From 0fc132cffb374afbc167f393537090f412d2352e Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Mon, 10 Oct 2016 13:12:35 -0400
Subject: [PATCH] Make sure Google email addresses are verified
---
 endpoints/oauthlogin.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/endpoints/oauthlogin.py b/endpoints/oauthlogin.py
index 749baeb20..dbb7171f5 100644
--- a/endpoints/oauthlogin.py
+++ b/endpoints/oauthlogin.py
@@ -113,6 +113,13 @@ def google_oauth_callback():
 if not user_data or not user_data.get('id', None) or not user_data.get('email', None):
 return render_ologin_error('Google')
+ if not user_data.get('verified_email', False):
+ return render_ologin_error(
+ 'Google',
+ 'A verified e-mail address is required for login. Please verify your ' +
+ 'e-mail address in Google and try again.',
+ )
+
 username = get_email_username(user_data)
 metadata = {
 'service_username': user_data['email']
@@ -196,6 +203,13 @@ def google_oauth_attach():
 if not user_data or not user_data.get('id', None):
 return render_ologin_error('Google')
+ if not user_data.get('verified_email', False):
+ return render_ologin_error(
+ 'Google',
+ 'A verified e-mail address is required for login. Please verify your ' +
+ 'e-mail address in Google and try again.',
+ )
+
 google_id = user_data['id']
 user_obj = current_user.db_user()
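Review bot: The new guard in google_oauth_callback passes on any truthy `verified_email`, so a non-boolean value such as the string `'false'` would be treated as verified. This check is what keeps an unverified address from being trusted as an identity, so a strict comparison is the safer form: `if user_data.get('verified_email') is not True:`. The identical guard added to google_oauth_attach should change with it. How user_data is fetched and parsed is outside the hunk, so whether a non-boolean can actually arrive is not visible here, and the function body continues past the hunk.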
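Review bot: The message added to google_oauth_attach says a verified address is "required for login", but this path appears to link a Google account to an already signed-in user (the `current_user.db_user()` context line), so the text will confuse someone who is already logged in. Something like `'A verified e-mail address is required to attach a Google account. Please verify your '` on the first string line would fit this flow. The seven added lines are also a verbatim copy of the block in google_oauth_callback; a small shared helper taking the user data and returning the error response (or None) would stop the two guards drifting apart. A comment such as `# Reject unverified Google e-mail addresses so they cannot be used to claim an identity` above the guard would record why it exists.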