Require valid login credentials before verified email check.

- strongloop/loopback#931.

common/models/user.js

@@ -183,20 +183,18 @@ module.exports = function(User) {
         debug('An error is reported from User.findOne: %j', err);
         fn(defaultError);
       } else if (user) {
-        if (self.settings.emailVerificationRequired) {
-          if (!user.emailVerified) {
-            // Fail to log in if email verification is not done yet
-            debug('User email has not been verified');
-            err = new Error('login failed as the email has not been verified');
-            err.statusCode = 401;
-            return fn(err);
-          }
-        }
         user.hasPassword(credentials.password, function(err, isMatch) {
           if (err) {
             debug('An error is reported from User.hasPassword: %j', err);
             fn(defaultError);
           } else if (isMatch) {
+            if (self.settings.emailVerificationRequired && !user.emailVerified) {
+              // Fail to log in if email verification is not done yet
+              debug('User email has not been verified');
+              err = new Error('login failed as the email has not been verified');
+              err.statusCode = 401;
+              return fn(err);
+            } else {
               user.createAccessToken(credentials.ttl, function(err, token) {
                 if (err) return fn(err);
                 if (Array.isArray(include) ? include.indexOf('user') !== -1 : include === 'user') {
@@ -210,6 +208,7 @@ module.exports = function(User) {
                 }
                 fn(err, token);
               });
+            }
           } else {
             debug('The password is invalid for user %s', query.email || query.username);
             fn(defaultError);