strapi-plugin-firebase-authentication 1.1.12 → 1.2.1

package/dist/server/index.js

@@ -230,7 +230,7 @@ const register = ({ strapi: strapi2 }) => {
 const config$1 = {
   default: ({ env: env2 }) => ({
     firebaseJsonEncryptionKey: env2("FIREBASE_JSON_ENCRYPTION_KEY", "your-key-here"),
-    emailRequired: true,
+    emailRequired: env2.bool("FIREBASE_EMAIL_REQUIRED", false),
     emailPattern: "{randomString}@phone-user.firebase.local"
   }),
   validator(config2) {
@@ -321,6 +321,15 @@ const attributes$1 = {
     minimum: 1,
     maximum: 72,
     description: "How long the magic link remains valid (in hours)"
+  },
+  emailVerificationUrl: {
+    type: "string",
+    "default": "http://localhost:3000/verify-email",
+    description: "URL where users will be redirected to verify their email"
+  },
+  emailVerificationEmailSubject: {
+    type: "string",
+    "default": "Verify Your Email"
   }
 };
 const firebaseAuthenticationConfiguration = {
@@ -371,6 +380,13 @@ const attributes = {
   },
   resetTokenExpiresAt: {
     type: "datetime"
+  },
+  verificationTokenHash: {
+    type: "string",
+    "private": true
+  },
+  verificationTokenExpiresAt: {
+    type: "datetime"
   }
 };
 const firebaseUserData = {
@@ -385,238 +401,6 @@ const contentTypes = {
   "firebase-authentication-configuration": { schema: firebaseAuthenticationConfiguration },
   "firebase-user-data": { schema: firebaseUserData }
 };
-const pluginName = "firebase-authentication";
-const PLUGIN_NAME = "firebase-authentication";
-const PLUGIN_UID = `plugin::${PLUGIN_NAME}`;
-const CONFIG_CONTENT_TYPE = `${PLUGIN_UID}.firebase-authentication-configuration`;
-const DEFAULT_PASSWORD_RESET_URL = "http://localhost:3000/reset-password";
-const DEFAULT_PASSWORD_REGEX = "^.{6,}$";
-const DEFAULT_PASSWORD_MESSAGE = "Password must be at least 6 characters long";
-const DEFAULT_RESET_EMAIL_SUBJECT = "Reset Your Password";
-const ERROR_MESSAGES = {
-  FIREBASE_NOT_INITIALIZED: "Firebase is not initialized. Please upload Firebase service account configuration via Settings → Firebase Authentication.",
-  INVALID_JSON: "Invalid JSON format. Please ensure you copied the entire JSON content correctly.",
-  MISSING_DATA: "data is missing",
-  SOMETHING_WENT_WRONG: "Something went wrong",
-  AUTHENTICATION_FAILED: "Authentication failed",
-  TOKEN_MISSING: "idToken is missing!",
-  EMAIL_PASSWORD_REQUIRED: "Email and password are required",
-  PASSWORD_REQUIRED: "Password is required",
-  AUTHORIZATION_REQUIRED: "Authorization token is required",
-  INVALID_TOKEN: "Invalid or expired token",
-  USER_NOT_FOUND: "User not found",
-  USER_NO_EMAIL: "User does not have an email address",
-  FIREBASE_LINK_FAILED: "Failed to generate Firebase reset link",
-  CONFIG_NOT_FOUND: "No config found",
-  INVALID_SERVICE_ACCOUNT: "Invalid service account JSON",
-  WEB_API_NOT_CONFIGURED: "Email/password authentication is not available. Web API Key is not configured.",
-  RESET_URL_NOT_CONFIGURED: "Password reset URL is not configured",
-  RESET_URL_MUST_BE_HTTPS: "Password reset URL must use HTTPS in production",
-  RESET_URL_INVALID_FORMAT: "Password reset URL is not a valid URL format",
-  USER_NOT_LINKED_FIREBASE: "User is not linked to Firebase authentication",
-  OVERRIDE_USER_ID_REQUIRED: "Override user ID is required",
-  EITHER_EMAIL_OR_PHONE_REQUIRED: "Either email or phoneNumber is required",
-  DELETION_NO_CONFIG: "No Firebase configs exists for deletion"
-};
-const SUCCESS_MESSAGES = {
-  FIREBASE_INITIALIZED: "Firebase successfully initialized",
-  FIREBASE_CONFIG_DELETED: "Firebase config deleted and reinitialized",
-  PASSWORD_RESET_EMAIL_SENT: "If an account with that email exists, a password reset link has been sent.",
-  SERVER_RESTARTING: "SERVER IS RESTARTING"
-};
-const CONFIG_KEYS = {
-  ENCRYPTION_KEY: `${PLUGIN_UID}.FIREBASE_JSON_ENCRYPTION_KEY`
-};
-const REQUIRED_FIELDS = {
-  SERVICE_ACCOUNT: ["private_key", "client_email", "project_id", "type"],
-  WEB_CONFIG: ["apiKey", "authDomain"]
-  // These indicate wrong JSON type
-};
-const VALIDATION_MESSAGES = {
-  INVALID_SERVICE_ACCOUNT: "Invalid Service Account JSON. Missing required fields:",
-  WRONG_JSON_TYPE: "You uploaded a Web App Config (SDK snippet) instead of a Service Account JSON. Please go to Firebase Console → Service Accounts tab → Generate New Private Key to download the correct file.",
-  SERVICE_ACCOUNT_HELP: "Please download the correct JSON from Firebase Console → Service Accounts → Generate New Private Key. Do NOT use the Web App Config (SDK snippet) - that is a different file!"
-};
-const firebaseController = {
-  async validateToken(ctx) {
-    strapi.log.debug("validateToken called");
-    try {
-      const { idToken, profileMetaData } = ctx.request.body || {};
-      const populate2 = ctx.request.query.populate || [];
-      if (!idToken) {
-        return ctx.badRequest(ERROR_MESSAGES.TOKEN_MISSING);
-      }
-      const result = await strapi.plugin(pluginName).service("firebaseService").validateFirebaseToken(idToken, profileMetaData, populate2);
-      ctx.body = result;
-    } catch (error2) {
-      strapi.log.error(`validateToken controller error: ${error2.message}`);
-      if (error2.name === "ValidationError") {
-        return ctx.badRequest(error2.message);
-      }
-      if (error2.name === "UnauthorizedError") {
-        return ctx.unauthorized(error2.message);
-      }
-      throw error2;
-    }
-  },
-  async deleteByEmail(email2) {
-    const user = await strapi.firebase.auth().getUserByEmail(email2);
-    await strapi.plugin(pluginName).service("firebaseService").delete(user.toJSON().uid);
-    return user.toJSON();
-  },
-  async overrideAccess(ctx) {
-    try {
-      const { overrideUserId } = ctx.request.body || {};
-      const populate2 = ctx.request.query.populate || [];
-      const result = await strapi.plugin(pluginName).service("firebaseService").overrideFirebaseAccess(overrideUserId, populate2);
-      ctx.body = result;
-    } catch (error2) {
-      if (error2.name === "ValidationError") {
-        return ctx.badRequest(error2.message);
-      }
-      if (error2.name === "NotFoundError") {
-        return ctx.notFound(error2.message);
-      }
-      throw error2;
-    }
-  },
-  /**
-   * Controller method for email/password authentication
-   * Handles the `/api/firebase-authentication/emailLogin` endpoint
-   *
-   * @param ctx - Koa context object
-   * @returns Promise that sets ctx.body with user data and JWT or error message
-   *
-   * @remarks
-   * This controller acts as a proxy to Firebase's Identity Toolkit API,
-   * allowing users to authenticate with email/password and receive a Strapi JWT.
-   *
-   * HTTP Status Codes:
-   * - `400`: Validation errors (missing credentials, invalid email/password)
-   * - `500`: Server errors (missing configuration, Firebase API issues)
-   */
-  async emailLogin(ctx) {
-    strapi.log.debug("emailLogin controller");
-    try {
-      const { email: email2, password } = ctx.request.body || {};
-      const populate2 = ctx.request.query.populate || [];
-      const result = await strapi.plugin(pluginName).service("firebaseService").emailLogin(email2, password, populate2);
-      ctx.body = result;
-    } catch (error2) {
-      strapi.log.error("emailLogin controller error:", error2);
-      if (error2.name === "ValidationError") {
-        ctx.status = 400;
-      } else if (error2.name === "ApplicationError") {
-        ctx.status = 500;
-      } else {
-        ctx.status = 500;
-      }
-      ctx.body = { error: error2.message };
-    }
-  },
-  /**
-   * Forgot password - sends reset email
-   * POST /api/firebase-authentication/forgotPassword
-   * Public endpoint - no authentication required
-   */
-  async forgotPassword(ctx) {
-    strapi.log.debug("forgotPassword endpoint called");
-    try {
-      const { email: email2 } = ctx.request.body || {};
-      ctx.body = await strapi.plugin(pluginName).service("firebaseService").forgotPassword(email2);
-    } catch (error2) {
-      strapi.log.error("forgotPassword controller error:", error2);
-      if (error2.name === "ValidationError") {
-        ctx.status = 400;
-      } else if (error2.name === "NotFoundError") {
-        ctx.status = 404;
-      } else {
-        ctx.status = 500;
-      }
-      ctx.body = { error: error2.message };
-    }
-  },
-  /**
-   * Reset password - authenticated password change
-   * POST /api/firebase-authentication/resetPassword
-   * Public endpoint - requires valid JWT in Authorization header
-   * Used for admin-initiated resets or user self-service password changes
-   * NOT used for forgot password email flow (which uses Firebase's hosted UI)
-   */
-  async resetPassword(ctx) {
-    strapi.log.debug("resetPassword endpoint called");
-    try {
-      const { password } = ctx.request.body || {};
-      const token = ctx.request.headers.authorization?.replace("Bearer ", "");
-      const populate2 = ctx.request.query.populate || [];
-      ctx.body = await strapi.plugin(pluginName).service("firebaseService").resetPassword(password, token, populate2);
-    } catch (error2) {
-      strapi.log.error("resetPassword controller error:", error2);
-      if (error2.name === "ValidationError" || error2.name === "UnauthorizedError") {
-        ctx.status = 401;
-      } else {
-        ctx.status = 500;
-      }
-      ctx.body = { error: error2.message };
-    }
-  },
-  async requestMagicLink(ctx) {
-    try {
-      const { email: email2 } = ctx.request.body || {};
-      const result = await strapi.plugin("firebase-authentication").service("firebaseService").requestMagicLink(email2);
-      ctx.body = result;
-    } catch (error2) {
-      if (error2.name === "ValidationError" || error2.name === "ApplicationError") {
-        throw error2;
-      }
-      strapi.log.error("requestMagicLink controller error:", error2);
-      ctx.body = {
-        success: false,
-        message: "An error occurred while processing your request"
-      };
-    }
-  },
-  /**
-   * Reset password using custom JWT token
-   * POST /api/firebase-authentication/resetPasswordWithToken
-   * Public endpoint - token provides authentication
-   *
-   * @param ctx - Koa context with { token, newPassword } in body
-   * @returns { success: true, message: "Password has been reset successfully" }
-   */
-  async resetPasswordWithToken(ctx) {
-    strapi.log.debug("resetPasswordWithToken endpoint called");
-    try {
-      const { token, newPassword } = ctx.request.body || {};
-      if (!token) {
-        ctx.status = 400;
-        ctx.body = { error: "Token is required" };
-        return;
-      }
-      if (!newPassword) {
-        ctx.status = 400;
-        ctx.body = { error: "New password is required" };
-        return;
-      }
-      const result = await strapi.plugin(pluginName).service("userService").resetPasswordWithToken(token, newPassword);
-      ctx.body = result;
-    } catch (error2) {
-      strapi.log.error("resetPasswordWithToken controller error:", error2);
-      if (error2.name === "ValidationError") {
-        ctx.status = 400;
-        ctx.body = { error: error2.message };
-        return;
-      }
-      if (error2.name === "NotFoundError") {
-        ctx.status = 404;
-        ctx.body = { error: error2.message };
-        return;
-      }
-      ctx.status = 500;
-      ctx.body = { error: "An error occurred while resetting your password" };
-    }
-  }
-};
 var commonjsGlobal = typeof globalThis !== "undefined" ? globalThis : typeof window !== "undefined" ? window : typeof global !== "undefined" ? global : typeof self !== "undefined" ? self : {};
 function getDefaultExportFromCjs(x) {
   return x && x.__esModule && Object.prototype.hasOwnProperty.call(x, "default") ? x["default"] : x;
@@ -631,7 +415,7 @@ var lodash = { exports: {} };
  * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
  */
 lodash.exports;
-(function(module2, exports2) {
+(function(module2, exports$1) {
   (function() {
     var undefined$1;
     var VERSION = "4.17.21";
@@ -959,7 +743,7 @@ lodash.exports;
     var freeGlobal2 = typeof commonjsGlobal == "object" && commonjsGlobal && commonjsGlobal.Object === Object && commonjsGlobal;
     var freeSelf2 = typeof self == "object" && self && self.Object === Object && self;
     var root2 = freeGlobal2 || freeSelf2 || Function("return this")();
-    var freeExports = exports2 && !exports2.nodeType && exports2;
+    var freeExports = exports$1 && !exports$1.nodeType && exports$1;
     var freeModule = freeExports && true && module2 && !module2.nodeType && module2;
     var moduleExports = freeModule && freeModule.exports === freeExports;
     var freeProcess = moduleExports && freeGlobal2.process;
@@ -6189,7 +5973,7 @@ var lodash_min = { exports: {} };
  * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
  */
 lodash_min.exports;
-(function(module2, exports2) {
+(function(module2, exports$1) {
   (function() {
     function n(n2, t3, r2) {
       switch (r2.length) {
@@ -6622,7 +6406,7 @@ lodash_min.exports;
       "œ": "oe",
       "ʼn": "'n",
       "ſ": "s"
-    }, Hr = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }, Jr = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" }, Yr = { "\\": "\\", "'": "'", "\n": "n", "\r": "r", "\u2028": "u2028", "\u2029": "u2029" }, Qr = parseFloat, Xr = parseInt, ne = "object" == typeof commonjsGlobal && commonjsGlobal && commonjsGlobal.Object === Object && commonjsGlobal, te = "object" == typeof self && self && self.Object === Object && self, re2 = ne || te || Function("return this")(), ee = exports2 && !exports2.nodeType && exports2, ue = ee && true && module2 && !module2.nodeType && module2, ie = ue && ue.exports === ee, oe = ie && ne.process, fe = function() {
+    }, Hr = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }, Jr = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" }, Yr = { "\\": "\\", "'": "'", "\n": "n", "\r": "r", "\u2028": "u2028", "\u2029": "u2029" }, Qr = parseFloat, Xr = parseInt, ne = "object" == typeof commonjsGlobal && commonjsGlobal && commonjsGlobal.Object === Object && commonjsGlobal, te = "object" == typeof self && self && self.Object === Object && self, re2 = ne || te || Function("return this")(), ee = exports$1 && !exports$1.nodeType && exports$1, ue = ee && true && module2 && !module2.nodeType && module2, ie = ue && ue.exports === ee, oe = ie && ne.process, fe = function() {
       try {
         var n2 = ue && ue.require && ue.require("util").types;
         return n2 ? n2 : oe && oe.binding && oe.binding("util");
@@ -9295,8 +9079,8 @@ lodash_min.exports;
 })(lodash_min, lodash_min.exports);
 var lodash_minExports = lodash_min.exports;
 var _mapping = {};
-(function(exports2) {
-  exports2.aliasToReal = {
+(function(exports$1) {
+  exports$1.aliasToReal = {
     // Lodash aliases.
     "each": "forEach",
     "eachRight": "forEachRight",
@@ -9361,7 +9145,7 @@ var _mapping = {};
     "whereEq": "isMatch",
     "zipObj": "zipObject"
   };
-  exports2.aryMethod = {
+  exports$1.aryMethod = {
     "1": [
       "assignAll",
       "assignInAll",
@@ -9596,12 +9380,12 @@ var _mapping = {};
       "updateWith"
     ]
   };
-  exports2.aryRearg = {
+  exports$1.aryRearg = {
     "2": [1, 0],
     "3": [2, 0, 1],
     "4": [3, 2, 0, 1]
   };
-  exports2.iterateeAry = {
+  exports$1.iterateeAry = {
     "dropRightWhile": 1,
     "dropWhile": 1,
     "every": 1,
@@ -9639,11 +9423,11 @@ var _mapping = {};
     "times": 1,
     "transform": 2
   };
-  exports2.iterateeRearg = {
+  exports$1.iterateeRearg = {
     "mapKeys": [1],
     "reduceRight": [1, 0]
   };
-  exports2.methodRearg = {
+  exports$1.methodRearg = {
     "assignInAllWith": [1, 0],
     "assignInWith": [1, 2, 0],
     "assignAllWith": [1, 0],
@@ -9674,7 +9458,7 @@ var _mapping = {};
     "xorWith": [1, 2, 0],
     "zipWith": [1, 2, 0]
   };
-  exports2.methodSpread = {
+  exports$1.methodSpread = {
     "assignAll": { "start": 0 },
     "assignAllWith": { "start": 0 },
     "assignInAll": { "start": 0 },
@@ -9690,7 +9474,7 @@ var _mapping = {};
     "without": { "start": 1 },
     "zipAll": { "start": 0 }
   };
-  exports2.mutate = {
+  exports$1.mutate = {
     "array": {
       "fill": true,
       "pull": true,
@@ -9727,8 +9511,8 @@ var _mapping = {};
       "updateWith": true
     }
   };
-  exports2.realToAlias = function() {
-    var hasOwnProperty2 = Object.prototype.hasOwnProperty, object2 = exports2.aliasToReal, result = {};
+  exports$1.realToAlias = function() {
+    var hasOwnProperty2 = Object.prototype.hasOwnProperty, object2 = exports$1.aliasToReal, result = {};
     for (var key in object2) {
       var value = object2[key];
       if (hasOwnProperty2.call(result, value)) {
@@ -9739,7 +9523,7 @@ var _mapping = {};
     }
     return result;
   }();
-  exports2.remap = {
+  exports$1.remap = {
     "assignAll": "assign",
     "assignAllWith": "assignWith",
     "assignInAll": "assignIn",
@@ -9773,7 +9557,7 @@ var _mapping = {};
     "trimCharsStart": "trimStart",
     "zipAll": "zip"
   };
-  exports2.skipFixed = {
+  exports$1.skipFixed = {
     "castArray": true,
     "flow": true,
     "flowRight": true,
@@ -9782,7 +9566,7 @@ var _mapping = {};
     "rearg": true,
     "runInContext": true
   };
-  exports2.skipRearg = {
+  exports$1.skipRearg = {
     "add": true,
     "assign": true,
     "assignIn": true,
@@ -10236,13 +10020,13 @@ const traverseEntity = async (visitor2, options2, entity) => {
     if (fp.isNil(value) || fp.isNil(attribute)) {
       continue;
     }
-    parent = {
-      schema: schema2,
-      key,
-      attribute,
-      path: newPath
-    };
     if (isRelationalAttribute(attribute)) {
+      parent = {
+        schema: schema2,
+        key,
+        attribute,
+        path: newPath
+      };
       const isMorphRelation = attribute.relation.toLowerCase().startsWith("morph");
       const method = isMorphRelation ? traverseMorphRelationTarget : traverseRelationTarget(getModel(attribute.target));
       if (fp.isArray(value)) {
@@ -10261,6 +10045,12 @@ const traverseEntity = async (visitor2, options2, entity) => {
       continue;
     }
     if (isMediaAttribute(attribute)) {
+      parent = {
+        schema: schema2,
+        key,
+        attribute,
+        path: newPath
+      };
       if (fp.isArray(value)) {
         const res = new Array(value.length);
         for (let i2 = 0; i2 < value.length; i2 += 1) {
@@ -10277,6 +10067,12 @@ const traverseEntity = async (visitor2, options2, entity) => {
       continue;
     }
     if (attribute.type === "component") {
+      parent = {
+        schema: schema2,
+        key,
+        attribute,
+        path: newPath
+      };
       const targetSchema = getModel(attribute.component);
       if (fp.isArray(value)) {
         const res = new Array(value.length);
@@ -10294,6 +10090,12 @@ const traverseEntity = async (visitor2, options2, entity) => {
       continue;
     }
     if (attribute.type === "dynamiczone" && fp.isArray(value)) {
+      parent = {
+        schema: schema2,
+        key,
+        attribute,
+        path: newPath
+      };
       const res = new Array(value.length);
       for (let i2 = 0; i2 < value.length; i2 += 1) {
         const arrayPath = {
@@ -10318,7 +10120,7 @@ const createVisitorUtils = ({ data }) => ({
 });
 fp.curry(traverseEntity);
 var dist = { exports: {} };
-(function(module2, exports2) {
+(function(module2, exports$1) {
   !function(t2, n) {
     module2.exports = n(require$$0__default.default, crypto__default.default);
   }(commonjsGlobal, function(t2, n) {
@@ -11866,9 +11668,9 @@ function stubFalse() {
 }
 var stubFalse_1 = stubFalse;
 isBuffer$2.exports;
-(function(module2, exports2) {
+(function(module2, exports$1) {
   var root2 = _root, stubFalse2 = stubFalse_1;
-  var freeExports = exports2 && !exports2.nodeType && exports2;
+  var freeExports = exports$1 && !exports$1.nodeType && exports$1;
   var freeModule = freeExports && true && module2 && !module2.nodeType && module2;
   var moduleExports = freeModule && freeModule.exports === freeExports;
   var Buffer2 = moduleExports ? root2.Buffer : void 0;
@@ -11895,9 +11697,9 @@ function baseUnary$1(func) {
 var _baseUnary = baseUnary$1;
 var _nodeUtil = { exports: {} };
 _nodeUtil.exports;
-(function(module2, exports2) {
+(function(module2, exports$1) {
   var freeGlobal2 = _freeGlobal;
-  var freeExports = exports2 && !exports2.nodeType && exports2;
+  var freeExports = exports$1 && !exports$1.nodeType && exports$1;
   var freeModule = freeExports && true && module2 && !module2.nodeType && module2;
   var moduleExports = freeModule && freeModule.exports === freeExports;
   var freeProcess = moduleExports && freeGlobal2.process;
@@ -14856,7 +14658,7 @@ function toIdentifier(str2) {
       Object.defineProperty(func, "name", desc);
     }
   }
-  function populateConstructorExports(exports2, codes2, HttpError) {
+  function populateConstructorExports(exports$1, codes2, HttpError) {
     codes2.forEach(function forEachCode(code) {
       var CodeError;
       var name = toIdentifier2(statuses$1.message[code]);
@@ -14869,8 +14671,8 @@ function toIdentifier(str2) {
           break;
       }
       if (CodeError) {
-        exports2[code] = CodeError;
-        exports2[name] = CodeError;
+        exports$1[code] = CodeError;
+        exports$1[name] = CodeError;
       }
     });
   }
@@ -14892,7 +14694,7 @@ const formatYupErrors = (yupError) => ({
   message: yupError.message
 });
 let ApplicationError$2 = class ApplicationError extends Error {
-  constructor(message = "An application error occured", details = {}) {
+  constructor(message = "An application error occurred", details = {}) {
     super();
     this.name = "ApplicationError";
     this.message = message;
@@ -18088,8 +17890,8 @@ pkgDir$1.exports.sync = (cwd2) => {
 };
 var pkgDirExports = pkgDir$1.exports;
 var utils$8 = {};
-(function(exports2) {
-  exports2.isInteger = (num) => {
+(function(exports$1) {
+  exports$1.isInteger = (num) => {
     if (typeof num === "number") {
       return Number.isInteger(num);
     }
@@ -18098,13 +17900,13 @@ var utils$8 = {};
     }
     return false;
   };
-  exports2.find = (node, type2) => node.nodes.find((node2) => node2.type === type2);
-  exports2.exceedsLimit = (min, max, step = 1, limit) => {
+  exports$1.find = (node, type2) => node.nodes.find((node2) => node2.type === type2);
+  exports$1.exceedsLimit = (min, max, step = 1, limit) => {
     if (limit === false) return false;
-    if (!exports2.isInteger(min) || !exports2.isInteger(max)) return false;
+    if (!exports$1.isInteger(min) || !exports$1.isInteger(max)) return false;
     return (Number(max) - Number(min)) / Number(step) >= limit;
   };
-  exports2.escapeNode = (block, n = 0, type2) => {
+  exports$1.escapeNode = (block, n = 0, type2) => {
     const node = block.nodes[n];
     if (!node) return;
     if (type2 && node.type === type2 || node.type === "open" || node.type === "close") {
@@ -18114,7 +17916,7 @@ var utils$8 = {};
       }
     }
   };
-  exports2.encloseBrace = (node) => {
+  exports$1.encloseBrace = (node) => {
     if (node.type !== "brace") return false;
     if (node.commas >> 0 + node.ranges >> 0 === 0) {
       node.invalid = true;
@@ -18122,7 +17924,7 @@ var utils$8 = {};
     }
     return false;
   };
-  exports2.isInvalidBrace = (block) => {
+  exports$1.isInvalidBrace = (block) => {
     if (block.type !== "brace") return false;
     if (block.invalid === true || block.dollar) return true;
     if (block.commas >> 0 + block.ranges >> 0 === 0) {
@@ -18135,18 +17937,18 @@ var utils$8 = {};
     }
     return false;
   };
-  exports2.isOpenOrClose = (node) => {
+  exports$1.isOpenOrClose = (node) => {
     if (node.type === "open" || node.type === "close") {
       return true;
     }
     return node.open === true || node.close === true;
   };
-  exports2.reduce = (nodes) => nodes.reduce((acc, node) => {
+  exports$1.reduce = (nodes) => nodes.reduce((acc, node) => {
     if (node.type === "text") acc.push(node.value);
     if (node.type === "range") node.type = "text";
     return acc;
   }, []);
-  exports2.flatten = (...args) => {
+  exports$1.flatten = (...args) => {
     const result = [];
     const flat = (arr) => {
       for (let i = 0; i < arr.length; i++) {
@@ -19248,7 +19050,7 @@ var constants$5 = {
     return win32 === true ? WINDOWS_CHARS : POSIX_CHARS;
   }
 };
-(function(exports2) {
+(function(exports$1) {
   const path2 = require$$0__namespace.default;
   const win32 = process.platform === "win32";
   const {
@@ -19257,36 +19059,36 @@ var constants$5 = {
     REGEX_SPECIAL_CHARS,
     REGEX_SPECIAL_CHARS_GLOBAL
   } = constants$5;
-  exports2.isObject = (val) => val !== null && typeof val === "object" && !Array.isArray(val);
-  exports2.hasRegexChars = (str2) => REGEX_SPECIAL_CHARS.test(str2);
-  exports2.isRegexChar = (str2) => str2.length === 1 && exports2.hasRegexChars(str2);
-  exports2.escapeRegex = (str2) => str2.replace(REGEX_SPECIAL_CHARS_GLOBAL, "\\$1");
-  exports2.toPosixSlashes = (str2) => str2.replace(REGEX_BACKSLASH, "/");
-  exports2.removeBackslashes = (str2) => {
+  exports$1.isObject = (val) => val !== null && typeof val === "object" && !Array.isArray(val);
+  exports$1.hasRegexChars = (str2) => REGEX_SPECIAL_CHARS.test(str2);
+  exports$1.isRegexChar = (str2) => str2.length === 1 && exports$1.hasRegexChars(str2);
+  exports$1.escapeRegex = (str2) => str2.replace(REGEX_SPECIAL_CHARS_GLOBAL, "\\$1");
+  exports$1.toPosixSlashes = (str2) => str2.replace(REGEX_BACKSLASH, "/");
+  exports$1.removeBackslashes = (str2) => {
     return str2.replace(REGEX_REMOVE_BACKSLASH, (match) => {
       return match === "\\" ? "" : match;
     });
   };
-  exports2.supportsLookbehinds = () => {
+  exports$1.supportsLookbehinds = () => {
     const segs = process.version.slice(1).split(".").map(Number);
     if (segs.length === 3 && segs[0] >= 9 || segs[0] === 8 && segs[1] >= 10) {
       return true;
     }
     return false;
   };
-  exports2.isWindows = (options2) => {
+  exports$1.isWindows = (options2) => {
     if (options2 && typeof options2.windows === "boolean") {
       return options2.windows;
     }
     return win32 === true || path2.sep === "\\";
   };
-  exports2.escapeLast = (input, char, lastIdx) => {
+  exports$1.escapeLast = (input, char, lastIdx) => {
     const idx = input.lastIndexOf(char, lastIdx);
     if (idx === -1) return input;
-    if (input[idx - 1] === "\\") return exports2.escapeLast(input, char, idx - 1);
+    if (input[idx - 1] === "\\") return exports$1.escapeLast(input, char, idx - 1);
     return `${input.slice(0, idx)}\\${input.slice(idx)}`;
   };
-  exports2.removePrefix = (input, state = {}) => {
+  exports$1.removePrefix = (input, state = {}) => {
     let output = input;
     if (output.startsWith("./")) {
       output = output.slice(2);
@@ -19294,7 +19096,7 @@ var constants$5 = {
     }
     return output;
   };
-  exports2.wrapOutput = (input, state = {}, options2 = {}) => {
+  exports$1.wrapOutput = (input, state = {}, options2 = {}) => {
     const prepend = options2.contains ? "" : "^";
     const append2 = options2.contains ? "" : "$";
     let output = `${prepend}(?:${input})${append2}`;
@@ -22849,6 +22651,18 @@ function charFromCodepoint(c) {
     (c - 65536 & 1023) + 56320
   );
 }
+function setProperty(object2, key, value) {
+  if (key === "__proto__") {
+    Object.defineProperty(object2, key, {
+      configurable: true,
+      enumerable: true,
+      writable: true,
+      value
+    });
+  } else {
+    object2[key] = value;
+  }
+}
 var simpleEscapeCheck = new Array(256);
 var simpleEscapeMap = new Array(256);
 for (var i = 0; i < 256; i++) {
@@ -22955,7 +22769,7 @@ function mergeMappings(state, destination, source, overridableKeys) {
   for (index2 = 0, quantity = sourceKeys.length; index2 < quantity; index2 += 1) {
     key = sourceKeys[index2];
     if (!_hasOwnProperty$1.call(destination, key)) {
-      destination[key] = source[key];
+      setProperty(destination, key, source[key]);
       overridableKeys[key] = true;
     }
   }
@@ -22994,7 +22808,7 @@ function storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valu
       state.position = startPos || state.position;
       throwError(state, "duplicated mapping key");
     }
-    _result[keyNode] = valueNode;
+    setProperty(_result, keyNode, valueNode);
     delete overridableKeys[keyNode];
   }
   return _result;
@@ -28897,6 +28711,247 @@ _enum([
   "published"
 ]).describe("Filter by publication status");
 string().describe("Search query string");
+const pluginName = "firebase-authentication";
+const PLUGIN_NAME = "firebase-authentication";
+const PLUGIN_UID = `plugin::${PLUGIN_NAME}`;
+const CONFIG_CONTENT_TYPE = `${PLUGIN_UID}.firebase-authentication-configuration`;
+const DEFAULT_PASSWORD_RESET_URL = "http://localhost:3000/reset-password";
+const DEFAULT_PASSWORD_REGEX = "^.{6,}$";
+const DEFAULT_PASSWORD_MESSAGE = "Password must be at least 6 characters long";
+const DEFAULT_RESET_EMAIL_SUBJECT = "Reset Your Password";
+const ERROR_MESSAGES = {
+  FIREBASE_NOT_INITIALIZED: "Firebase is not initialized. Please upload Firebase service account configuration via Settings → Firebase Authentication.",
+  INVALID_JSON: "Invalid JSON format. Please ensure you copied the entire JSON content correctly.",
+  MISSING_DATA: "data is missing",
+  SOMETHING_WENT_WRONG: "Something went wrong",
+  AUTHENTICATION_FAILED: "Authentication failed",
+  TOKEN_MISSING: "idToken is missing!",
+  EMAIL_PASSWORD_REQUIRED: "Email and password are required",
+  PASSWORD_REQUIRED: "Password is required",
+  AUTHORIZATION_REQUIRED: "Authorization token is required",
+  INVALID_TOKEN: "Invalid or expired token",
+  USER_NOT_FOUND: "User not found",
+  USER_NO_EMAIL: "User does not have an email address",
+  FIREBASE_LINK_FAILED: "Failed to generate Firebase reset link",
+  CONFIG_NOT_FOUND: "No config found",
+  INVALID_SERVICE_ACCOUNT: "Invalid service account JSON",
+  WEB_API_NOT_CONFIGURED: "Email/password authentication is not available. Web API Key is not configured.",
+  RESET_URL_NOT_CONFIGURED: "Password reset URL is not configured",
+  RESET_URL_MUST_BE_HTTPS: "Password reset URL must use HTTPS in production",
+  RESET_URL_INVALID_FORMAT: "Password reset URL is not a valid URL format",
+  USER_NOT_LINKED_FIREBASE: "User is not linked to Firebase authentication",
+  OVERRIDE_USER_ID_REQUIRED: "Override user ID is required",
+  EITHER_EMAIL_OR_PHONE_REQUIRED: "Either email or phoneNumber is required",
+  DELETION_NO_CONFIG: "No Firebase configs exists for deletion"
+};
+const SUCCESS_MESSAGES = {
+  FIREBASE_INITIALIZED: "Firebase successfully initialized",
+  FIREBASE_CONFIG_DELETED: "Firebase config deleted and reinitialized",
+  PASSWORD_RESET_EMAIL_SENT: "If an account with that email exists, a password reset link has been sent.",
+  SERVER_RESTARTING: "SERVER IS RESTARTING"
+};
+const CONFIG_KEYS = {
+  ENCRYPTION_KEY: `${PLUGIN_UID}.FIREBASE_JSON_ENCRYPTION_KEY`
+};
+const REQUIRED_FIELDS = {
+  SERVICE_ACCOUNT: ["private_key", "client_email", "project_id", "type"],
+  WEB_CONFIG: ["apiKey", "authDomain"]
+  // These indicate wrong JSON type
+};
+const VALIDATION_MESSAGES = {
+  INVALID_SERVICE_ACCOUNT: "Invalid Service Account JSON. Missing required fields:",
+  WRONG_JSON_TYPE: "You uploaded a Web App Config (SDK snippet) instead of a Service Account JSON. Please go to Firebase Console → Service Accounts tab → Generate New Private Key to download the correct file.",
+  SERVICE_ACCOUNT_HELP: "Please download the correct JSON from Firebase Console → Service Accounts → Generate New Private Key. Do NOT use the Web App Config (SDK snippet) - that is a different file!"
+};
+const firebaseController = {
+  async validateToken(ctx) {
+    strapi.log.debug("validateToken called");
+    try {
+      const { idToken, profileMetaData } = ctx.request.body || {};
+      const populate2 = ctx.request.query.populate || [];
+      if (!idToken) {
+        return ctx.badRequest(ERROR_MESSAGES.TOKEN_MISSING);
+      }
+      const result = await strapi.plugin(pluginName).service("firebaseService").validateFirebaseToken(idToken, profileMetaData, populate2);
+      ctx.body = result;
+    } catch (error2) {
+      strapi.log.error(`validateToken controller error: ${error2.message}`);
+      if (error2.name === "ValidationError") {
+        return ctx.badRequest(error2.message);
+      }
+      if (error2.name === "UnauthorizedError") {
+        return ctx.unauthorized(error2.message);
+      }
+      throw error2;
+    }
+  },
+  async deleteByEmail(email2) {
+    try {
+      const user = await strapi.firebase.auth().getUserByEmail(email2);
+      await strapi.plugin(pluginName).service("firebaseService").delete(user.toJSON().uid);
+      return user.toJSON();
+    } catch (error2) {
+      strapi.log.error("deleteByEmail error:", error2);
+      throw error2;
+    }
+  },
+  async overrideAccess(ctx) {
+    try {
+      const { overrideUserId } = ctx.request.body || {};
+      const populate2 = ctx.request.query.populate || [];
+      const result = await strapi.plugin(pluginName).service("firebaseService").overrideFirebaseAccess(overrideUserId, populate2);
+      ctx.body = result;
+    } catch (error2) {
+      if (error2.name === "ValidationError") {
+        return ctx.badRequest(error2.message);
+      }
+      if (error2.name === "NotFoundError") {
+        return ctx.notFound(error2.message);
+      }
+      throw error2;
+    }
+  },
+  /**
+   * Controller method for email/password authentication
+   * Handles the `/api/firebase-authentication/emailLogin` endpoint
+   *
+   * @param ctx - Koa context object
+   * @returns Promise that sets ctx.body with user data and JWT or error message
+   *
+   * @remarks
+   * This controller acts as a proxy to Firebase's Identity Toolkit API,
+   * allowing users to authenticate with email/password and receive a Strapi JWT.
+   *
+   * HTTP Status Codes:
+   * - `400`: Validation errors (missing credentials, invalid email/password)
+   * - `500`: Server errors (missing configuration, Firebase API issues)
+   */
+  async emailLogin(ctx) {
+    strapi.log.debug("emailLogin controller");
+    try {
+      const { email: email2, password } = ctx.request.body || {};
+      const populate2 = ctx.request.query.populate || [];
+      const result = await strapi.plugin(pluginName).service("firebaseService").emailLogin(email2, password, populate2);
+      ctx.body = result;
+    } catch (error2) {
+      strapi.log.error("emailLogin controller error:", error2);
+      throw error2;
+    }
+  },
+  /**
+   * Forgot password - sends reset email
+   * POST /api/firebase-authentication/forgotPassword
+   * Public endpoint - no authentication required
+   */
+  async forgotPassword(ctx) {
+    strapi.log.debug("forgotPassword endpoint called");
+    try {
+      const { email: email2 } = ctx.request.body || {};
+      ctx.body = await strapi.plugin(pluginName).service("firebaseService").forgotPassword(email2);
+    } catch (error2) {
+      strapi.log.error("forgotPassword controller error:", error2);
+      throw error2;
+    }
+  },
+  /**
+   * Reset password - authenticated password change
+   * POST /api/firebase-authentication/resetPassword
+   * Authenticated endpoint - requires valid JWT (enforced by is-authenticated policy)
+   * Used for admin-initiated resets or user self-service password changes
+   * NOT used for forgot password email flow (which uses Firebase's hosted UI)
+   */
+  async resetPassword(ctx) {
+    strapi.log.debug("resetPassword endpoint called");
+    try {
+      const { password } = ctx.request.body || {};
+      const user = ctx.state.user;
+      const populate2 = ctx.request.query.populate || [];
+      ctx.body = await strapi.plugin(pluginName).service("firebaseService").resetPassword(password, user, populate2);
+    } catch (error2) {
+      strapi.log.error("resetPassword controller error:", error2);
+      throw error2;
+    }
+  },
+  async requestMagicLink(ctx) {
+    try {
+      const { email: email2 } = ctx.request.body || {};
+      const result = await strapi.plugin("firebase-authentication").service("firebaseService").requestMagicLink(email2);
+      ctx.body = result;
+    } catch (error2) {
+      if (error2.name === "ValidationError" || error2.name === "ApplicationError") {
+        throw error2;
+      }
+      strapi.log.error("requestMagicLink controller error:", error2);
+      ctx.body = {
+        success: false,
+        message: "An error occurred while processing your request"
+      };
+    }
+  },
+  /**
+   * Reset password using custom JWT token
+   * POST /api/firebase-authentication/resetPasswordWithToken
+   * Public endpoint - token provides authentication
+   *
+   * @param ctx - Koa context with { token, newPassword } in body
+   * @returns { success: true, message: "Password has been reset successfully" }
+   */
+  async resetPasswordWithToken(ctx) {
+    strapi.log.debug("resetPasswordWithToken endpoint called");
+    try {
+      const { token, newPassword } = ctx.request.body || {};
+      if (!token) {
+        throw new ValidationError$1("Token is required");
+      }
+      if (!newPassword) {
+        throw new ValidationError$1("New password is required");
+      }
+      const result = await strapi.plugin(pluginName).service("userService").resetPasswordWithToken(token, newPassword);
+      ctx.body = result;
+    } catch (error2) {
+      strapi.log.error("resetPasswordWithToken controller error:", error2);
+      throw error2;
+    }
+  },
+  /**
+   * Send email verification - public endpoint
+   * POST /api/firebase-authentication/sendVerificationEmail
+   * Authenticated endpoint - sends verification email to the logged-in user's email
+   */
+  async sendVerificationEmail(ctx) {
+    strapi.log.debug("sendVerificationEmail endpoint called");
+    try {
+      const user = ctx.state.user;
+      const email2 = user.email;
+      ctx.body = await strapi.plugin(pluginName).service("firebaseService").sendVerificationEmail(email2);
+    } catch (error2) {
+      strapi.log.error("sendVerificationEmail controller error:", error2);
+      throw error2;
+    }
+  },
+  /**
+   * Verify email using custom JWT token
+   * POST /api/firebase-authentication/verifyEmail
+   * Public endpoint - token provides authentication
+   *
+   * @param ctx - Koa context with { token } in body
+   * @returns { success: true, message: "Email verified successfully" }
+   */
+  async verifyEmail(ctx) {
+    strapi.log.debug("verifyEmail endpoint called");
+    try {
+      const { token } = ctx.request.body || {};
+      if (!token) {
+        throw new ValidationError$1("Token is required");
+      }
+      const result = await strapi.plugin(pluginName).service("firebaseService").verifyEmail(token);
+      ctx.body = result;
+    } catch (error2) {
+      strapi.log.error("verifyEmail controller error:", error2);
+      throw error2;
+    }
+  }
+};
 const STRAPI_DESTINATION = "strapi";
 const FIREBASE_DESTINATION = "firebase";
 const userController = {
@@ -28982,6 +29037,17 @@ const userController = {
     } catch (error2) {
       throw new ApplicationError$2(error2.message || "Failed to send password reset email");
     }
+  },
+  sendVerificationEmail: async (ctx) => {
+    const userId = ctx.params.id;
+    if (!userId) {
+      throw new ValidationError$1("User ID is required");
+    }
+    try {
+      ctx.body = await strapi.plugin("firebase-authentication").service("userService").sendVerificationEmail(userId);
+    } catch (error2) {
+      throw new ApplicationError$2(error2.message || "Failed to send verification email");
+    }
   }
 };
 const settingsController = {
@@ -29084,7 +29150,9 @@ const settingsController = {
         enableMagicLink = false,
         magicLinkUrl = "http://localhost:1338/verify-magic-link.html",
         magicLinkEmailSubject = "Sign in to Your Application",
-        magicLinkExpiryHours = 1
+        magicLinkExpiryHours = 1,
+        emailVerificationUrl = "http://localhost:3000/verify-email",
+        emailVerificationEmailSubject = "Verify Your Email"
       } = requestBody;
       const existingConfig = await strapi.db.query("plugin::firebase-authentication.firebase-authentication-configuration").findOne({ where: {} });
       let result;
@@ -29098,7 +29166,9 @@ const settingsController = {
             enableMagicLink,
             magicLinkUrl,
             magicLinkEmailSubject,
-            magicLinkExpiryHours
+            magicLinkExpiryHours,
+            emailVerificationUrl,
+            emailVerificationEmailSubject
           }
         });
       } else {
@@ -29112,7 +29182,9 @@ const settingsController = {
             enableMagicLink,
             magicLinkUrl,
             magicLinkEmailSubject,
-            magicLinkExpiryHours
+            magicLinkExpiryHours,
+            emailVerificationUrl,
+            emailVerificationEmailSubject
           }
         });
       }
@@ -29124,7 +29196,9 @@ const settingsController = {
         enableMagicLink: result.enableMagicLink,
         magicLinkUrl: result.magicLinkUrl,
         magicLinkEmailSubject: result.magicLinkEmailSubject,
-        magicLinkExpiryHours: result.magicLinkExpiryHours
+        magicLinkExpiryHours: result.magicLinkExpiryHours,
+        emailVerificationUrl: result.emailVerificationUrl,
+        emailVerificationEmailSubject: result.emailVerificationEmailSubject
       };
     } catch (error2) {
       throw new ApplicationError$2("Error saving password configuration", {
@@ -29139,7 +29213,16 @@ const controllers = {
   settingsController
 };
 const middlewares = {};
-const policies = {};
+const isAuthenticated = async (policyContext) => {
+  const user = policyContext.state.user;
+  if (!user) {
+    throw new UnauthorizedError("Authentication required");
+  }
+  return true;
+};
+const policies = {
+  "is-authenticated": isAuthenticated
+};
 const settingsRoute = [
   {
     method: "POST",
@@ -29217,6 +29300,14 @@ const admin = {
         policies: ["admin::isAuthenticatedAdmin"]
       }
     },
+    {
+      method: "PUT",
+      path: "/users/sendVerificationEmail/:id",
+      handler: "userController.sendVerificationEmail",
+      config: {
+        policies: ["admin::isAuthenticatedAdmin"]
+      }
+    },
     {
       method: "GET",
       path: "/users/:id",
@@ -29281,9 +29372,7 @@ const contentApi = {
       path: "/resetPassword",
       handler: "firebaseController.resetPassword",
       config: {
-        auth: false,
-        // Public endpoint - authenticated password change, requires valid JWT in Authorization header
-        policies: []
+        policies: ["plugin::firebase-authentication.is-authenticated"]
       }
     },
     {
@@ -29315,6 +29404,24 @@ const contentApi = {
         // Public endpoint - token provides authentication
         policies: []
       }
+    },
+    {
+      method: "POST",
+      path: "/sendVerificationEmail",
+      handler: "firebaseController.sendVerificationEmail",
+      config: {
+        policies: ["plugin::firebase-authentication.is-authenticated"]
+      }
+    },
+    {
+      method: "POST",
+      path: "/verifyEmail",
+      handler: "firebaseController.verifyEmail",
+      config: {
+        auth: false,
+        // Public endpoint - token provides authentication
+        policies: []
+      }
     }
   ]
 };
@@ -29435,7 +29542,10 @@ const settingsService = ({ strapi: strapi2 }) => {
           enableMagicLink: configObject.enableMagicLink || false,
           magicLinkUrl: configObject.magicLinkUrl || "http://localhost:1338/verify-magic-link.html",
           magicLinkEmailSubject: configObject.magicLinkEmailSubject || "Sign in to Your Application",
-          magicLinkExpiryHours: configObject.magicLinkExpiryHours || 1
+          magicLinkExpiryHours: configObject.magicLinkExpiryHours || 1,
+          // Include email verification configuration fields
+          emailVerificationUrl: configObject.emailVerificationUrl || "http://localhost:3000/verify-email",
+          emailVerificationEmailSubject: configObject.emailVerificationEmailSubject || "Verify Your Email"
         };
       } catch (error2) {
         strapi2.log.error(`Firebase config error: ${error2.message}`);
@@ -29478,7 +29588,9 @@ const settingsService = ({ strapi: strapi2 }) => {
           enableMagicLink = false,
           magicLinkUrl = "http://localhost:1338/verify-magic-link.html",
           magicLinkEmailSubject = "Sign in to Your Application",
-          magicLinkExpiryHours = 1
+          magicLinkExpiryHours = 1,
+          emailVerificationUrl = "http://localhost:3000/verify-email",
+          emailVerificationEmailSubject = "Verify Your Email"
         } = requestBody;
         if (!requestBody) throw new ValidationError3(ERROR_MESSAGES.MISSING_DATA);
         try {
@@ -29514,7 +29626,9 @@ const settingsService = ({ strapi: strapi2 }) => {
               enableMagicLink,
               magicLinkUrl,
               magicLinkEmailSubject,
-              magicLinkExpiryHours
+              magicLinkExpiryHours,
+              emailVerificationUrl,
+              emailVerificationEmailSubject
             }
           });
         } else {
@@ -29530,11 +29644,20 @@ const settingsService = ({ strapi: strapi2 }) => {
               enableMagicLink,
               magicLinkUrl,
               magicLinkEmailSubject,
-              magicLinkExpiryHours
+              magicLinkExpiryHours,
+              emailVerificationUrl,
+              emailVerificationEmailSubject
             }
           });
         }
         await strapi2.plugin("firebase-authentication").service("settingsService").init();
+        setImmediate(async () => {
+          try {
+            await strapi2.plugin("firebase-authentication").service("autoLinkService").linkAllUsers(strapi2);
+          } catch (error2) {
+            strapi2.log.error(`Auto-linking after config save failed: ${error2.message}`);
+          }
+        });
         const configData = res.firebaseConfigJson || res.firebase_config_json;
         if (!configData) {
           strapi2.log.error("Firebase config data missing from database response");
@@ -29558,6 +29681,8 @@ const settingsService = ({ strapi: strapi2 }) => {
         res.magicLinkUrl = res.magicLinkUrl || magicLinkUrl;
         res.magicLinkEmailSubject = res.magicLinkEmailSubject || magicLinkEmailSubject;
         res.magicLinkExpiryHours = res.magicLinkExpiryHours || magicLinkExpiryHours;
+        res.emailVerificationUrl = res.emailVerificationUrl || emailVerificationUrl;
+        res.emailVerificationEmailSubject = res.emailVerificationEmailSubject || emailVerificationEmailSubject;
         return res;
       } catch (error2) {
         strapi2.log.error("=== FIREBASE CONFIG SAVE ERROR ===");
@@ -30217,6 +30342,40 @@ const userService = ({ strapi: strapi2 }) => {
         }
         throw new ApplicationError$2(e.message?.toString() || "Failed to reset password");
       }
+    },
+    /**
+     * Send email verification email (admin-initiated)
+     * @param entityId - Firebase UID of the user
+     */
+    sendVerificationEmail: async (entityId) => {
+      try {
+        ensureFirebaseInitialized();
+        const user = await strapi2.firebase.auth().getUser(entityId);
+        if (!user.email) {
+          throw new ApplicationError$2("User does not have an email address");
+        }
+        if (user.emailVerified) {
+          return { success: true, message: "Email is already verified" };
+        }
+        const config2 = await strapi2.db.query("plugin::firebase-authentication.firebase-authentication-configuration").findOne({ where: {} });
+        const emailVerificationUrl = config2?.emailVerificationUrl;
+        if (!emailVerificationUrl) {
+          throw new ApplicationError$2("Email verification URL is not configured");
+        }
+        const firebaseUserData2 = await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").getByFirebaseUID(entityId);
+        if (!firebaseUserData2) {
+          throw new ApplicationError$2("User is not linked to Firebase authentication");
+        }
+        const tokenService2 = strapi2.plugin("firebase-authentication").service("tokenService");
+        const token = await tokenService2.generateVerificationToken(firebaseUserData2.documentId, user.email);
+        const verificationLink = `${emailVerificationUrl}?token=${token}`;
+        strapi2.log.debug(`Generated email verification link for user ${user.email}`);
+        const emailService2 = strapi2.plugin("firebase-authentication").service("emailService");
+        return await emailService2.sendVerificationEmail(user, verificationLink);
+      } catch (e) {
+        strapi2.log.error(`sendVerificationEmail error: ${e.message}`);
+        throw new ApplicationError$2(e.message?.toString() || "Failed to send verification email");
+      }
     }
   };
 };
@@ -30760,20 +30919,17 @@ const firebaseService = ({ strapi: strapi2 }) => ({
    * 2. User-initiated password change (when already authenticated)
    *
    * NOT used for forgot password email flow - that now uses Firebase's hosted UI
+   *
+   * @param password - New password to set
+   * @param user - Authenticated user from ctx.state.user (populated by is-authenticated policy)
+   * @param populate - Fields to populate in response
    */
-  resetPassword: async (password, token, populate2) => {
+  resetPassword: async (password, user, populate2) => {
     if (!password) {
       throw new ValidationError$1("Password is required");
     }
-    if (!token) {
-      throw new UnauthorizedError("Authorization token is required");
-    }
-    let decoded;
-    try {
-      const jwtService = strapi2.plugin("users-permissions").service("jwt");
-      decoded = await jwtService.verify(token);
-    } catch (error2) {
-      throw new UnauthorizedError("Invalid or expired token");
+    if (!user || !user.id) {
+      throw new UnauthorizedError("Authentication required");
     }
     const config2 = await strapi2.plugin("firebase-authentication").service("settingsService").getFirebaseConfigJson();
     const passwordRegex = config2?.passwordRequirementsRegex || "^.{6,}$";
@@ -30784,8 +30940,7 @@ const firebaseService = ({ strapi: strapi2 }) => ({
     }
     try {
       const strapiUser = await strapi2.db.query("plugin::users-permissions.user").findOne({
-        where: { id: decoded.id }
-        // Use numeric id from JWT
+        where: { id: user.id }
       });
       if (!strapiUser) {
         throw new NotFoundError("User not found");
@@ -30896,6 +31051,159 @@ const firebaseService = ({ strapi: strapi2 }) => ({
         verificationUrl: magicLinkUrl
       };
     }
+  },
+  /**
+   * Send email verification - public endpoint
+   * Generates a verification token and sends an email to the user
+   * Security: Always returns generic success message to prevent email enumeration
+   */
+  async sendVerificationEmail(email2) {
+    strapi2.log.info(`[sendVerificationEmail] Starting email verification for: ${email2}`);
+    if (!email2) {
+      throw new ValidationError$1("Email is required");
+    }
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(email2)) {
+      throw new ValidationError$1("Invalid email format");
+    }
+    const config2 = await strapi2.plugin("firebase-authentication").service("settingsService").getFirebaseConfigJson();
+    const verificationUrl = config2?.emailVerificationUrl;
+    if (!verificationUrl) {
+      throw new ApplicationError$2("Email verification URL is not configured");
+    }
+    if (process.env.NODE_ENV === "production" && !verificationUrl.startsWith("https://")) {
+      throw new ApplicationError$2("Email verification URL must use HTTPS in production");
+    }
+    try {
+      new URL(verificationUrl);
+    } catch (error2) {
+      throw new ApplicationError$2("Email verification URL is not a valid URL format");
+    }
+    try {
+      let firebaseUser;
+      try {
+        firebaseUser = await strapi2.firebase.auth().getUserByEmail(email2);
+      } catch (fbError) {
+        strapi2.log.debug("User not found in Firebase");
+      }
+      if (!firebaseUser) {
+        strapi2.log.warn(`⚠️ [sendVerificationEmail] User not found in Firebase for email: ${email2}`);
+        return { message: "If an account with that email exists, a verification link has been sent." };
+      }
+      if (firebaseUser.emailVerified) {
+        strapi2.log.info(`[sendVerificationEmail] User ${email2} is already verified`);
+        return { message: "Email is already verified." };
+      }
+      const firebaseData = await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").getByFirebaseUID(firebaseUser.uid);
+      if (!firebaseData) {
+        strapi2.log.warn(`⚠️ [sendVerificationEmail] No firebase-user-data record for: ${email2}`);
+        return { message: "If an account with that email exists, a verification link has been sent." };
+      }
+      strapi2.log.info(
+        `✅ [sendVerificationEmail] User found: ${JSON.stringify({
+          firebaseUID: firebaseUser.uid,
+          email: firebaseUser.email,
+          emailVerified: firebaseUser.emailVerified
+        })}`
+      );
+      const tokenService2 = strapi2.plugin("firebase-authentication").service("tokenService");
+      const token = await tokenService2.generateVerificationToken(firebaseData.documentId, email2);
+      const verificationLink = `${verificationUrl}?token=${token}`;
+      strapi2.log.info(`✅ [sendVerificationEmail] Verification link generated for ${email2}`);
+      strapi2.log.info(`[sendVerificationEmail] Attempting to send verification email to: ${email2}`);
+      await strapi2.plugin("firebase-authentication").service("emailService").sendVerificationEmail(firebaseUser, verificationLink);
+      strapi2.log.info(`✅ [sendVerificationEmail] Verification email sent successfully to: ${email2}`);
+      return {
+        message: "If an account with that email exists, a verification link has been sent."
+      };
+    } catch (error2) {
+      strapi2.log.error(
+        `❌ [sendVerificationEmail] ERROR: ${JSON.stringify({
+          email: email2,
+          message: error2.message,
+          code: error2.code,
+          name: error2.name,
+          stack: error2.stack
+        })}`
+      );
+      return {
+        message: "If an account with that email exists, a verification link has been sent."
+      };
+    }
+  },
+  /**
+   * Verify email with token - public endpoint
+   * Validates the token and marks the user's email as verified in Firebase
+   */
+  async verifyEmail(token) {
+    strapi2.log.info(`[verifyEmail] Starting email verification with token`);
+    if (!token) {
+      throw new ValidationError$1("Verification token is required");
+    }
+    const tokenService2 = strapi2.plugin("firebase-authentication").service("tokenService");
+    const validationResult = await tokenService2.validateVerificationToken(token);
+    if (!validationResult.valid) {
+      strapi2.log.warn(`[verifyEmail] Token validation failed: ${validationResult.error}`);
+      throw new ValidationError$1(validationResult.error || "Invalid verification link");
+    }
+    const { firebaseUID, firebaseUserDataDocumentId, email: tokenEmail } = validationResult;
+    try {
+      const firebaseUser = await strapi2.firebase.auth().getUser(firebaseUID);
+      if (tokenEmail && firebaseUser.email !== tokenEmail) {
+        strapi2.log.warn(
+          `[verifyEmail] Email changed: token email ${tokenEmail} != current email ${firebaseUser.email}`
+        );
+        await tokenService2.invalidateVerificationToken(firebaseUserDataDocumentId);
+        throw new ValidationError$1(
+          "Email address has changed since verification was requested. Please request a new verification link."
+        );
+      }
+      if (firebaseUser.emailVerified) {
+        strapi2.log.info(`[verifyEmail] User ${firebaseUser.email} is already verified`);
+        await tokenService2.invalidateVerificationToken(firebaseUserDataDocumentId);
+        return {
+          success: true,
+          message: "Email is already verified."
+        };
+      }
+      await strapi2.firebase.auth().updateUser(firebaseUID, {
+        emailVerified: true
+      });
+      try {
+        const firebaseUserDataService2 = strapi2.plugin("firebase-authentication").service("firebaseUserDataService");
+        const firebaseUserData2 = await firebaseUserDataService2.getByFirebaseUID(firebaseUID);
+        if (firebaseUserData2?.user?.documentId) {
+          await strapi2.db.query("plugin::users-permissions.user").update({
+            where: { documentId: firebaseUserData2.user.documentId },
+            data: { confirmed: true }
+          });
+          strapi2.log.info(`✅ [verifyEmail] Strapi user confirmed for: ${firebaseUserData2.user.documentId}`);
+        }
+      } catch (strapiUpdateError) {
+        strapi2.log.warn(
+          `[verifyEmail] Failed to update Strapi user confirmed status: ${strapiUpdateError.message}`
+        );
+      }
+      strapi2.log.info(`✅ [verifyEmail] Email verified successfully for: ${firebaseUser.email}`);
+      await tokenService2.invalidateVerificationToken(firebaseUserDataDocumentId);
+      return {
+        success: true,
+        message: "Email verified successfully."
+      };
+    } catch (error2) {
+      strapi2.log.error(
+        `❌ [verifyEmail] ERROR: ${JSON.stringify({
+          firebaseUID,
+          message: error2.message,
+          code: error2.code,
+          name: error2.name
+        })}`
+      );
+      if (error2 instanceof ValidationError$1) {
+        throw error2;
+      }
+      throw new ApplicationError$2("Failed to verify email. Please try again.");
+    }
   }
 });
 const passwordResetTemplate = {
@@ -31275,13 +31583,144 @@ The <%= appName %> Team
 Need help? Contact us at <%= supportEmail %>
 <% } %>
 
+© <%= year %> <%= appName %>. All rights reserved.
+  `.trim()
+};
+const emailVerificationTemplate = {
+  subject: "Verify Your Email - <%= appName %>",
+  html: `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Verify Your Email</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; background-color: #f4f4f4;">
+  <table role="presentation" style="width: 100%; border-collapse: collapse; background-color: #f4f4f4;">
+    <tr>
+      <td align="center" style="padding: 40px 0;">
+        <table role="presentation" style="width: 600px; max-width: 100%; background-color: #ffffff; border-radius: 8px; box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);">
+          <!-- Header -->
+          <tr>
+            <td style="padding: 40px 40px 20px 40px; text-align: center;">
+              <h1 style="margin: 0; font-size: 28px; color: #333333; font-weight: 600;">
+                Verify Your Email Address
+              </h1>
+            </td>
+          </tr>
+
+          <!-- Content -->
+          <tr>
+            <td style="padding: 20px 40px;">
+              <p style="margin: 0 0 20px 0; font-size: 16px; line-height: 1.6; color: #555555;">
+                Hello<% if (user.firstName) { %> <%= user.firstName %><% } %>,
+              </p>
+
+              <p style="margin: 0 0 20px 0; font-size: 16px; line-height: 1.6; color: #555555;">
+                Thank you for signing up with <strong><%= appName %></strong>! Please verify your email address <strong><%= user.email %></strong> to complete your registration.
+              </p>
+
+              <p style="margin: 0 0 30px 0; font-size: 16px; line-height: 1.6; color: #555555;">
+                Click the button below to verify your email:
+              </p>
+
+              <!-- CTA Button -->
+              <table role="presentation" style="width: 100%; border-collapse: collapse;">
+                <tr>
+                  <td align="center" style="padding: 0 0 30px 0;">
+                    <a href="<%= verificationLink %>"
+                       style="display: inline-block; padding: 14px 32px; background-color: #28a745; color: #ffffff; text-decoration: none; font-size: 16px; font-weight: 600; border-radius: 5px; transition: background-color 0.3s;">
+                      Verify Email Address
+                    </a>
+                  </td>
+                </tr>
+              </table>
+
+              <p style="margin: 0 0 20px 0; font-size: 14px; line-height: 1.6; color: #777777;">
+                Or copy and paste this link into your browser:
+              </p>
+
+              <p style="margin: 0 0 30px 0; font-size: 14px; line-height: 1.6; word-break: break-all; color: #28a745;">
+                <%= verificationLink %>
+              </p>
+
+              <!-- Security Notice -->
+              <table role="presentation" style="width: 100%; border-collapse: collapse; background-color: #fff3cd; border-radius: 4px; margin: 0 0 20px 0;">
+                <tr>
+                  <td style="padding: 12px 16px;">
+                    <p style="margin: 0; font-size: 14px; line-height: 1.6; color: #856404;">
+                      <strong>⚠️ Important:</strong> This link will expire in <strong><%= expiresIn %></strong>.
+                      If you didn't create an account with us, you can safely ignore this email.
+                    </p>
+                  </td>
+                </tr>
+              </table>
+
+              <p style="margin: 0 0 20px 0; font-size: 16px; line-height: 1.6; color: #555555;">
+                For security reasons, please do not share this link with anyone.
+              </p>
+            </td>
+          </tr>
+
+          <!-- Footer -->
+          <tr>
+            <td style="padding: 30px 40px 40px 40px; border-top: 1px solid #eeeeee;">
+              <p style="margin: 0 0 10px 0; font-size: 14px; line-height: 1.6; color: #999999; text-align: center;">
+                Best regards,<br>
+                The <%= appName %> Team
+              </p>
+
+              <% if (supportEmail) { %>
+              <p style="margin: 0 0 10px 0; font-size: 12px; line-height: 1.6; color: #999999; text-align: center;">
+                Need help? Contact us at <a href="mailto:<%= supportEmail %>" style="color: #28a745; text-decoration: none;"><%= supportEmail %></a>
+              </p>
+              <% } %>
+
+              <p style="margin: 0; font-size: 12px; line-height: 1.6; color: #999999; text-align: center;">
+                © <%= year %> <%= appName %>. All rights reserved.
+              </p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>
+  `.trim(),
+  text: `
+Verify Your Email Address
+
+Hello<% if (user.firstName) { %> <%= user.firstName %><% } %>,
+
+Thank you for signing up with <%= appName %>! Please verify your email address <%= user.email %> to complete your registration.
+
+To verify your email, please visit the following link:
+
+<%= verificationLink %>
+
+This link will expire in <%= expiresIn %>.
+
+If you didn't create an account with us, you can safely ignore this email.
+
+For security reasons, please do not share this link with anyone.
+
+Best regards,
+The <%= appName %> Team
+
+<% if (supportEmail) { %>
+Need help? Contact us at <%= supportEmail %>
+<% } %>
+
 © <%= year %> <%= appName %>. All rights reserved.
   `.trim()
 };
 const defaultTemplates = {
   passwordReset: passwordResetTemplate,
   magicLink: magicLinkTemplate,
-  passwordChanged: passwordChangedTemplate
+  passwordChanged: passwordChangedTemplate,
+  emailVerification: emailVerificationTemplate
 };
 class TemplateService {
   /**
@@ -31693,6 +32132,114 @@ class EmailService {
       message: "Password changed but confirmation email could not be sent"
     };
   }
+  /**
+   * Send email verification email with three-tier fallback system
+   * Tier 1: Strapi Email Plugin (if configured)
+   * Tier 2: Custom Hook Function (if provided in config)
+   * Tier 3: Development Console Logging (dev mode only)
+   */
+  async sendVerificationEmail(user, verificationLink) {
+    if (!user.email) {
+      throw new ValidationError$1("User does not have an email address");
+    }
+    const variables = {
+      user: {
+        email: user.email,
+        firstName: user.firstName || user.displayName?.split(" ")[0],
+        lastName: user.lastName,
+        displayName: user.displayName,
+        phoneNumber: user.phoneNumber,
+        uid: user.uid
+      },
+      verificationLink,
+      expiresIn: "1 hour"
+    };
+    const settingsService2 = strapi.plugin("firebase-authentication").service("settingsService");
+    const dbConfig = await settingsService2.getFirebaseConfigJson();
+    const customSubject = dbConfig?.emailVerificationEmailSubject;
+    const pluginConfig = strapi.config.get("plugin::firebase-authentication");
+    const appConfig = pluginConfig?.app || {};
+    const completeVariables = {
+      ...variables,
+      appName: appConfig?.name || "Your Application",
+      appUrl: appConfig?.url || process.env.PUBLIC_URL || "http://localhost:3000",
+      supportEmail: appConfig?.supportEmail,
+      year: (/* @__PURE__ */ new Date()).getFullYear(),
+      expiresIn: variables.expiresIn
+    };
+    const templateService2 = strapi.plugin("firebase-authentication").service("templateService");
+    const template = await templateService2.getTemplate("emailVerification");
+    const subjectTemplate = customSubject || template.subject;
+    const compiledSubject = _$1.template(subjectTemplate)(completeVariables);
+    try {
+      const compiledHtml = template.html ? _$1.template(template.html)(completeVariables) : void 0;
+      const compiledText = template.text ? _$1.template(template.text)(completeVariables) : void 0;
+      const emailPlugin = strapi.plugin("email");
+      if (!emailPlugin) {
+        throw new Error("Email plugin not found");
+      }
+      const emailService2 = emailPlugin.service("email");
+      await emailService2.send({
+        to: user.email,
+        subject: compiledSubject,
+        html: compiledHtml,
+        text: compiledText
+      });
+      strapi.log.info(`✅ Email verification sent via Strapi email plugin to ${user.email}`);
+      return {
+        success: true,
+        message: `Verification email sent to ${user.email}`
+      };
+    } catch (tier1Error) {
+      strapi.log.debug(`Strapi email plugin failed: ${tier1Error.message}. Trying fallback options...`);
+    }
+    const customSender = pluginConfig?.sendVerificationEmail;
+    if (customSender && typeof customSender === "function") {
+      try {
+        const compiledHtml = template.html ? _$1.template(template.html)(completeVariables) : void 0;
+        const compiledText = template.text ? _$1.template(template.text)(completeVariables) : void 0;
+        await customSender({
+          to: user.email,
+          subject: compiledSubject,
+          html: compiledHtml,
+          text: compiledText,
+          verificationLink,
+          variables: completeVariables
+        });
+        strapi.log.info(`✅ Email verification sent via custom hook to ${user.email}`);
+        return {
+          success: true,
+          message: `Verification email sent to ${user.email}`
+        };
+      } catch (tier2Error) {
+        strapi.log.error(`Custom hook failed: ${tier2Error.message}. Continuing to next fallback...`);
+      }
+    }
+    if (process.env.NODE_ENV !== "production") {
+      try {
+        strapi.log.info("\n" + "=".repeat(80));
+        strapi.log.info("EMAIL VERIFICATION (Development Mode)");
+        strapi.log.info("=".repeat(80));
+        strapi.log.info(`To: ${user.email}`);
+        strapi.log.info(`Subject: ${compiledSubject}`);
+        strapi.log.info(`Verification Link: ${verificationLink}`);
+        strapi.log.info(`Expires In: 1 hour`);
+        strapi.log.info("=".repeat(80));
+        strapi.log.info("Note: Email not sent - no email service configured");
+        strapi.log.info("Copy the link above and open in your browser to verify");
+        strapi.log.info("=".repeat(80) + "\n");
+        return {
+          success: true,
+          message: "Verification link logged to console (development mode)"
+        };
+      } catch (tier3Error) {
+        strapi.log.error(`Development fallback failed: ${tier3Error.message}`);
+      }
+    }
+    throw new ApplicationError$2(
+      "Email service is not configured. Please configure Strapi email plugin or provide custom sendVerificationEmail function in plugin config."
+    );
+  }
 }
 const emailService = ({ strapi: strapi2 }) => new EmailService();
 const firebaseUserDataService = ({ strapi: strapi2 }) => ({
@@ -32055,7 +32602,7 @@ var TokenExpiredError_1 = TokenExpiredError$1;
 var jws$3 = {};
 var safeBuffer = { exports: {} };
 /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */
-(function(module2, exports2) {
+(function(module2, exports$1) {
   var buffer = require$$0__default$5.default;
   var Buffer2 = buffer.Buffer;
   function copyProps(src, dst) {
@@ -32066,8 +32613,8 @@ var safeBuffer = { exports: {} };
   if (Buffer2.from && Buffer2.alloc && Buffer2.allocUnsafe && Buffer2.allocUnsafeSlow) {
     module2.exports = buffer;
   } else {
-    copyProps(buffer, exports2);
-    exports2.Buffer = SafeBuffer;
+    copyProps(buffer, exports$1);
+    exports$1.Buffer = SafeBuffer;
   }
   function SafeBuffer(arg, encodingOrOffset, length) {
     return Buffer2(arg, encodingOrOffset, length);
@@ -32582,7 +33129,12 @@ function jwsSign(opts) {
   return util$1.format("%s.%s", securedInput, signature);
 }
 function SignStream$1(opts) {
-  var secret = opts.secret || opts.privateKey || opts.key;
+  var secret = opts.secret;
+  secret = secret == null ? opts.privateKey : secret;
+  secret = secret == null ? opts.key : secret;
+  if (/^hs/i.test(opts.header.alg) === true && secret == null) {
+    throw new TypeError("secret must be a string or buffer or a KeyObject");
+  }
   var secretStream = new DataStream$1(secret);
   this.readable = true;
   this.header = opts.header;
@@ -32688,7 +33240,12 @@ function jwsDecode(jwsSig, opts) {
 }
 function VerifyStream$1(opts) {
   opts = opts || {};
-  var secretOrKey = opts.secret || opts.publicKey || opts.key;
+  var secretOrKey = opts.secret;
+  secretOrKey = secretOrKey == null ? opts.publicKey : secretOrKey;
+  secretOrKey = secretOrKey == null ? opts.key : secretOrKey;
+  if (/^hs/i.test(opts.algorithm) === true && secretOrKey == null) {
+    throw new TypeError("secret must be a string or buffer or a KeyObject");
+  }
   var secretStream = new DataStream(secretOrKey);
   this.readable = true;
   this.algorithm = opts.algorithm;
@@ -32931,19 +33488,19 @@ var constants$1 = {
 const debug$1 = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {
 };
 var debug_1 = debug$1;
-(function(module2, exports2) {
+(function(module2, exports$1) {
   const {
     MAX_SAFE_COMPONENT_LENGTH: MAX_SAFE_COMPONENT_LENGTH2,
     MAX_SAFE_BUILD_LENGTH: MAX_SAFE_BUILD_LENGTH2,
     MAX_LENGTH: MAX_LENGTH2
   } = constants$1;
   const debug2 = debug_1;
-  exports2 = module2.exports = {};
-  const re2 = exports2.re = [];
-  const safeRe = exports2.safeRe = [];
-  const src = exports2.src = [];
-  const safeSrc = exports2.safeSrc = [];
-  const t2 = exports2.t = {};
+  exports$1 = module2.exports = {};
+  const re2 = exports$1.re = [];
+  const safeRe = exports$1.safeRe = [];
+  const src = exports$1.src = [];
+  const safeSrc = exports$1.safeSrc = [];
+  const t2 = exports$1.t = {};
   let R = 0;
   const LETTERDASHNUMBER = "[a-zA-Z0-9-]";
   const safeRegexReplacements = [
@@ -32996,18 +33553,18 @@ var debug_1 = debug$1;
   createToken("COERCERTLFULL", src[t2.COERCEFULL], true);
   createToken("LONETILDE", "(?:~>?)");
   createToken("TILDETRIM", `(\\s*)${src[t2.LONETILDE]}\\s+`, true);
-  exports2.tildeTrimReplace = "$1~";
+  exports$1.tildeTrimReplace = "$1~";
   createToken("TILDE", `^${src[t2.LONETILDE]}${src[t2.XRANGEPLAIN]}$`);
   createToken("TILDELOOSE", `^${src[t2.LONETILDE]}${src[t2.XRANGEPLAINLOOSE]}$`);
   createToken("LONECARET", "(?:\\^)");
   createToken("CARETTRIM", `(\\s*)${src[t2.LONECARET]}\\s+`, true);
-  exports2.caretTrimReplace = "$1^";
+  exports$1.caretTrimReplace = "$1^";
   createToken("CARET", `^${src[t2.LONECARET]}${src[t2.XRANGEPLAIN]}$`);
   createToken("CARETLOOSE", `^${src[t2.LONECARET]}${src[t2.XRANGEPLAINLOOSE]}$`);
   createToken("COMPARATORLOOSE", `^${src[t2.GTLT]}\\s*(${src[t2.LOOSEPLAIN]})$|^$`);
   createToken("COMPARATOR", `^${src[t2.GTLT]}\\s*(${src[t2.FULLPLAIN]})$|^$`);
   createToken("COMPARATORTRIM", `(\\s*)${src[t2.GTLT]}\\s*(${src[t2.LOOSEPLAIN]}|${src[t2.XRANGEPLAIN]})`, true);
-  exports2.comparatorTrimReplace = "$1$2$3";
+  exports$1.comparatorTrimReplace = "$1$2$3";
   createToken("HYPHENRANGE", `^\\s*(${src[t2.XRANGEPLAIN]})\\s+-\\s+(${src[t2.XRANGEPLAIN]})\\s*$`);
   createToken("HYPHENRANGELOOSE", `^\\s*(${src[t2.XRANGEPLAINLOOSE]})\\s+-\\s+(${src[t2.XRANGEPLAINLOOSE]})\\s*$`);
   createToken("STAR", "(<|>)?=?\\s*\\*");
@@ -35146,6 +35703,125 @@ const tokenService = ({ strapi: strapi2 }) => {
         }
       });
       strapi2.log.debug(`Invalidated reset token for user ${firebaseUserDataDocumentId}`);
+    },
+    // ==================== EMAIL VERIFICATION TOKENS ====================
+    /**
+     * Generate an email verification token for a user
+     * @param firebaseUserDataDocumentId - The documentId of the firebase-user-data record
+     * @param email - The email address at time of request (for change detection)
+     * @returns The JWT token to include in the verification URL
+     */
+    async generateVerificationToken(firebaseUserDataDocumentId, email2) {
+      const signingKey = getSigningKey();
+      const jti = crypto__default.default.randomBytes(32).toString("hex");
+      const payload = {
+        sub: firebaseUserDataDocumentId,
+        purpose: "email-verification",
+        email: email2,
+        jti
+      };
+      const token = jwt.sign(payload, signingKey, {
+        expiresIn: "1h"
+      });
+      const tokenHash = crypto__default.default.createHash("sha256").update(jti).digest("hex");
+      const expiresAt = new Date(Date.now() + 60 * 60 * 1e3);
+      await strapi2.db.query(FIREBASE_USER_DATA_CONTENT_TYPE).update({
+        where: { documentId: firebaseUserDataDocumentId },
+        data: {
+          verificationTokenHash: tokenHash,
+          verificationTokenExpiresAt: expiresAt.toISOString()
+        }
+      });
+      strapi2.log.debug(`Generated verification token for user ${firebaseUserDataDocumentId}`);
+      return token;
+    },
+    /**
+     * Validate an email verification token
+     * @param token - The JWT token from the verification URL
+     * @returns Validation result with user info and email if valid
+     */
+    async validateVerificationToken(token) {
+      const signingKey = getSigningKey();
+      try {
+        const decoded = jwt.verify(token, signingKey);
+        if (decoded.purpose !== "email-verification") {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "Invalid token purpose"
+          };
+        }
+        const tokenHash = crypto__default.default.createHash("sha256").update(decoded.jti).digest("hex");
+        const firebaseUserData2 = await strapi2.db.query(FIREBASE_USER_DATA_CONTENT_TYPE).findOne({
+          where: { documentId: decoded.sub }
+        });
+        if (!firebaseUserData2) {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "User not found"
+          };
+        }
+        if (firebaseUserData2.verificationTokenHash !== tokenHash) {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "Verification link has already been used or is invalid"
+          };
+        }
+        if (firebaseUserData2.verificationTokenExpiresAt) {
+          const expiresAt = new Date(firebaseUserData2.verificationTokenExpiresAt);
+          if (expiresAt < /* @__PURE__ */ new Date()) {
+            return {
+              valid: false,
+              firebaseUserDataDocumentId: "",
+              firebaseUID: "",
+              error: "Verification link has expired"
+            };
+          }
+        }
+        return {
+          valid: true,
+          firebaseUserDataDocumentId: firebaseUserData2.documentId,
+          firebaseUID: firebaseUserData2.firebaseUserID,
+          email: decoded.email
+        };
+      } catch (error2) {
+        if (error2.name === "TokenExpiredError") {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "Verification link has expired"
+          };
+        }
+        if (error2.name === "JsonWebTokenError") {
+          return {
+            valid: false,
+            firebaseUserDataDocumentId: "",
+            firebaseUID: "",
+            error: "Invalid verification link"
+          };
+        }
+        throw error2;
+      }
+    },
+    /**
+     * Invalidate a verification token after use
+     * @param firebaseUserDataDocumentId - The documentId of the firebase-user-data record
+     */
+    async invalidateVerificationToken(firebaseUserDataDocumentId) {
+      await strapi2.db.query(FIREBASE_USER_DATA_CONTENT_TYPE).update({
+        where: { documentId: firebaseUserDataDocumentId },
+        data: {
+          verificationTokenHash: null,
+          verificationTokenExpiresAt: null
+        }
+      });
+      strapi2.log.debug(`Invalidated verification token for user ${firebaseUserDataDocumentId}`);
     }
   };
 };