Symptom
User signs up via Google → user doc created with `emailVerified: false` (schema default, `users.schema.js:41`). Any downstream flow gated on `emailVerified` (mailer opt-in, restricted features) treats the user as unverified, even though Google guarantees the email.
Root cause
`modules/auth/strategies/local/google.js:27-34` and `apple.js:31-38` — the `_profile` object passed to `checkOAuthUserProfile` does not include `emailVerified`. Schema default is `false`.
Fix
In both `google.js` and `apple.js`, add to `_profile`:
```js
emailVerified: true,
```
Google always returns `email_verified: true` in the ID token when email scope is granted (verify it via `profile._json.email_verified` to be defensive — reject signin if `false`, which would indicate a rare edge case of unverified Google address).
Apple always returns verified emails.
Impact
Medium — cosmetic if no feature gates on `emailVerified`, annoying if any do.
Symptom
User signs up via Google → user doc created with `emailVerified: false` (schema default, `users.schema.js:41`). Any downstream flow gated on `emailVerified` (mailer opt-in, restricted features) treats the user as unverified, even though Google guarantees the email.
Root cause
`modules/auth/strategies/local/google.js:27-34` and `apple.js:31-38` — the `_profile` object passed to `checkOAuthUserProfile` does not include `emailVerified`. Schema default is `false`.
Fix
In both `google.js` and `apple.js`, add to `_profile`:
```js
emailVerified: true,
```
Google always returns `email_verified: true` in the ID token when email scope is granted (verify it via `profile._json.email_verified` to be defensive — reject signin if `false`, which would indicate a rare edge case of unverified Google address).
Apple always returns verified emails.
Impact
Medium — cosmetic if no feature gates on `emailVerified`, annoying if any do.