review the
[CONTRIBUTING.md](https://github.com/payloadcms/payload/blob/main/CONTRIBUTING.md)
document in this repository if you haven't already.

The following items will ensure that your PR is handled as smoothly as
possible:

- PR Title must follow conventional commits format. For example, `feat:
my new feature`, `fix(plugin-seo): my fix`.
- Minimal description explained as if explained to someone not
immediately familiar with the code.
- Provide before/after screenshots or code diffs if applicable.
- Link any related issues/discussions from GitHub or Discord.
- Add review comments if necessary to explain to the reviewer the logic
behind a change

### What?

### Why?

### How?

Fixes #

-->
### What?
This PR adds a new error to be thrown when logging in while having
`verify: true` set but no email has been verified for the user yet.

### Why?
To have a more descriptive, actionable error thrown in this case as
opposed to the generic "Invalid email or password." This gives users
more insight into why the login failed.

### How?
Introducing a new error: `UnverifiedEmail` and adjusting the check to be
separate from `if (!user) { ... }`.

Fixes #11358

Notes:
- In terms of account enumeration: this should not be a concern here as
the check for throwing this error comes _after_ the check for valid args
as well as the find for the user. This means that credentials must be on
hand, both an email and password, before seeing this error.
- I have an int test written in `/test/auth/int.spec.ts` for this,
however whenever I try to commit it I get an error stating that the
`eslint@9.14.0` module was not found during `lint-staged`.

<details>
  <summary>Int test</summary>
  
  ```ts
it('should respond with unverifiedEmail if email is unverified on
login', async () => {
    await payload.create({
      collection: publicUsersSlug,
      data: {
        email: 'user@example.com',
        password: 'test',
      },
    })

const response = await restClient.POST(`/${publicUsersSlug}/login`, {
      body: JSON.stringify({
        email: 'user@example.com',
        password: 'test',
      }),
    })

    expect(response.status).toBe(403)

    const responseData = await response.json()
expect(responseData.errors[0].message).toBe('Please verify your email
before logging in.')
  })
  ```
  
</details>

Demo of toast:

![Login-Payload-03-11-2025_11_52_PM-unverified-after](https://github.com/user-attachments/assets/55112f61-1d1f-41b9-93e6-8a4d66365b81)

Author: akhrarovsaid

packages/payload/src/auth/operations/login.ts

@@ -9,7 +9,12 @@ import type { PayloadRequest, Where } from '../../types/index.js'
 import type { User } from '../types.js'
 
 import { buildAfterOperation } from '../../collections/operations/utils.js'
-import { AuthenticationError, LockedAuth, ValidationError } from '../../errors/index.js'
+import {
+  AuthenticationError,
+  LockedAuth,
+  UnverifiedEmail,
+  ValidationError,
+} from '../../errors/index.js'
 import { afterRead } from '../../fields/hooks/afterRead/index.js'
 import { Forbidden } from '../../index.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
@@ -179,10 +184,14 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
       where: whereConstraint,
     })
 
-    if (!user || (args.collection.config.auth.verify && user._verified === false)) {
+    if (!user) {
       throw new AuthenticationError(req.t, Boolean(canLoginWithUsername && sanitizedUsername))
     }
 
+    if (args.collection.config.auth.verify && user._verified === false) {
+      throw new UnverifiedEmail({ t: req.t })
+    }
+
     user.collection = collectionConfig.slug
     user._strategy = 'local-jwt'
 

packages/payload/src/errors/UnverifiedEmail.ts

@@ -0,0 +1,15 @@
+import type { TFunction } from '@payloadcms/translations'
+
+import { en } from '@payloadcms/translations/languages/en'
+import { status as httpStatus } from 'http-status'
+
+import { APIError } from './APIError.js'
+
+export class UnverifiedEmail extends APIError {
+  constructor({ t }: { t?: TFunction }) {
+    super(
+      t ? t('error:unverifiedEmail') : en.translations.error.unverifiedEmail,
+      httpStatus.FORBIDDEN,
+    )
+  }
+}

packages/payload/src/errors/index.ts

@@ -20,5 +20,6 @@ export { MissingFile } from './MissingFile.js'
 export { NotFound } from './NotFound.js'
 export { QueryError } from './QueryError.js'
 export { ReservedFieldName } from './ReservedFieldName.js'
+export { UnverifiedEmail } from './UnverifiedEmail.js'
 export { ValidationError, ValidationErrorName } from './ValidationError.js'
 export type { ValidationFieldError } from './ValidationError.js'

packages/payload/src/errors/types.ts

@@ -15,4 +15,5 @@ export type ErrorName =
   | 'MissingFile'
   | 'NotFound'
   | 'QueryError'
+  | 'UnverifiedEmail'
   | 'ValidationError'

packages/translations/src/clientKeys.ts

@@ -81,6 +81,7 @@ export const clientTranslationKeys = createClientTranslationKeys([
   'error:unauthorizedAdmin',
   'error:unknown',
   'error:unspecific',
+  'error:unverifiedEmail',
   'error:userEmailAlreadyRegistered',
   'error:usernameAlreadyRegistered',
   'error:tokenNotProvided',

packages/translations/src/languages/ar.ts

@@ -119,6 +119,7 @@ export const arTranslations: DefaultTranslationsObject = {
     unknown: 'حدث خطأ غير معروف.',
     unPublishingDocument: 'حدث خطأ أثناء إلغاء نشر هذا المستند.',
     unspecific: 'حدث خطأ.',
+    unverifiedEmail: 'يرجى التحقق من بريدك الإلكتروني قبل تسجيل الدخول.',
     userEmailAlreadyRegistered: 'يوجد مستخدم مسجل بالفعل بهذا البريد الإلكتروني.',
     userLocked: 'تمّ قفل هذا المستخدم نظرًا لوجود عدد كبير من محاولات تسجيل الدّخول الغير ناجحة.',
     usernameAlreadyRegistered: 'المستخدم بالاسم المعطى مسجل بالفعل.',

packages/translations/src/languages/az.ts

@@ -120,6 +120,7 @@ export const azTranslations: DefaultTranslationsObject = {
     unknown: 'Naməlum bir xəta baş verdi.',
     unPublishingDocument: 'Bu sənədin nəşrini ləğv etmək zamanı problem baş verdi.',
     unspecific: 'Xəta baş verdi.',
+    unverifiedEmail: 'Zəhmət olmasa, daxil olmadan əvvəl e-poçtunuzu təsdiqləyin.',
     userEmailAlreadyRegistered: 'Verilən e-poçt ünvanı ilə artıq istifadəçi qeydiyyatdan keçib.',
     userLocked: 'Bu istifadəçi çoxsaylı uğursuz giriş cəhdləri səbəbindən kilidlənib.',
     usernameAlreadyRegistered: 'Verilən istifadəçi adı ilə artıq qeydiyyatdan keçmişdir.',

packages/translations/src/languages/bg.ts

@@ -120,6 +120,7 @@ export const bgTranslations: DefaultTranslationsObject = {
     unknown: 'Неизвестна грешка.',
     unPublishingDocument: 'Имаше проблем при скриването на този документ.',
     unspecific: 'Грешка.',
+    unverifiedEmail: 'Моля, потвърдете своя имейл, преди да влезете.',
     userEmailAlreadyRegistered: 'Потребител с дадения имейл вече е регистриран.',
     userLocked: 'Този потребител има прекалено много невалидни опити за влизане и е заключен.',
     usernameAlreadyRegistered: 'Потребител със зададеното потребителско име вече е регистриран.',

packages/translations/src/languages/ca.ts

@@ -121,6 +121,7 @@ export const caTranslations: DefaultTranslationsObject = {
     unknown: "S'ha produït un error desconegut.",
     unPublishingDocument: 'Hi ha hagut un problema mentre es despublicava aquest document.',
     unspecific: "S'ha produït un error.",
+    unverifiedEmail: 'Si us plau, verifica el teu correu electrònic abans d’iniciar sessió.',
     userEmailAlreadyRegistered: 'Ja hi ha un usuari registrat amb aquest correu electrònic.',
     userLocked: "Aquest usuari està bloquejat per massa intents fallits d'inici de sessió.",
     usernameAlreadyRegistered: "Ja hi ha un usuari registrat amb aquest nom d'usuari.",

packages/translations/src/languages/cs.ts

@@ -120,6 +120,7 @@ export const csTranslations: DefaultTranslationsObject = {
     unknown: 'Došlo k neznámé chybě.',
     unPublishingDocument: 'Při zrušení publikování tohoto dokumentu došlo k chybě.',
     unspecific: 'Došlo k chybě.',
+    unverifiedEmail: 'Před přihlášením ověřte svůj e-mail.',
     userEmailAlreadyRegistered: 'Uživatel s daným e-mailem je již zaregistrován.',
     userLocked: 'Tento uživatel je uzamčen kvůli příliš mnoha neúspěšným pokusům o přihlášení.',
     usernameAlreadyRegistered: 'Uživatel se zadaným uživatelským jménem je již zaregistrován.',