fix: require email verification for password signup

[BunsDev]

Motivation

• Prevent account pre-hijacking by ensuring email/password signups cannot create usable sessions for unverified emails and by requiring email verification before invitation acceptance or promotion.

Description

• Disabled immediate auto-sign-in and enabled email verification in the Better-Auth emailAndPassword config by setting autoSignIn: false and requireEmailVerification: true in apps/web/src/lib/server/auth/index.ts and wired a verification callback that sends a verification email.
• Added an EmailVerificationEmail template and sendEmailVerificationEmail helper in packages/email and exported it from packages/email/src/index.ts.
• Updated portal signup flows (apps/web/src/components/auth/portal-auth-form.tsx and portal-auth-form-inline.tsx) to pass a callbackURL when calling authClient.signUp.email, stop after signup, and show a “Check your email” verification state instead of redirecting into an active session.
• Hardened invitation logic by rejecting invites for existing users with emailVerified === false in apps/web/src/lib/server/functions/admin.ts and requiring session.user.emailVerified when accepting an invitation in apps/web/src/lib/server/functions/invitations.ts.

Testing

• Ran git diff --check with no issues.
• Attempted bun run typecheck, which could not complete in this environment due to missing type packages (registry access produced 403s), so full typecheck/tests were not executable here.

---

Codex Task

[Copilot]

Pull request overview

This PR hardens the authentication and invitation flows to mitigate account pre-hijacking by requiring email verification for password-based signups and gating invitation promotion/acceptance on emailVerified.

Changes:

• Enabled email verification + disabled immediate session creation for email/password signups in the Better Auth server config, including a verification-email callback.
• Added a new email verification template and a sendEmailVerificationEmail helper to the shared email package.
• Updated portal signup UI to stop after password signup and show a “Check your email” state, and blocked invitation send/accept flows for unverified users.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
packages/email/src/templates/email-verification.tsx	Adds the React Email template used for verification emails.
packages/email/src/index.ts	Adds sendEmailVerificationEmail helper and exports the new template.
apps/web/src/lib/server/functions/invitations.ts	Requires session.user.emailVerified before accepting invitations.
apps/web/src/lib/server/functions/admin.ts	Blocks sending invitations to existing users whose email is not verified.
apps/web/src/lib/server/auth/index.ts	Disables auto-sign-in on password signup, requires verification, and wires verification email sending.
apps/web/src/components/auth/portal-auth-form.tsx	Updates full-page portal auth UX to show a verify-email state after password signup and pass callbackURL.
apps/web/src/components/auth/portal-auth-form-inline.tsx	Updates inline portal auth UX similarly (verify-email state + callbackURL).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.