strapi-plugin-firebase-authentication 1.1.12 → 1.2.0

package/dist/server/index.mjs

@@ -198,7 +198,7 @@ const register = ({ strapi: strapi2 }) => {
 const config$1 = {
   default: ({ env: env2 }) => ({
     firebaseJsonEncryptionKey: env2("FIREBASE_JSON_ENCRYPTION_KEY", "your-key-here"),
-    emailRequired: true,
+    emailRequired: env2.bool("FIREBASE_EMAIL_REQUIRED", false),
     emailPattern: "{randomString}@phone-user.firebase.local"
   }),
   validator(config2) {
@@ -289,6 +289,15 @@ const attributes$1 = {
     minimum: 1,
     maximum: 72,
     description: "How long the magic link remains valid (in hours)"
+  },
+  emailVerificationUrl: {
+    type: "string",
+    "default": "http://localhost:3000/verify-email",
+    description: "URL where users will be redirected to verify their email"
+  },
+  emailVerificationEmailSubject: {
+    type: "string",
+    "default": "Verify Your Email"
   }
 };
 const firebaseAuthenticationConfiguration = {
@@ -339,6 +348,13 @@ const attributes = {
   },
   resetTokenExpiresAt: {
     type: "datetime"
+  },
+  verificationTokenHash: {
+    type: "string",
+    "private": true
+  },
+  verificationTokenExpiresAt: {
+    type: "datetime"
   }
 };
 const firebaseUserData = {
@@ -583,6 +599,61 @@ const firebaseController = {
       ctx.status = 500;
       ctx.body = { error: "An error occurred while resetting your password" };
     }
+  },
+  /**
+   * Send email verification - public endpoint
+   * POST /api/firebase-authentication/sendVerificationEmail
+   * Public endpoint - no authentication required
+   */
+  async sendVerificationEmail(ctx) {
+    strapi.log.debug("sendVerificationEmail endpoint called");
+    try {
+      const { email: email2 } = ctx.request.body || {};
+      ctx.body = await strapi.plugin(pluginName).service("firebaseService").sendVerificationEmail(email2);
+    } catch (error2) {
+      strapi.log.error("sendVerificationEmail controller error:", error2);
+      if (error2.name === "ValidationError") {
+        ctx.status = 400;
+      } else {
+        ctx.status = 500;
+      }
+      ctx.body = { error: error2.message };
+    }
+  },
+  /**
+   * Verify email using custom JWT token
+   * POST /api/firebase-authentication/verifyEmail
+   * Public endpoint - token provides authentication
+   *
+   * @param ctx - Koa context with { token } in body
+   * @returns { success: true, message: "Email verified successfully" }
+   */
+  async verifyEmail(ctx) {
+    strapi.log.debug("verifyEmail endpoint called");
+    try {
+      const { token } = ctx.request.body || {};
+      if (!token) {
+        ctx.status = 400;
+        ctx.body = { error: "Token is required" };
+        return;
+      }
+      const result = await strapi.plugin(pluginName).service("firebaseService").verifyEmail(token);
+      ctx.body = result;
+    } catch (error2) {
+      strapi.log.error("verifyEmail controller error:", error2);
+      if (error2.name === "ValidationError") {
+        ctx.status = 400;
+        ctx.body = { error: error2.message };
+        return;
+      }
+      if (error2.name === "NotFoundError") {
+        ctx.status = 404;
+        ctx.body = { error: error2.message };
+        return;
+      }
+      ctx.status = 500;
+      ctx.body = { error: "An error occurred while verifying your email" };
+    }
   }
 };
 var commonjsGlobal = typeof globalThis !== "undefined" ? globalThis : typeof window !== "undefined" ? window : typeof global !== "undefined" ? global : typeof self !== "undefined" ? self : {};
@@ -28950,6 +29021,17 @@ const userController = {
     } catch (error2) {
       throw new ApplicationError$2(error2.message || "Failed to send password reset email");
     }
+  },
+  sendVerificationEmail: async (ctx) => {
+    const userId = ctx.params.id;
+    if (!userId) {
+      throw new ValidationError$1("User ID is required");
+    }
+    try {
+      ctx.body = await strapi.plugin("firebase-authentication").service("userService").sendVerificationEmail(userId);
+    } catch (error2) {
+      throw new ApplicationError$2(error2.message || "Failed to send verification email");
+    }
   }
 };
 const settingsController = {
@@ -29052,7 +29134,9 @@ const settingsController = {
         enableMagicLink = false,
         magicLinkUrl = "http://localhost:1338/verify-magic-link.html",
         magicLinkEmailSubject = "Sign in to Your Application",
-        magicLinkExpiryHours = 1
+        magicLinkExpiryHours = 1,
+        emailVerificationUrl = "http://localhost:3000/verify-email",
+        emailVerificationEmailSubject = "Verify Your Email"
       } = requestBody;
       const existingConfig = await strapi.db.query("plugin::firebase-authentication.firebase-authentication-configuration").findOne({ where: {} });
       let result;
@@ -29066,7 +29150,9 @@ const settingsController = {
             enableMagicLink,
             magicLinkUrl,
             magicLinkEmailSubject,
-            magicLinkExpiryHours
+            magicLinkExpiryHours,
+            emailVerificationUrl,
+            emailVerificationEmailSubject
           }
         });
       } else {
@@ -29080,7 +29166,9 @@ const settingsController = {
             enableMagicLink,
             magicLinkUrl,
             magicLinkEmailSubject,
-            magicLinkExpiryHours
+            magicLinkExpiryHours,
+            emailVerificationUrl,
+            emailVerificationEmailSubject
           }
         });
       }
@@ -29092,7 +29180,9 @@ const settingsController = {
         enableMagicLink: result.enableMagicLink,
         magicLinkUrl: result.magicLinkUrl,
         magicLinkEmailSubject: result.magicLinkEmailSubject,
-        magicLinkExpiryHours: result.magicLinkExpiryHours
+        magicLinkExpiryHours: result.magicLinkExpiryHours,
+        emailVerificationUrl: result.emailVerificationUrl,
+        emailVerificationEmailSubject: result.emailVerificationEmailSubject
       };
     } catch (error2) {
       throw new ApplicationError$2("Error saving password configuration", {
@@ -29185,6 +29275,14 @@ const admin = {
         policies: ["admin::isAuthenticatedAdmin"]
       }
     },
+    {
+      method: "PUT",
+      path: "/users/sendVerificationEmail/:id",
+      handler: "userController.sendVerificationEmail",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
+    },
     {
       method: "GET",
       path: "/users/:id",
@@ -29283,6 +29381,26 @@ const contentApi = {
         // Public endpoint - token provides authentication
         policies: []
       }
+    },
+    {
+      method: "POST",
+      path: "/sendVerificationEmail",
+      handler: "firebaseController.sendVerificationEmail",
+      config: {
+        auth: false,
+        // Public endpoint - sends email verification link
+        policies: []
+      }
+    },
+    {
+      method: "POST",
+      path: "/verifyEmail",
+      handler: "firebaseController.verifyEmail",
+      config: {
+        auth: false,
+        // Public endpoint - token provides authentication
+        policies: []
+      }
     }
   ]
 };
@@ -29403,7 +29521,10 @@ const settingsService = ({ strapi: strapi2 }) => {
           enableMagicLink: configObject.enableMagicLink || false,
           magicLinkUrl: configObject.magicLinkUrl || "http://localhost:1338/verify-magic-link.html",
           magicLinkEmailSubject: configObject.magicLinkEmailSubject || "Sign in to Your Application",
-          magicLinkExpiryHours: configObject.magicLinkExpiryHours || 1
+          magicLinkExpiryHours: configObject.magicLinkExpiryHours || 1,
+          // Include email verification configuration fields
+          emailVerificationUrl: configObject.emailVerificationUrl || "http://localhost:3000/verify-email",
+          emailVerificationEmailSubject: configObject.emailVerificationEmailSubject || "Verify Your Email"
         };
       } catch (error2) {
         strapi2.log.error(`Firebase config error: ${error2.message}`);
@@ -29446,7 +29567,9 @@ const settingsService = ({ strapi: strapi2 }) => {
           enableMagicLink = false,
           magicLinkUrl = "http://localhost:1338/verify-magic-link.html",
           magicLinkEmailSubject = "Sign in to Your Application",
-          magicLinkExpiryHours = 1
+          magicLinkExpiryHours = 1,
+          emailVerificationUrl = "http://localhost:3000/verify-email",
+          emailVerificationEmailSubject = "Verify Your Email"
         } = requestBody;
         if (!requestBody) throw new ValidationError3(ERROR_MESSAGES.MISSING_DATA);
         try {
@@ -29482,7 +29605,9 @@ const settingsService = ({ strapi: strapi2 }) => {
               enableMagicLink,
               magicLinkUrl,
               magicLinkEmailSubject,
-              magicLinkExpiryHours
+              magicLinkExpiryHours,
+              emailVerificationUrl,
+              emailVerificationEmailSubject
             }
           });
         } else {
@@ -29498,11 +29623,20 @@ const settingsService = ({ strapi: strapi2 }) => {
               enableMagicLink,
               magicLinkUrl,
               magicLinkEmailSubject,
-              magicLinkExpiryHours
+              magicLinkExpiryHours,
+              emailVerificationUrl,
+              emailVerificationEmailSubject
             }
           });
         }
         await strapi2.plugin("firebase-authentication").service("settingsService").init();
+        setImmediate(async () => {
+          try {
+            await strapi2.plugin("firebase-authentication").service("autoLinkService").linkAllUsers(strapi2);
+          } catch (error2) {
+            strapi2.log.error(`Auto-linking after config save failed: ${error2.message}`);
+          }
+        });
         const configData = res.firebaseConfigJson || res.firebase_config_json;
         if (!configData) {
           strapi2.log.error("Firebase config data missing from database response");
@@ -29526,6 +29660,8 @@ const settingsService = ({ strapi: strapi2 }) => {
         res.magicLinkUrl = res.magicLinkUrl || magicLinkUrl;
         res.magicLinkEmailSubject = res.magicLinkEmailSubject || magicLinkEmailSubject;
         res.magicLinkExpiryHours = res.magicLinkExpiryHours || magicLinkExpiryHours;
+        res.emailVerificationUrl = res.emailVerificationUrl || emailVerificationUrl;
+        res.emailVerificationEmailSubject = res.emailVerificationEmailSubject || emailVerificationEmailSubject;
         return res;
       } catch (error2) {
         strapi2.log.error("=== FIREBASE CONFIG SAVE ERROR ===");
@@ -30185,6 +30321,40 @@ const userService = ({ strapi: strapi2 }) => {
         }
         throw new ApplicationError$2(e.message?.toString() || "Failed to reset password");
       }
+    },
+    /**
+     * Send email verification email (admin-initiated)
+     * @param entityId - Firebase UID of the user
+     */
+    sendVerificationEmail: async (entityId) => {
+      try {
+        ensureFirebaseInitialized();
+        const user = await strapi2.firebase.auth().getUser(entityId);
+        if (!user.email) {
+          throw new ApplicationError$2("User does not have an email address");
+        }
+        if (user.emailVerified) {
+          return { success: true, message: "Email is already verified" };
+        }
+        const config2 = await strapi2.db.query("plugin::firebase-authentication.firebase-authentication-configuration").findOne({ where: {} });
+        const emailVerificationUrl = config2?.emailVerificationUrl;
+        if (!emailVerificationUrl) {
+          throw new ApplicationError$2("Email verification URL is not configured");
+        }
+        const firebaseUserData2 = await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").getByFirebaseUID(entityId);
+        if (!firebaseUserData2) {
+          throw new ApplicationError$2("User is not linked to Firebase authentication");
+        }
+        const tokenService2 = strapi2.plugin("firebase-authentication").service("tokenService");
+        const token = await tokenService2.generateVerificationToken(firebaseUserData2.documentId, user.email);
+        const verificationLink = `${emailVerificationUrl}?token=${token}`;
+        strapi2.log.debug(`Generated email verification link for user ${user.email}`);
+        const emailService2 = strapi2.plugin("firebase-authentication").service("emailService");
+        return await emailService2.sendVerificationEmail(user, verificationLink);
+      } catch (e) {
+        strapi2.log.error(`sendVerificationEmail error: ${e.message}`);
+        throw new ApplicationError$2(e.message?.toString() || "Failed to send verification email");
+      }
     }
   };
 };
@@ -30864,6 +31034,159 @@ const firebaseService = ({ strapi: strapi2 }) => ({
         verificationUrl: magicLinkUrl
       };
     }
+  },
+  /**
+   * Send email verification - public endpoint
+   * Generates a verification token and sends an email to the user
+   * Security: Always returns generic success message to prevent email enumeration
+   */
+  async sendVerificationEmail(email2) {
+    strapi2.log.info(`[sendVerificationEmail] Starting email verification for: ${email2}`);
+    if (!email2) {
+      throw new ValidationError$1("Email is required");
+    }
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(email2)) {
+      throw new ValidationError$1("Invalid email format");
+    }
+    const config2 = await strapi2.plugin("firebase-authentication").service("settingsService").getFirebaseConfigJson();
+    const verificationUrl = config2?.emailVerificationUrl;
+    if (!verificationUrl) {
+      throw new ApplicationError$2("Email verification URL is not configured");
+    }
+    if (process.env.NODE_ENV === "production" && !verificationUrl.startsWith("https://")) {
+      throw new ApplicationError$2("Email verification URL must use HTTPS in production");
+    }
+    try {
+      new URL(verificationUrl);
+    } catch (error2) {
+      throw new ApplicationError$2("Email verification URL is not a valid URL format");
+    }
+    try {
+      let firebaseUser;
+      try {
+        firebaseUser = await strapi2.firebase.auth().getUserByEmail(email2);
+      } catch (fbError) {
+        strapi2.log.debug("User not found in Firebase");
+      }
+      if (!firebaseUser) {
+        strapi2.log.warn(`⚠️ [sendVerificationEmail] User not found in Firebase for email: ${email2}`);
+        return { message: "If an account with that email exists, a verification link has been sent." };
+      }
+      if (firebaseUser.emailVerified) {
+        strapi2.log.info(`[sendVerificationEmail] User ${email2} is already verified`);
+        return { message: "Email is already verified." };
+      }
+      const firebaseData = await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").getByFirebaseUID(firebaseUser.uid);
+      if (!firebaseData) {
+        strapi2.log.warn(`⚠️ [sendVerificationEmail] No firebase-user-data record for: ${email2}`);
+        return { message: "If an account with that email exists, a verification link has been sent." };
+      }
+      strapi2.log.info(
+        `✅ [sendVerificationEmail] User found: ${JSON.stringify({
+          firebaseUID: firebaseUser.uid,
+          email: firebaseUser.email,
+          emailVerified: firebaseUser.emailVerified
+        })}`
+      );
+      const tokenService2 = strapi2.plugin("firebase-authentication").service("tokenService");
+      const token = await tokenService2.generateVerificationToken(firebaseData.documentId, email2);
+      const verificationLink = `${verificationUrl}?token=${token}`;
+      strapi2.log.info(`✅ [sendVerificationEmail] Verification link generated for ${email2}`);
+      strapi2.log.info(`[sendVerificationEmail] Attempting to send verification email to: ${email2}`);
+      await strapi2.plugin("firebase-authentication").service("emailService").sendVerificationEmail(firebaseUser, verificationLink);
+      strapi2.log.info(`✅ [sendVerificationEmail] Verification email sent successfully to: ${email2}`);
+      return {
+        message: "If an account with that email exists, a verification link has been sent."
+      };
+    } catch (error2) {
+      strapi2.log.error(
+        `❌ [sendVerificationEmail] ERROR: ${JSON.stringify({
+          email: email2,
+          message: error2.message,
+          code: error2.code,
+          name: error2.name,
+          stack: error2.stack
+        })}`
+      );
+      return {
+        message: "If an account with that email exists, a verification link has been sent."
+      };
+    }
+  },
+  /**
+   * Verify email with token - public endpoint
+   * Validates the token and marks the user's email as verified in Firebase
+   */
+  async verifyEmail(token) {
+    strapi2.log.info(`[verifyEmail] Starting email verification with token`);
+    if (!token) {
+      throw new ValidationError$1("Verification token is required");
+    }
+    const tokenService2 = strapi2.plugin("firebase-authentication").service("tokenService");
+    const validationResult = await tokenService2.validateVerificationToken(token);
+    if (!validationResult.valid) {
+      strapi2.log.warn(`[verifyEmail] Token validation failed: ${validationResult.error}`);
+      throw new ValidationError$1(validationResult.error || "Invalid verification link");
+    }
+    const { firebaseUID, firebaseUserDataDocumentId, email: tokenEmail } = validationResult;
+    try {
+      const firebaseUser = await strapi2.firebase.auth().getUser(firebaseUID);
+      if (tokenEmail && firebaseUser.email !== tokenEmail) {
+        strapi2.log.warn(
+          `[verifyEmail] Email changed: token email ${tokenEmail} != current email ${firebaseUser.email}`
+        );
+        await tokenService2.invalidateVerificationToken(firebaseUserDataDocumentId);
+        throw new ValidationError$1(
+          "Email address has changed since verification was requested. Please request a new verification link."
+        );
+      }
+      if (firebaseUser.emailVerified) {
+        strapi2.log.info(`[verifyEmail] User ${firebaseUser.email} is already verified`);
+        await tokenService2.invalidateVerificationToken(firebaseUserDataDocumentId);
+        return {
+          success: true,
+          message: "Email is already verified."
+        };
+      }
+      await strapi2.firebase.auth().updateUser(firebaseUID, {
+        emailVerified: true
+      });
+      try {
+        const firebaseUserDataService2 = strapi2.plugin("firebase-authentication").service("firebaseUserDataService");
+        const firebaseUserData2 = await firebaseUserDataService2.getByFirebaseUID(firebaseUID);
+        if (firebaseUserData2?.user?.documentId) {
+          await strapi2.db.query("plugin::users-permissions.user").update({
+            where: { documentId: firebaseUserData2.user.documentId },
+            data: { confirmed: true }
+          });
+          strapi2.log.info(`✅ [verifyEmail] Strapi user confirmed for: ${firebaseUserData2.user.documentId}`);
+        }
+      } catch (strapiUpdateError) {
+        strapi2.log.warn(
+          `[verifyEmail] Failed to update Strapi user confirmed status: ${strapiUpdateError.message}`
+        );
+      }
+      strapi2.log.info(`✅ [verifyEmail] Email verified successfully for: ${firebaseUser.email}`);
+      await tokenService2.invalidateVerificationToken(firebaseUserDataDocumentId);
+      return {
+        success: true,
+        message: "Email verified successfully."
+      };
+    } catch (error2) {
+      strapi2.log.error(
+        `❌ [verifyEmail] ERROR: ${JSON.stringify({
+          firebaseUID,
+          message: error2.message,
+          code: error2.code,
+          name: error2.name
+        })}`
+      );
+      if (error2 instanceof ValidationError$1) {
+        throw error2;
+      }
+      throw new ApplicationError$2("Failed to verify email. Please try again.");
+    }
   }
 });
 const passwordResetTemplate = {
@@ -31243,13 +31566,144 @@ The <%= appName %> Team
 Need help? Contact us at <%= supportEmail %>
 <% } %>
 
+© <%= year %> <%= appName %>. All rights reserved.
+  `.trim()
+};
+const emailVerificationTemplate = {
+  subject: "Verify Your Email - <%= appName %>",
+  html: `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Verify Your Email</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; background-color: #f4f4f4;">
+  <table role="presentation" style="width: 100%; border-collapse: collapse; background-color: #f4f4f4;">
+    <tr>
+      <td align="center" style="padding: 40px 0;">
+        <table role="presentation" style="width: 600px; max-width: 100%; background-color: #ffffff; border-radius: 8px; box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);">
+          <!-- Header -->
+          <tr>
+            <td style="padding: 40px 40px 20px 40px; text-align: center;">
+              <h1 style="margin: 0; font-size: 28px; color: #333333; font-weight: 600;">
+                Verify Your Email Address
+              </h1>
+            </td>
+          </tr>
+
+          <!-- Content -->
+          <tr>
+            <td style="padding: 20px 40px;">
+              <p style="margin: 0 0 20px 0; font-size: 16px; line-height: 1.6; color: #555555;">
+                Hello<% if (user.firstName) { %> <%= user.firstName %><% } %>,
+              </p>
+
+              <p style="margin: 0 0 20px 0; font-size: 16px; line-height: 1.6; color: #555555;">
+                Thank you for signing up with <strong><%= appName %></strong>! Please verify your email address <strong><%= user.email %></strong> to complete your registration.
+              </p>
+
+              <p style="margin: 0 0 30px 0; font-size: 16px; line-height: 1.6; color: #555555;">
+                Click the button below to verify your email:
+              </p>
+
+              <!-- CTA Button -->
+              <table role="presentation" style="width: 100%; border-collapse: collapse;">
+                <tr>
+                  <td align="center" style="padding: 0 0 30px 0;">
+                    <a href="<%= verificationLink %>"
+                       style="display: inline-block; padding: 14px 32px; background-color: #28a745; color: #ffffff; text-decoration: none; font-size: 16px; font-weight: 600; border-radius: 5px; transition: background-color 0.3s;">
+                      Verify Email Address
+                    </a>
+                  </td>
+                </tr>
+              </table>
+
+              <p style="margin: 0 0 20px 0; font-size: 14px; line-height: 1.6; color: #777777;">
+                Or copy and paste this link into your browser:
+              </p>
+
+              <p style="margin: 0 0 30px 0; font-size: 14px; line-height: 1.6; word-break: break-all; color: #28a745;">
+                <%= verificationLink %>
+              </p>
+
+              <!-- Security Notice -->
+              <table role="presentation" style="width: 100%; border-collapse: collapse; background-color: #fff3cd; border-radius: 4px; margin: 0 0 20px 0;">
+                <tr>
+                  <td style="padding: 12px 16px;">
+                    <p style="margin: 0; font-size: 14px; line-height: 1.6; color: #856404;">
+                      <strong>⚠️ Important:</strong> This link will expire in <strong><%= expiresIn %></strong>.
+                      If you didn't create an account with us, you can safely ignore this email.
+                    </p>
+                  </td>
+                </tr>
+              </table>
+
+              <p style="margin: 0 0 20px 0; font-size: 16px; line-height: 1.6; color: #555555;">
+                For security reasons, please do not share this link with anyone.
+              </p>
+            </td>
+          </tr>
+
+          <!-- Footer -->
+          <tr>
+            <td style="padding: 30px 40px 40px 40px; border-top: 1px solid #eeeeee;">
+              <p style="margin: 0 0 10px 0; font-size: 14px; line-height: 1.6; color: #999999; text-align: center;">
+                Best regards,<br>
+                The <%= appName %> Team
+              </p>
+
+              <% if (supportEmail) { %>
+              <p style="margin: 0 0 10px 0; font-size: 12px; line-height: 1.6; color: #999999; text-align: center;">
+                Need help? Contact us at <a href="mailto:<%= supportEmail %>" style="color: #28a745; text-decoration: none;"><%= supportEmail %></a>
+              </p>
+              <% } %>
+
+              <p style="margin: 0; font-size: 12px; line-height: 1.6; color: #999999; text-align: center;">
+                © <%= year %> <%= appName %>. All rights reserved.
+              </p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>
+  `.trim(),
+  text: `
+Verify Your Email Address
+
+Hello<% if (user.firstName) { %> <%= user.firstName %><% } %>,
+
+Thank you for signing up with <%= appName %>! Please verify your email address <%= user.email %> to complete your registration.
+
+To verify your email, please visit the following link:
+
+<%= verificationLink %>
+
+This link will expire in <%= expiresIn %>.
+
+If you didn't create an account with us, you can safely ignore this email.
+
+For security reasons, please do not share this link with anyone.
+
+Best regards,
+The <%= appName %> Team
+
+<% if (supportEmail) { %>
+Need help? Contact us at <%= supportEmail %>
+<% } %>
+
 © <%= year %> <%= appName %>. All rights reserved.
   `.trim()
 };
 const defaultTemplates = {
   passwordReset: passwordResetTemplate,
   magicLink: magicLinkTemplate,
-  passwordChanged: passwordChangedTemplate
+  passwordChanged: passwordChangedTemplate,
+  emailVerification: emailVerificationTemplate
 };
 class TemplateService {
   /**
@@ -31661,6 +32115,114 @@ class EmailService {
       message: "Password changed but confirmation email could not be sent"
     };
   }
+  /**
+   * Send email verification email with three-tier fallback system
+   * Tier 1: Strapi Email Plugin (if configured)
+   * Tier 2: Custom Hook Function (if provided in config)
+   * Tier 3: Development Console Logging (dev mode only)
+   */
+  async sendVerificationEmail(user, verificationLink) {
+    if (!user.email) {
+      throw new ValidationError$1("User does not have an email address");
+    }
+    const variables = {
+      user: {
+        email: user.email,
+        firstName: user.firstName || user.displayName?.split(" ")[0],
+        lastName: user.lastName,
+        displayName: user.displayName,
+        phoneNumber: user.phoneNumber,
+        uid: user.uid
+      },
+      verificationLink,
+      expiresIn: "1 hour"
+    };
+    const settingsService2 = strapi.plugin("firebase-authentication").service("settingsService");
+    const dbConfig = await settingsService2.getFirebaseConfigJson();
+    const customSubject = dbConfig?.emailVerificationEmailSubject;
+    const pluginConfig = strapi.config.get("plugin::firebase-authentication");
+    const appConfig = pluginConfig?.app || {};
+    const completeVariables = {
+      ...variables,
+      appName: appConfig?.name || "Your Application",
+      appUrl: appConfig?.url || process.env.PUBLIC_URL || "http://localhost:3000",
+      supportEmail: appConfig?.supportEmail,
+      year: (/* @__PURE__ */ new Date()).getFullYear(),
+      expiresIn: variables.expiresIn
+    };
+    const templateService2 = strapi.plugin("firebase-authentication").service("templateService");
+    const template = await templateService2.getTemplate("emailVerification");
+    const subjectTemplate = customSubject || template.subject;
+    const compiledSubject = _$1.template(subjectTemplate)(completeVariables);
+    try {
+      const compiledHtml = template.html ? _$1.template(template.html)(completeVariables) : void 0;
+      const compiledText = template.text ? _$1.template(template.text)(completeVariables) : void 0;
+      const emailPlugin = strapi.plugin("email");
+      if (!emailPlugin) {
+        throw new Error("Email plugin not found");
+      }
+      const emailService2 = emailPlugin.service("email");
+      await emailService2.send({
+        to: user.email,
+        subject: compiledSubject,
+        html: compiledHtml,
+        text: compiledText
+      });
+      strapi.log.info(`✅ Email verification sent via Strapi email plugin to ${user.email}`);
+      return {
+        success: true,
+        message: `Verification email sent to ${user.email}`
+      };
+    } catch (tier1Error) {
+      strapi.log.debug(`Strapi email plugin failed: ${tier1Error.message}. Trying fallback options...`);
+    }
+    const customSender = pluginConfig?.sendVerificationEmail;
+    if (customSender && typeof customSender === "function") {
+      try {
+        const compiledHtml = template.html ? _$1.template(template.html)(completeVariables) : void 0;
+        const compiledText = template.text ? _$1.template(template.text)(completeVariables) : void 0;
+        await customSender({
+          to: user.email,
+          subject: compiledSubject,
+          html: compiledHtml,
+          text: compiledText,
+          verificationLink,
+          variables: completeVariables
+        });
+        strapi.log.info(`✅ Email verification sent via custom hook to ${user.email}`);
+        return {
+          success: true,
+          message: `Verification email sent to ${user.email}`
+        };
+      } catch (tier2Error) {
+        strapi.log.error(`Custom hook failed: ${tier2Error.message}. Continuing to next fallback...`);
+      }
+    }
+    if (process.env.NODE_ENV !== "production") {
+      try {
+        strapi.log.info("\n" + "=".repeat(80));
+        strapi.log.info("EMAIL VERIFICATION (Development Mode)");
+        strapi.log.info("=".repeat(80));
+        strapi.log.info(`To: ${user.email}`);
+        strapi.log.info(`Subject: ${compiledSubject}`);
+        strapi.log.info(`Verification Link: ${verificationLink}`);
+        strapi.log.info(`Expires In: 1 hour`);
+        strapi.log.info("=".repeat(80));
+        strapi.log.info("Note: Email not sent - no email service configured");
+        strapi.log.info("Copy the link above and open in your browser to verify");
+        strapi.log.info("=".repeat(80) + "\n");
+        return {
+          success: true,
+          message: "Verification link logged to console (development mode)"
+        };
+      } catch (tier3Error) {
+        strapi.log.error(`Development fallback failed: ${tier3Error.message}`);
+      }
+    }
+    throw new ApplicationError$2(
+      "Email service is not configured. Please configure Strapi email plugin or provide custom sendVerificationEmail function in plugin config."
+    );
+  }
 }
 const emailService = ({ strapi: strapi2 }) => new EmailService();
 const firebaseUserDataService = ({ strapi: strapi2 }) => ({
@@ -35114,6 +35676,125 @@ const tokenService = ({ strapi: strapi2 }) => {
         }
       });
       strapi2.log.debug(`Invalidated reset token for user ${firebaseUserDataDocumentId}`);
+    },
+    // ==================== EMAIL VERIFICATION TOKENS ====================
+    /**
+     * Generate an email verification token for a user
+     * @param firebaseUserDataDocumentId - The documentId of the firebase-user-data record
+     * @param email - The email address at time of request (for change detection)
+     * @returns The JWT token to include in the verification URL
+     */
+    async generateVerificationToken(firebaseUserDataDocumentId, email2) {
+      const signingKey = getSigningKey();
+      const jti = crypto$1.randomBytes(32).toString("hex");
+      const payload = {
+        sub: firebaseUserDataDocumentId,
+        purpose: "email-verification",
+        email: email2,
+        jti
+      };
+      const token = jwt.sign(payload, signingKey, {
+        expiresIn: "1h"
+      });
+      const tokenHash = crypto$1.createHash("sha256").update(jti).digest("hex");
+      const expiresAt = new Date(Date.now() + 60 * 60 * 1e3);
+      await strapi2.db.query(FIREBASE_USER_DATA_CONTENT_TYPE).update({
+        where: { documentId: firebaseUserDataDocumentId },
+        data: {
+          verificationTokenHash: tokenHash,
+          verificationTokenExpiresAt: expiresAt.toISOString()
+        }
+      });
+      strapi2.log.debug(`Generated verification token for user ${firebaseUserDataDocumentId}`);
+      return token;
+    },
+    /**
+     * Validate an email verification token
+     * @param token - The JWT token from the verification URL
+     * @returns Validation result with user info and email if valid
+     */
+    async validateVerificationToken(token) {
+      const signingKey = getSigningKey();
+      try {
+        const decoded = jwt.verify(token, signingKey);
+        if (decoded.purpose !== "email-verification") {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "Invalid token purpose"
+          };
+        }
+        const tokenHash = crypto$1.createHash("sha256").update(decoded.jti).digest("hex");
+        const firebaseUserData2 = await strapi2.db.query(FIREBASE_USER_DATA_CONTENT_TYPE).findOne({
+          where: { documentId: decoded.sub }
+        });
+        if (!firebaseUserData2) {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "User not found"
+          };
+        }
+        if (firebaseUserData2.verificationTokenHash !== tokenHash) {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "Verification link has already been used or is invalid"
+          };
+        }
+        if (firebaseUserData2.verificationTokenExpiresAt) {
+          const expiresAt = new Date(firebaseUserData2.verificationTokenExpiresAt);
+          if (expiresAt < /* @__PURE__ */ new Date()) {
+            return {
+              valid: false,
+              firebaseUserDataDocumentId: "",
+              firebaseUID: "",
+              error: "Verification link has expired"
+            };
+          }
+        }
+        return {
+          valid: true,
+          firebaseUserDataDocumentId: firebaseUserData2.documentId,
+          firebaseUID: firebaseUserData2.firebaseUserID,
+          email: decoded.email
+        };
+      } catch (error2) {
+        if (error2.name === "TokenExpiredError") {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "Verification link has expired"
+          };
+        }
+        if (error2.name === "JsonWebTokenError") {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "Invalid verification link"
+          };
+        }
+        throw error2;
+      }
+    },
+    /**
+     * Invalidate a verification token after use
+     * @param firebaseUserDataDocumentId - The documentId of the firebase-user-data record
+     */
+    async invalidateVerificationToken(firebaseUserDataDocumentId) {
+      await strapi2.db.query(FIREBASE_USER_DATA_CONTENT_TYPE).update({
+        where: { documentId: firebaseUserDataDocumentId },
+        data: {
+          verificationTokenHash: null,
+          verificationTokenExpiresAt: null
+        }
+      });
+      strapi2.log.debug(`Invalidated verification token for user ${firebaseUserDataDocumentId}`);
     }
   };
 };