From f922d2c4a1d2b1f2b7751db43a91c36b3b6051c8 Mon Sep 17 00:00:00 2001
From: Till JS
Date: Tue, 17 Mar 2026 12:33:27 +0100
Subject: [PATCH] fix(auth): return proper 403 for unverified email on login

Better Auth throws APIError("FORBIDDEN") when email is not verified, but the signIn catch block didn't handle this case, causing a 500. Now returns ForbiddenException with EMAIL_NOT_VERIFIED code so the client can show the resend verification link.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../src/auth/services/better-auth.service.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/services/mana-core-auth/src/auth/services/better-auth.service.ts b/services/mana-core-auth/src/auth/services/better-auth.service.ts
index 326a2cbec..6b6b3cf1c 100644
--- a/services/mana-core-auth/src/auth/services/better-auth.service.ts
+++ b/services/mana-core-auth/src/auth/services/better-auth.service.ts
@@ -551,6 +551,15 @@ export class BetterAuthService {
 };
 } catch (error: unknown) {
 if (error instanceof Error) {
+ if (
+ error.message?.includes('Email not verified') ||
+ error.message?.includes('EMAIL_NOT_VERIFIED')
+ ) {
+ throw new ForbiddenException({
+ message: 'Email not verified',
+ code: 'EMAIL_NOT_VERIFIED',
+ });
+ }
 if (
 error.message?.includes('invalid') ||
 error.message?.includes('credentials') ||
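Review bot: The new branch decides the HTTP status by substring-matching the error text (`includes('Email not verified')`, `includes('EMAIL_NOT_VERIFIED')`), which is brittle — any upstream wording or localisation change silently turns this case back into a 500, and it copies the message-sniffing pattern of the existing `'invalid'`/`'credentials'` check below it. Since the commit message says Better Auth raises `APIError("FORBIDDEN")` here, prefer the structured error, e.g. `if (error instanceof APIError && error.status === 'FORBIDDEN') { throw new ForbiddenException({ message: 'Email not verified', code: 'EMAIL_NOT_VERIFIED' }); }` — confirm the exact `status`/`body.code` fields exposed by the Better Auth version this service pins. Note also that surfacing a distinct 403 for unverified accounts is an account-state oracle if Better Auth performs this check before validating the password; worth verifying the upstream ordering and, if needed, documenting that trade-off next to the branch. The `?.` on `error.message` is redundant once `error instanceof Error` has narrowed it to `string`. The enclosing signIn catch block begins before this hunk and continues past it.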