Aktueller Stand

lib/auth-helpers.ts

@@ -1,6 +1,7 @@
 import { getServerSession } from "next-auth";
 import { NextResponse } from "next/server";
 import { authOptions } from "./auth";
+import { getEmailVerificationRequired } from "./system-settings";
 
 export async function requireSession() {
   const session = await getServerSession(authOptions);
@@ -13,7 +14,8 @@ export async function requireSession() {
       response: NextResponse.json({ error: "Account nicht freigeschaltet." }, { status: 403 })
     };
   }
-  if (session.user.emailVerified === false) {
+  const emailVerificationRequired = await getEmailVerificationRequired();
+  if (emailVerificationRequired && session.user.emailVerified === false) {
     return {
       session: null,
       response: NextResponse.json({ error: "E-Mail nicht verifiziert." }, { status: 403 })

lib/auth.ts

@@ -4,6 +4,7 @@ import type { NextAuthOptions } from "next-auth";
 import CredentialsProvider from "next-auth/providers/credentials";
 import { prisma } from "./prisma";
 import { checkRateLimit, getRateLimitConfig } from "./rate-limit";
+import { getEmailVerificationRequired } from "./system-settings";
 
 const MAX_LOGIN_ATTEMPTS = 5;
 const LOGIN_WINDOW_MINUTES = 15;
@@ -139,7 +140,8 @@ export const authOptions: NextAuthOptions = {
           throw new Error("PENDING");
         }
 
-        if (!user.emailVerified) {
+        const emailVerificationRequired = await getEmailVerificationRequired();
+        if (emailVerificationRequired && !user.emailVerified) {
           throw new Error("EMAIL_NOT_VERIFIED");
         }
 

lib/system-settings.ts

@@ -8,9 +8,11 @@ export type SystemSettings = AccessSettings & {
   apiKey: string;
   provider: "google" | "osm";
   registrationEnabled: boolean;
+  emailVerificationRequired: boolean;
 };
 
 const PUBLIC_ACCESS_KEY = "public_access_enabled";
+const EMAIL_VERIFICATION_KEY = "email_verification_required";
 const LEGACY_ACCESS_KEYS = [
   "public_events_enabled",
   "anonymous_access_enabled"
@@ -18,7 +20,8 @@ const LEGACY_ACCESS_KEYS = [
 const SYSTEM_KEYS = [
   "google_places_api_key",
   "geocoding_provider",
-  "registration_enabled"
+  "registration_enabled",
+  EMAIL_VERIFICATION_KEY
 ] as const;
 
 const getSettingMap = async (keys: readonly string[]) => {
@@ -96,12 +99,24 @@ export async function getSystemSettings(): Promise<SystemSettings> {
     settings.get("registration_enabled"),
     true
   );
+  const emailVerificationRequired = readBoolean(
+    settings.get(EMAIL_VERIFICATION_KEY),
+    true
+  );
   const publicAccessEnabled = await ensurePublicAccessSetting(settings);
 
   return {
     apiKey,
     provider,
     registrationEnabled,
-    publicAccessEnabled
+    publicAccessEnabled,
+    emailVerificationRequired
   };
 }
+
+export async function getEmailVerificationRequired(): Promise<boolean> {
+  const setting = await prisma.setting.findUnique({
+    where: { key: EMAIL_VERIFICATION_KEY }
+  });
+  return setting?.value !== "false";
+}