From 36922cc946078cf8c59bc14a10b3a2e0a5f49f2a Mon Sep 17 00:00:00 2001
From: Till JS
Date: Tue, 31 Mar 2026 18:01:24 +0200
Subject: [PATCH] fix(mana-auth): robust email-not-verified detection

Better Auth throws APIError.from(FORBIDDEN, EMAIL_NOT_VERIFIED). Check status 403, body.code, and lowercased message.

Co-Authored-By: Claude Sonnet 4.6
---
 services/mana-auth/src/routes/auth.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/services/mana-auth/src/routes/auth.ts b/services/mana-auth/src/routes/auth.ts
index a052f735d..4abbcad60 100644
--- a/services/mana-auth/src/routes/auth.ts
+++ b/services/mana-auth/src/routes/auth.ts
@@ -131,10 +131,13 @@ export function createAuthRoutes(
 return c.json(response);
 } catch (error) {
- // Check if Better Auth rejected login due to unverified email
- const errorMessage = error instanceof Error ? error.message : String(error);
+ // Better Auth throws APIError.from("FORBIDDEN", "EMAIL_NOT_VERIFIED") for unverified emails
 const isEmailNotVerified =
- errorMessage.includes('email') && errorMessage.toLowerCase().includes('verif');
+ (error as any)?.status === 403 ||
+ (error as any)?.body?.code === 'EMAIL_NOT_VERIFIED' ||
+ String((error as any)?.message ?? error)
+ .toLowerCase()
+ .includes('not verified');
 if (isEmailNotVerified) {
 return c.json({ error: 'Email not verified', code: 'EMAIL_NOT_VERIFIED' }, 403);
 }
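Review bot: The first disjunct, `(error as any)?.status === 403 ||`, stands alone in the `||` chain, so every 403 thrown inside this try block is answered as `EMAIL_NOT_VERIFIED`, and a sign-in refused for any other reason would be mislabelled to the client. The error code should be the deciding signal, e.g. `const e = error as { status?: number; body?: { code?: string } } | null;` followed by `const isEmailNotVerified = e?.body?.code === 'EMAIL_NOT_VERIFIED';`. The `'not verified'` message match should remain only as a fallback gated on `e?.status === 403`. That also replaces the three `as any` casts with one narrow cast. The try body and the rest of the catch lie outside the hunk, so which other errors can reach this branch is not visible here.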