@lenne.tech/nest-server 11.11.1 → 11.13.0

package/src/core/modules/better-auth/core-better-auth.resolver.ts

@@ -1,4 +1,4 @@
-import { BadRequestException, Logger, UnauthorizedException } from '@nestjs/common';
+import { BadRequestException, Logger, Optional, UnauthorizedException } from '@nestjs/common';
 import { Args, Context, Mutation, Query, Resolver } from '@nestjs/graphql';
 import { Request, Response } from 'express';
 
@@ -15,6 +15,7 @@ import {
   requires2FA,
 } from './better-auth.types';
 import { CoreBetterAuthAuthModel } from './core-better-auth-auth.model';
+import { CoreBetterAuthEmailVerificationService } from './core-better-auth-email-verification.service';
 import { CoreBetterAuthMigrationStatusModel } from './core-better-auth-migration-status.model';
 import {
   CoreBetterAuth2FASetupModel,
@@ -24,7 +25,9 @@ import {
   CoreBetterAuthSessionModel,
   CoreBetterAuthUserModel,
 } from './core-better-auth-models';
+import { CoreBetterAuthSignUpValidatorService } from './core-better-auth-signup-validator.service';
 import { BetterAuthSessionUser, CoreBetterAuthUserMapper, MappedUser } from './core-better-auth-user.mapper';
+import { convertExpressHeaders } from './core-better-auth-web.helper';
 import { CoreBetterAuthService } from './core-better-auth.service';
 
 /**
@@ -69,8 +72,72 @@ export class CoreBetterAuthResolver {
   constructor(
     protected readonly betterAuthService: CoreBetterAuthService,
     protected readonly userMapper: CoreBetterAuthUserMapper,
+    @Optional() protected readonly signUpValidator?: CoreBetterAuthSignUpValidatorService,
+    @Optional() protected readonly emailVerificationService?: CoreBetterAuthEmailVerificationService,
   ) {}
 
+  // ===========================================================================
+  // Token Resolution
+  // ===========================================================================
+
+  /**
+   * Resolves a session token to a JWT when cookies are disabled and JWT is enabled.
+   * Delegates to CoreBetterAuthService.resolveJwtToken().
+   *
+   * @param token - The token from BetterAuth response (may be session token or JWT)
+   * @returns A proper JWT token, or the original token if conversion is not needed/possible
+   */
+  protected async resolveJwtToken(token: string | undefined): Promise<string | undefined> {
+    return this.betterAuthService.resolveJwtToken(token);
+  }
+
+  // ===========================================================================
+  // Email Verification
+  // ===========================================================================
+
+  /**
+   * Check if email verification is required and the user's email is verified.
+   * Throws UnauthorizedException with EMAIL_VERIFICATION_REQUIRED if:
+   * - emailVerificationService is available AND enabled
+   * - AND the user's email is NOT verified
+   *
+   * Override this method to customize the email verification check behavior.
+   *
+   * @param sessionUser - The user from Better-Auth sign-in response
+   * @throws UnauthorizedException if email is not verified and verification is required
+   */
+  protected checkEmailVerification(sessionUser: BetterAuthSessionUser): void {
+    if (
+      this.emailVerificationService?.isEnabled()
+      && !sessionUser.emailVerified
+    ) {
+      this.logger.debug(`[SignIn] Email not verified for ${maskEmail(sessionUser.email)}, blocking login`);
+      throw new UnauthorizedException(ErrorCode.EMAIL_VERIFICATION_REQUIRED);
+    }
+  }
+
+  /**
+   * Check email verification by looking up the user by email address.
+   *
+   * This is used in the 2FA path where the sign-in response does NOT include user data
+   * (only a 2FA challenge), so we cannot use checkEmailVerification(sessionUser).
+   * Instead, we look up the user via CoreBetterAuthService.isUserEmailVerified().
+   *
+   * @param email - The email address to check
+   * @throws UnauthorizedException if email is not verified and verification is required
+   */
+  protected async checkEmailVerificationByEmail(email: string): Promise<void> {
+    if (!this.emailVerificationService?.isEnabled()) {
+      return;
+    }
+
+    const verified = await this.betterAuthService.isUserEmailVerified(email);
+    if (verified === false) {
+      this.logger.debug(`[SignIn/2FA] Email not verified for ${maskEmail(email)}, blocking login`);
+      throw new UnauthorizedException(ErrorCode.EMAIL_VERIFICATION_REQUIRED);
+    }
+  }
+
   // ===========================================================================
   // Queries
   // ===========================================================================
@@ -122,6 +189,7 @@ export class CoreBetterAuthResolver {
   @Roles(RoleEnum.S_EVERYONE)
   betterAuthFeatures(): CoreBetterAuthFeaturesModel {
     return {
+      emailVerification: this.emailVerificationService?.isEnabled() ?? false,
       enabled: this.betterAuthService.isEnabled(),
       jwt: this.betterAuthService.isJwtEnabled(),
       passkey: this.betterAuthService.isPasskeyEnabled(),
@@ -189,6 +257,11 @@ export class CoreBetterAuthResolver {
    * but not in IAM, they will be automatically migrated on first IAM sign-in.
    *
    * Override this method to add custom pre/post sign-in logic.
+   *
+   * NOTE: The `_ctx` parameter is intentionally kept but unused in the base implementation.
+   * It provides override flexibility for consuming projects that need access to the Express
+   * Request/Response context (e.g., for IP logging, custom cookie handling, audit trails).
+   * DO NOT REMOVE this parameter - it would break existing project overrides.
    */
   @Mutation(() => CoreBetterAuthAuthModel, {
     description: 'Sign in via Better-Auth (email/password)',
@@ -197,8 +270,8 @@ export class CoreBetterAuthResolver {
   async betterAuthSignIn(
     @Args('email') email: string,
     @Args('password') password: string,
-     
-    @Context() _ctx: { req: Request; res: Response },
+    // Kept for override flexibility - projects may need req/res in their overrides
+    @Context() _ctx?: { req: Request; res: Response },
   ): Promise<CoreBetterAuthAuthModel> {
     this.ensureEnabled();
 
@@ -245,6 +318,8 @@ export class CoreBetterAuthResolver {
 
       // Check for 2FA requirement
       if (requires2FA(response)) {
+        // Defense-in-depth: Check email verification even for 2FA users
+        await this.checkEmailVerificationByEmail(email);
         return {
           requiresTwoFactor: true,
           success: false,
@@ -255,13 +330,19 @@ export class CoreBetterAuthResolver {
       // Get user data
       if (hasUser(response)) {
         const sessionUser: BetterAuthSessionUser = response.user;
+
+        // Check email verification requirement before allowing login
+        this.checkEmailVerification(sessionUser);
+
         const mappedUser = await this.userMapper.mapSessionUser(sessionUser);
 
-        // Return the session token for session-based authentication
-        // Note: If JWT plugin is enabled, accessToken may be in response or in set-auth-jwt header
-        // For GraphQL responses, we return the session token and let clients use it for session auth
+        // Return the best available token:
+        // 1. accessToken (JWT plugin enriched response)
+        // 2. token (top-level, some BetterAuth versions)
+        // 3. session.token (session-based fallback)
         const responseAny = response as any;
-        const token = responseAny.accessToken || responseAny.token;
+        const rawToken = responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+        const token = await this.resolveJwtToken(rawToken);
 
         return {
           requiresTwoFactor: false,
@@ -299,7 +380,7 @@ export class CoreBetterAuthResolver {
   /**
    * Direct sign-in attempt without migration logic (used after migration)
    */
-  private async attemptSignInDirect(
+  protected async attemptSignInDirect(
     email: string,
     password: string,
     api: ReturnType<CoreBetterAuthService['getApi']>,
@@ -313,14 +394,24 @@ export class CoreBetterAuthResolver {
     }
 
     if (requires2FA(response)) {
+      // Defense-in-depth: Check email verification even for 2FA users
+      await this.checkEmailVerificationByEmail(email);
       return { requiresTwoFactor: true, success: false, user: null };
     }
 
     const sessionUser: BetterAuthSessionUser = response.user;
+
+    // Check email verification requirement before allowing login
+    this.checkEmailVerification(sessionUser);
+
     const mappedUser = await this.userMapper.mapSessionUser(sessionUser);
-    // Return accessToken if available (JWT), otherwise fall back to session token
+    // Return the best available token:
+    // 1. accessToken (JWT plugin enriched response)
+    // 2. token (top-level, some BetterAuth versions)
+    // 3. session.token (session-based fallback)
     const responseAny = response as any;
-    const token = responseAny.accessToken || responseAny.token;
+    const rawToken = responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+    const token = await this.resolveJwtToken(rawToken);
 
     return {
       requiresTwoFactor: false,
@@ -335,6 +426,16 @@ export class CoreBetterAuthResolver {
    * Sign up via Better-Auth
    *
    * Override this method to add custom pre/post sign-up logic (e.g., sending welcome emails).
+   *
+   * By default, `termsAndPrivacyAccepted` must be `true` for sign-up to succeed.
+   * This can be configured via `betterAuth.signUpChecks` in your server config:
+   * - `signUpChecks: false` - Disable all sign-up checks
+   * - `signUpChecks: { requiredFields: ['termsAndPrivacyAccepted', 'ageConfirmed'] }` - Custom fields
+   *
+   * @param email - User email address
+   * @param password - User password
+   * @param name - Optional display name
+   * @param termsAndPrivacyAccepted - Whether user accepted terms and privacy policy (required by default)
    */
   @Mutation(() => CoreBetterAuthAuthModel, {
     description: 'Sign up via Better-Auth (email/password)',
@@ -344,9 +445,15 @@ export class CoreBetterAuthResolver {
     @Args('email') email: string,
     @Args('password') password: string,
     @Args('name', { nullable: true }) name?: string,
+    @Args('termsAndPrivacyAccepted', { nullable: true }) termsAndPrivacyAccepted?: boolean,
   ): Promise<CoreBetterAuthAuthModel> {
     this.ensureEnabled();
 
+    // Validate sign-up input (termsAndPrivacyAccepted is required by default)
+    if (this.signUpValidator) {
+      this.signUpValidator.validateSignUpInput({ termsAndPrivacyAccepted });
+    }
+
     const api = this.betterAuthService.getApi();
     if (!api) {
       throw new BadRequestException(ErrorCode.BETTERAUTH_API_NOT_AVAILABLE);
@@ -369,9 +476,26 @@ export class CoreBetterAuthResolver {
         const sessionUser: BetterAuthSessionUser = response.user;
 
         // Link or create user in our database
-        await this.userMapper.linkOrCreateUser(sessionUser);
+        // Pass termsAndPrivacyAccepted to store the acceptance timestamp
+        await this.userMapper.linkOrCreateUser(sessionUser, { termsAndPrivacyAccepted });
         const mappedUser = await this.userMapper.mapSessionUser(sessionUser);
 
+        // If email verification is enabled, revoke the session and don't return session data
+        // The user must verify their email before they can use any session
+        if (this.emailVerificationService?.isEnabled()) {
+          const sessionToken = hasSession(response) ? response.session.token : undefined;
+          if (sessionToken) {
+            await this.betterAuthService.revokeSession(sessionToken);
+          }
+          this.logger.debug(`[SignUp] Email verification required for ${maskEmail(sessionUser.email)}, session revoked`);
+          return {
+            emailVerificationRequired: true,
+            requiresTwoFactor: false,
+            success: true,
+            user: mappedUser ? this.mapToUserModel(mappedUser) : null,
+          };
+        }
+
         return {
           requiresTwoFactor: false,
           session: hasSession(response) ? this.mapSessionInfo(response.session) : null,
@@ -387,6 +511,10 @@ export class CoreBetterAuthResolver {
       if (errorMessage.includes('already exists')) {
         throw new BadRequestException(ErrorCode.EMAIL_ALREADY_EXISTS);
       }
+      // Re-throw BadRequestException (e.g., from sign-up validation)
+      if (error instanceof BadRequestException) {
+        throw error;
+      }
       throw new BadRequestException(ErrorCode.SIGNUP_FAILED);
     }
   }
@@ -782,15 +910,7 @@ export class CoreBetterAuthResolver {
    * Convert Express headers to Web API Headers
    */
   protected convertHeaders(headers: Record<string, string | string[] | undefined>): Headers {
-    const result = new Headers();
-    for (const [key, value] of Object.entries(headers)) {
-      if (typeof value === 'string') {
-        result.set(key, value);
-      } else if (Array.isArray(value)) {
-        result.set(key, value.join(', '));
-      }
-    }
-    return result;
+    return convertExpressHeaders(headers);
   }
 
   /**

package/src/core/modules/better-auth/core-better-auth.service.ts

@@ -4,11 +4,12 @@ import { Request } from 'express';
 import { importJWK, jwtVerify } from 'jose';
 import { Connection } from 'mongoose';
 
-import { maskCookieHeader, maskEmail, maskToken } from '../../common/helpers/logging.helper';
+import { maskEmail, maskToken } from '../../common/helpers/logging.helper';
 import { IBetterAuth } from '../../common/interfaces/server-options.interface';
 import { ConfigService } from '../../common/services/config.service';
 import { BetterAuthInstance } from './better-auth.config';
 import { BetterAuthSessionUser } from './core-better-auth-user.mapper';
+import { convertExpressHeaders, parseCookieHeader, signCookieValueIfNeeded } from './core-better-auth-web.helper';
 import { BETTER_AUTH_INSTANCE } from './core-better-auth.module';
 
 /**
@@ -215,6 +216,48 @@ export class CoreBetterAuthService {
   // JWT Token Methods
   // ===================================================================================================================
 
+  /**
+   * Resolves a session token to a JWT when cookies are disabled and JWT is enabled.
+   *
+   * When cookies are disabled, BetterAuth's internal API may return a session token
+   * (opaque string like "TVRRtiL19h9q...") instead of a JWT. This method detects
+   * non-JWT tokens and converts them to proper JWTs via the BetterAuth JWT plugin.
+   *
+   * @param token - The token from BetterAuth response (may be session token or JWT)
+   * @returns A proper JWT token, or the original token if conversion is not needed/possible
+   */
+  async resolveJwtToken(token: string | undefined): Promise<string | undefined> {
+    if (!token) return undefined;
+
+    const cookiesEnabled = ConfigService.configFastButReadOnly?.cookies !== false;
+    if (cookiesEnabled || !this.isJwtEnabled()) {
+      return token;
+    }
+
+    // Already a JWT (three base64url segments separated by dots)
+    if (token.startsWith('eyJ') && token.split('.').length === 3) {
+      return token;
+    }
+
+    // Convert session token to JWT via BetterAuth JWT plugin
+    // BetterAuth identifies sessions via the session cookie, so we pass
+    // the session token as a cookie header (signed, as BetterAuth expects)
+    const cookieName = this.getSessionCookieName();
+    const secret = this.config?.secret || '';
+    const signedToken = secret ? signCookieValueIfNeeded(token, secret, true) : encodeURIComponent(token);
+    const jwt = await this.getToken({
+      headers: { cookie: `${cookieName}=${signedToken}` },
+    });
+
+    if (jwt) {
+      this.logger.debug('Resolved session token to JWT for cookie-less mode');
+      return jwt;
+    }
+
+    this.logger.warn('Failed to resolve session token to JWT - returning session token as fallback');
+    return token;
+  }
+
   /**
    * Gets a fresh JWT token for the current session.
    *
@@ -248,16 +291,8 @@ export class CoreBetterAuthService {
 
     try {
       // Convert headers to the format Better-Auth expects
-      const headers = new Headers();
       const reqHeaders = 'headers' in req ? req.headers : {};
-
-      for (const [key, value] of Object.entries(reqHeaders)) {
-        if (typeof value === 'string') {
-          headers.set(key, value);
-        } else if (Array.isArray(value)) {
-          headers.set(key, value.join(', '));
-        }
-      }
+      const headers = convertExpressHeaders(reqHeaders as Record<string, string | string[] | undefined>);
 
       // Call the token endpoint via Better-Auth API
       // The jwt plugin adds a getToken method to the API
@@ -305,26 +340,39 @@ export class CoreBetterAuthService {
 
     try {
       // Convert headers to the format Better-Auth expects
-      const headers = new Headers();
       const reqHeaders = 'headers' in req ? req.headers : {};
+      const headers = convertExpressHeaders(reqHeaders as Record<string, string | string[] | undefined>);
 
-      for (const [key, value] of Object.entries(reqHeaders)) {
-        if (typeof value === 'string') {
-          headers.set(key, value);
-        } else if (Array.isArray(value)) {
-          headers.set(key, value.join(', '));
+      // Sign cookies before sending to Better-Auth API
+      // Browser clients send unsigned cookies, but Better-Auth expects signed cookies
+      const cookieHeader = headers.get('cookie');
+      if (cookieHeader && this.config?.secret) {
+        const basePath = this.getBasePath()?.replace(/^\//, '').replace(/\//g, '.') || 'iam';
+        const sessionCookieName = `${basePath}.session_token`;
+        const cookies = parseCookieHeader(cookieHeader);
+        let modified = false;
+
+        for (const [name, value] of Object.entries(cookies)) {
+          // Sign the session token cookie if it's not already signed
+          if (name === sessionCookieName || name === 'token') {
+            const signedValue = signCookieValueIfNeeded(value, this.config.secret);
+            if (signedValue !== value) {
+              cookies[name] = signedValue;
+              modified = true;
+            }
+          }
         }
-      }
 
-      // Debug: Log the cookie header being sent to api.getSession (masked for security)
-      const cookieHeader = headers.get('cookie');
-      this.logger.debug(`getSession called with cookies: ${maskCookieHeader(cookieHeader)}`);
+        if (modified) {
+          const signedCookieHeader = Object.entries(cookies)
+            .map(([name, value]) => `${name}=${value}`)
+            .join('; ');
+          headers.set('cookie', signedCookieHeader);
+        }
+      }
 
       const response = await api.getSession({ headers });
 
-      // Debug: Log the response from api.getSession
-      this.logger.debug(`getSession response: ${JSON.stringify(response)?.substring(0, 200)}`);
-
       if (response && typeof response === 'object' && 'user' in response) {
         return response as SessionResult;
       }
@@ -347,11 +395,11 @@ export class CoreBetterAuthService {
    *
    * @example
    * ```typescript
-   * // Get session token from cookie or header
-   * const sessionToken = req.cookies['better-auth.session_token'];
+   * // Get session token from cookie (using basePath-based name)
+   * const sessionToken = req.cookies['iam.session_token'];
    * const success = await betterAuthService.revokeSession(sessionToken);
    * if (success) {
-   *   res.clearCookie('better-auth.session_token');
+   *   res.clearCookie('iam.session_token');
    * }
    * ```
    */
@@ -521,6 +569,132 @@ export class CoreBetterAuthService {
     }
   }
 
+  /**
+   * Gets the most recent active (non-expired) session for a user.
+   *
+   * This is needed in JWT mode where the client only has a JWT but BetterAuth's
+   * plugin endpoints (2FA, Passkey, etc.) need a real session token for authentication.
+   *
+   * @param userId - The user ID to find an active session for
+   * @returns Session result with token, or null if no active session exists
+   */
+  async getActiveSessionForUser(userId: string): Promise<SessionResult> {
+    if (!this.isEnabled() || !this.connection?.db) {
+      return { session: null, user: null };
+    }
+
+    try {
+      const db = this.connection.db;
+      const sessionsCollection = db.collection('session');
+
+      // Find the most recent non-expired session for this user
+      const results = await sessionsCollection
+        .aggregate([
+          {
+            $match: {
+              $expr: {
+                $or: [
+                  { $eq: ['$userId', userId] },
+                  { $eq: [{ $toString: '$userId' }, userId] },
+                ],
+              },
+              expiresAt: { $gt: new Date() },
+            },
+          },
+          { $sort: { createdAt: -1 } },
+          { $limit: 1 },
+          {
+            $lookup: {
+              as: 'userDoc',
+              from: 'users',
+              let: { sessionUserId: '$userId' },
+              pipeline: [
+                {
+                  $match: {
+                    $expr: {
+                      $or: [
+                        { $eq: ['$_id', '$$sessionUserId'] },
+                        { $eq: [{ $toString: '$_id' }, { $toString: '$$sessionUserId' }] },
+                        { $eq: ['$id', { $toString: '$$sessionUserId' }] },
+                      ],
+                    },
+                  },
+                },
+              ],
+            },
+          },
+          { $unwind: { path: '$userDoc', preserveNullAndEmptyArrays: true } },
+        ])
+        .toArray();
+
+      const result = results[0];
+
+      if (!result) {
+        this.logger.debug(`getActiveSessionForUser: no active session for user ${userId}`);
+        return { session: null, user: null };
+      }
+
+      const user = result.userDoc;
+
+      return {
+        session: {
+          expiresAt: result.expiresAt,
+          id: result.id || result._id?.toString(),
+          token: result.token,
+          userId: result.userId?.toString(),
+        },
+        user: user
+          ? {
+              email: user.email,
+              emailVerified: user.emailVerified,
+              id: user.id || user._id?.toString(),
+              name: user.name,
+            }
+          : null,
+      };
+    } catch (error) {
+      this.logger.debug(`getActiveSessionForUser error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+      return { session: null, user: null };
+    }
+  }
+
+  // ===================================================================================================================
+  // User Lookup Methods
+  // ===================================================================================================================
+
+  /**
+   * Checks whether a user's email is verified via Better-Auth's internal adapter.
+   *
+   * Returns:
+   * - `true` if the user exists and their email is verified
+   * - `false` if the user exists and their email is NOT verified
+   * - `null` if the user could not be found or Better-Auth is not available
+   *
+   * This method is used by controller and resolver to check email verification
+   * in the 2FA path, where the sign-in response does not include user data.
+   *
+   * @param email - The email address to look up
+   * @returns `true`, `false`, or `null`
+   */
+  async isUserEmailVerified(email: string): Promise<boolean | null> {
+    const authInstance = this.getInstance();
+    if (!authInstance) {
+      return null;
+    }
+
+    try {
+      const context = await authInstance.$context;
+      const result = await context.internalAdapter.findUserByEmail(email);
+      if (!result?.user) {
+        return null;
+      }
+      return !!result.user.emailVerified;
+    } catch (error) {
+      this.logger.debug(`isUserEmailVerified error for ${maskEmail(email)}: ${error instanceof Error ? error.message : 'Unknown error'}`);
+      return null;
+    }
+  }
+
   // ===================================================================================================================
   // JWT Token Verification (for BetterAuth JWT tokens using JWKS)
   // ===================================================================================================================
@@ -686,22 +860,26 @@ export class CoreBetterAuthService {
   }
 
   /**
-   * Extracts and verifies a JWT token from a request's Authorization header.
+   * Extracts and verifies a JWT token from a request's Authorization header,
+   * or verifies a directly provided token.
    *
    * @param req - Express request object
+   * @param token - Optional JWT token to verify directly (bypasses header extraction)
    * @returns The JWT payload with user info, or null if no valid token
    */
-  async verifyJwtFromRequest(req: Request): Promise<null | {
+  async verifyJwtFromRequest(req: Request, token?: string): Promise<null | {
     [key: string]: any;
     email?: string;
     sub: string;
   }> {
-    const authHeader = req.headers.authorization;
-    if (!authHeader?.startsWith('Bearer ')) {
-      return null;
+    if (!token) {
+      const authHeader = req.headers.authorization;
+      if (!authHeader?.startsWith('Bearer ')) {
+        return null;
+      }
+      token = authHeader.substring(7);
     }
 
-    const token = authHeader.substring(7);
     return this.verifyJwtToken(token);
   }
 }

package/src/core/modules/better-auth/index.ts

@@ -28,10 +28,14 @@ export * from './better-auth.resolver';
 export * from './better-auth.types';
 export * from './core-better-auth-api.middleware';
 export * from './core-better-auth-auth.model';
+export * from './core-better-auth-cookie.helper';
+export * from './core-better-auth-email-verification.service';
 export * from './core-better-auth-migration-status.model';
 export * from './core-better-auth-models';
 export * from './core-better-auth-rate-limit.middleware';
 export * from './core-better-auth-rate-limiter.service';
+export * from './core-better-auth-signup-validator.service';
+export * from './core-better-auth-token.helper';
 export * from './core-better-auth-user.mapper';
 export * from './core-better-auth-web.helper';
 export * from './core-better-auth.controller';

package/src/core/modules/error-code/error-codes.ts

@@ -233,6 +233,51 @@ export const LtnsErrors = {
     },
   },
 
+  SIGNUP_TERMS_NOT_ACCEPTED: {
+    code: 'LTNS_0021',
+    message: 'Terms and privacy policy must be accepted',
+    translations: {
+      de: 'Die Nutzungsbedingungen und Datenschutzrichtlinie müssen akzeptiert werden.',
+      en: 'Terms and privacy policy must be accepted.',
+    },
+  },
+
+  SIGNUP_MISSING_REQUIRED_FIELDS: {
+    code: 'LTNS_0022',
+    message: 'Required sign-up fields are missing',
+    translations: {
+      de: 'Erforderliche Registrierungsfelder fehlen.',
+      en: 'Required sign-up fields are missing.',
+    },
+  },
+
+  EMAIL_VERIFICATION_REQUIRED: {
+    code: 'LTNS_0023',
+    message: 'Email verification required',
+    translations: {
+      de: 'Bitte verifizieren Sie Ihre E-Mail-Adresse.',
+      en: 'Please verify your email address.',
+    },
+  },
+
+  EMAIL_VERIFICATION_TOKEN_INVALID: {
+    code: 'LTNS_0024',
+    message: 'Email verification token is invalid or expired',
+    translations: {
+      de: 'Der E-Mail-Verifizierungslink ist ungültig oder abgelaufen.',
+      en: 'The email verification link is invalid or expired.',
+    },
+  },
+
+  EMAIL_ALREADY_VERIFIED: {
+    code: 'LTNS_0025',
+    message: 'Email is already verified',
+    translations: {
+      de: 'Die E-Mail-Adresse ist bereits verifiziert.',
+      en: 'The email address is already verified.',
+    },
+  },
+
   // =====================================================
   // Authorization Errors (LTNS_0100-LTNS_0199)
   // =====================================================

package/src/core/modules/user/core-user.model.ts

@@ -256,6 +256,21 @@ export abstract class CoreUserModel extends CorePersistenceModel {
   })
   twoFactorEnabled: boolean = undefined;
 
+  /**
+   * Date when terms and privacy policy were accepted
+   * Set during sign-up when user accepts terms and privacy policy
+   *
+   * @since 11.13.0
+   */
+  @UnifiedField({
+    description: 'Date when terms and privacy policy were accepted',
+    isOptional: true,
+    mongoose: { type: Date },
+    roles: RoleEnum.S_EVERYONE,
+    type: () => Date,
+  })
+  termsAndPrivacyAcceptedAt: Date = undefined;
+
   // ===================================================================================================================
   // Methods
   // ===================================================================================================================