From dc055e55593860f7cf1d68b55226426d560c96a6 Mon Sep 17 00:00:00 2001
From: Ron Edgecomb <ron.edgecomb@gmail.com>
Date: Thu, 18 Dec 2014 13:07:31 -0500
Subject: [PATCH] Require valid login credentials before verified email check. 
 - strongloop/loopback#931.

---
 common/models/user.js | 43 +++++++++++++++++++++----------------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/common/models/user.js b/common/models/user.js
index 42661905..85bf389a 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -183,33 +183,32 @@ module.exports = function(User) {
         debug('An error is reported from User.findOne: %j', err);
         fn(defaultError);
       } else if (user) {
-        if (self.settings.emailVerificationRequired) {
-          if (!user.emailVerified) {
-            // Fail to log in if email verification is not done yet
-            debug('User email has not been verified');
-            err = new Error('login failed as the email has not been verified');
-            err.statusCode = 401;
-            return fn(err);
-          }
-        }
         user.hasPassword(credentials.password, function(err, isMatch) {
           if (err) {
             debug('An error is reported from User.hasPassword: %j', err);
             fn(defaultError);
           } else if (isMatch) {
-            user.createAccessToken(credentials.ttl, function(err, token) {
-              if (err) return fn(err);
-              if (Array.isArray(include) ? include.indexOf('user') !== -1 : include === 'user') {
-                // NOTE(bajtos) We can't set token.user here:
-                //  1. token.user already exists, it's a function injected by
-                //     "AccessToken belongsTo User" relation
-                //  2. ModelBaseClass.toJSON() ignores own properties, thus
-                //     the value won't be included in the HTTP response
-                // See also loopback#161 and loopback#162
-                token.__data.user = user;
-              }
-              fn(err, token);
-            });
+            if (self.settings.emailVerificationRequired && !user.emailVerified) {
+              // Fail to log in if email verification is not done yet
+              debug('User email has not been verified');
+              err = new Error('login failed as the email has not been verified');
+              err.statusCode = 401;
+              return fn(err);
+            } else {
+              user.createAccessToken(credentials.ttl, function(err, token) {
+                if (err) return fn(err);
+                if (Array.isArray(include) ? include.indexOf('user') !== -1 : include === 'user') {
+                  // NOTE(bajtos) We can't set token.user here:
+                  //  1. token.user already exists, it's a function injected by
+                  //     "AccessToken belongsTo User" relation
+                  //  2. ModelBaseClass.toJSON() ignores own properties, thus
+                  //     the value won't be included in the HTTP response
+                  // See also loopback#161 and loopback#162
+                  token.__data.user = user;
+                }
+                fn(err, token);
+              });
+            }
           } else {
             debug('The password is invalid for user %s', query.email || query.username);
             fn(defaultError);