feat: add email status check to verify page

Security Enhancement: - Server-side validation of email status before allowing verification - Only allow verifying emails in VerificationPending state - Show "Action not possible" message for invalid states - Extract and validate share-id on server side - Return 404 for invalid share-ids or missing tenant emails Implementation: - Convert page.tsx to async server component - Fetch location and check tenantEmailStatus - Pass isPending prop to client component - Add bilingual "not-allowed" translations (same as unsubscribe page) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-29 20:54:14 +01:00
parent ff6f8890c5
commit db9c57472d
4 changed files with 54 additions and 2 deletions
--- a/web-app/app/[locale]/email/verify/[id]/EmailVerifyPage.tsx
+++ b/web-app/app/[locale]/email/verify/[id]/EmailVerifyPage.tsx
@@ -7,9 +7,10 @@ import { CheckCircleIcon } from '@heroicons/react/24/outline';

 interface EmailVerifyPageProps {
    shareId: string;
+    isPending: boolean;
 }

-export default function EmailVerifyPage({ shareId }: EmailVerifyPageProps) {
+export default function EmailVerifyPage({ shareId, isPending }: EmailVerifyPageProps) {
    const t = useTranslations('email-verify-page');
    const [isVerifying, setIsVerifying] = useState(false);
    const [isVerified, setIsVerified] = useState(false);
@@ -61,6 +62,17 @@ export default function EmailVerifyPage({ shareId }: EmailVerifyPageProps) {
        );
    }

+    if (!isPending) {
+        return (
+            <div className="card bg-base-100 shadow-xl max-w-2xl mx-auto mt-8">
+                <div className="card-body">
+                    <h2 className="card-title text-warning">{t('not-allowed.title')}</h2>
+                    <p>{t('not-allowed.message')}</p>
+                </div>
+            </div>
+        );
+    }
+
    return (
        <div className="card bg-base-100 shadow-xl max-w-2xl mx-auto mt-8">
            <div className="card-body">
--- a/web-app/app/[locale]/email/verify/[id]/page.tsx
+++ b/web-app/app/[locale]/email/verify/[id]/page.tsx
@@ -1,12 +1,44 @@
 import { Suspense } from 'react';
 import EmailVerifyPage from './EmailVerifyPage';
 import { Main } from '@/app/ui/Main';
+import { getDbClient } from '@/app/lib/dbClient';
+import { BillingLocation, EmailStatus } from '@/app/lib/db-types';
+import { extractShareId, validateShareChecksum } from '@/app/lib/shareChecksum';
+import { notFound } from 'next/navigation';

 export default async function Page({ params: { id } }: { params: { id: string } }) {
+    // Extract and validate share ID
+    const extracted = extractShareId(id);
+    if (!extracted) {
+        notFound();
+    }
+
+    const { locationId, checksum } = extracted;
+
+    // Validate checksum
+    if (!validateShareChecksum(locationId, checksum)) {
+        notFound();
+    }
+
+    // Fetch location to check email status
+    const dbClient = await getDbClient();
+    const location = await dbClient.collection<BillingLocation>("lokacije")
+        .findOne(
+            { _id: locationId },
+            { projection: { tenantEmail: 1, tenantEmailStatus: 1 } }
+        );
+
+    if (!location || !location.tenantEmail) {
+        notFound();
+    }
+
+    // Check if email is pending verification
+    const isPending = location.tenantEmailStatus === EmailStatus.VerificationPending;
+
    return (
        <Main>
            <Suspense fallback={<div className="text-center p-8">Loading...</div>}>
-                <EmailVerifyPage shareId={id} />
+                <EmailVerifyPage shareId={id} isPending={isPending} />
            </Suspense>
        </Main>
    );