apache · AsyncAssassin · Jun 4, 2026
diff --git a/docs/docs.go b/docs/docs.go
@@ -12096,6 +12096,9 @@ const docTemplate = `{
                 },
                 "allow_password_login": {
                     "type": "boolean"
+                },
+                "require_email_verification": {
+                    "type": "boolean"
                 }
             }
         },
@@ -12116,6 +12119,9 @@ const docTemplate = `{
                 },
                 "allow_password_login": {
                     "type": "boolean"
+                },
+                "require_email_verification": {
+                    "type": "boolean"
                 }
             }
         },

diff --git a/docs/swagger.json b/docs/swagger.json
@@ -12069,6 +12069,9 @@
                 },
                 "allow_password_login": {
                     "type": "boolean"
+                },
+                "require_email_verification": {
+                    "type": "boolean"
                 }
             }
         },
@@ -12089,6 +12092,9 @@
                 },
                 "allow_password_login": {
                     "type": "boolean"
+                },
+                "require_email_verification": {
+                    "type": "boolean"
                 }
             }
         },

diff --git a/docs/swagger.yaml b/docs/swagger.yaml
@@ -2516,6 +2516,8 @@ definitions:
         type: boolean
       allow_password_login:
         type: boolean
+      require_email_verification:
+        type: boolean
     type: object
   schema.SiteLoginResp:
     properties:
@@ -2529,6 +2531,8 @@ definitions:
         type: boolean
       allow_password_login:
         type: boolean
+      require_email_verification:
+        type: boolean
     type: object
   schema.SiteMCPReq:
     properties:

diff --git a/i18n/en_US.yaml b/i18n/en_US.yaml
@@ -2241,6 +2241,10 @@ ui:
         title: Email registration
         label: Allow email registration
         text: Turn off to prevent anyone creating new account through email.
+      email_verification:
+        title: Email verification
+        label: Require email verification
+        text: When enabled, users must verify their email address before using the site.
       allowed_email_domains:
         title: Allowed email domains
         text: Email domains that users must register accounts with. One domain per line. Ignored when empty.
@@ -2485,4 +2489,3 @@ ui:
     copied: Copied
     external_content_warning: External images/media are not displayed.
 
-
diff --git a/internal/controller/user_controller.go b/internal/controller/user_controller.go
@@ -279,6 +279,7 @@ func (uc *UserController) UserRegisterByEmail(ctx *gin.Context) {
 		handler.HandleResponse(ctx, errors.BadRequest(reason.EmailIllegalDomainError), nil)
 		return
 	}
+	applyEmailVerificationSetting(req, siteInfo)
 	req.IP = ctx.ClientIP()
 	isAdmin := middleware.GetUserIsAdminModerator(ctx)
 	if !isAdmin {
@@ -305,6 +306,10 @@ func (uc *UserController) UserRegisterByEmail(ctx *gin.Context) {
 	}
 }
 
+func applyEmailVerificationSetting(req *schema.UserRegisterReq, siteInfo *schema.SiteLoginResp) {
+	req.SkipEmailVerification = !siteInfo.RequireEmailVerification
+}
+
 // UserVerifyEmail godoc
 // @Summary UserVerifyEmail
 // @Description UserVerifyEmail

diff --git a/internal/controller/user_controller_test.go b/internal/controller/user_controller_test.go
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package controller
+
+import (
+	"testing"
+
+	"github.com/apache/answer/internal/schema"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestApplyEmailVerificationSetting(t *testing.T) {
+	req := &schema.UserRegisterReq{}
+	applyEmailVerificationSetting(req, &schema.SiteLoginResp{RequireEmailVerification: false})
+	assert.True(t, req.SkipEmailVerification)
+
+	req = &schema.UserRegisterReq{}
+	applyEmailVerificationSetting(req, &schema.SiteLoginResp{RequireEmailVerification: true})
+	assert.False(t, req.SkipEmailVerification)
+}
diff --git a/internal/migrations/init.go b/internal/migrations/init.go
@@ -226,9 +226,10 @@ func (m *Mentor) initSiteInfoGeneralData() {
 
 func (m *Mentor) initSiteInfoLoginConfig() {
 	loginConfig := map[string]any{
-		"allow_new_registrations":   true,
-		"allow_email_registrations": true,
-		"allow_password_login":      true,
+		"allow_new_registrations":    true,
+		"allow_email_registrations":  true,
+		"allow_password_login":       true,
+		"require_email_verification": true,
 	}
 	loginConfigDataBytes, _ := json.Marshal(loginConfig)
 	_, m.err = m.engine.Context(m.ctx).Insert(&entity.SiteInfo{

diff --git a/internal/migrations/migrations.go b/internal/migrations/migrations.go
@@ -109,6 +109,7 @@ var migrations = []Migration{
 	NewMigration("v1.8.1", "ai feat", aiFeat, true),
 	NewMigration("v2.0.1", "change avatar type to text", updateAvatarType, false),
 	NewMigration("v2.0.2", "add reasoning content to ai conversation record", addAIConversationReasoningContent, false),
+	NewMigration("v2.0.3", "add require email verification login setting", addRequireEmailVerification, true),
 }
 
 func GetMigrations() []Migration {

diff --git a/internal/migrations/v30.go b/internal/migrations/v30.go
@@ -302,10 +302,11 @@ func splitLegalMenu(ctx context.Context, x *xorm.Engine) error {
 		PrivacyPolicyParsedText:    oldSiteLegal.PrivacyPolicyParsedText,
 	}
 	siteLogin := &schema.SiteLoginResp{
-		AllowNewRegistrations:   oldSiteLogin.AllowNewRegistrations,
-		AllowEmailRegistrations: oldSiteLogin.AllowEmailRegistrations,
-		AllowPasswordLogin:      oldSiteLogin.AllowPasswordLogin,
-		AllowEmailDomains:       oldSiteLogin.AllowEmailDomains,
+		AllowNewRegistrations:    oldSiteLogin.AllowNewRegistrations,
+		AllowEmailRegistrations:  oldSiteLogin.AllowEmailRegistrations,
+		AllowPasswordLogin:       oldSiteLogin.AllowPasswordLogin,
+		AllowEmailDomains:        oldSiteLogin.AllowEmailDomains,
+		RequireEmailVerification: true,
 	}
 	siteGeneral := &schema.SiteGeneralReq{
 		Name:             oldSiteGeneral.Name,

diff --git a/internal/migrations/v34.go b/internal/migrations/v34.go
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package migrations
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/apache/answer/internal/base/constant"
+	"github.com/apache/answer/internal/entity"
+	"xorm.io/xorm"
+)
+
+func addRequireEmailVerification(ctx context.Context, x *xorm.Engine) error {
+	loginSiteInfo := &entity.SiteInfo{}
+	exist, err := x.Context(ctx).Where("type = ?", constant.SiteTypeLogin).Get(loginSiteInfo)
+	if err != nil {
+		return fmt.Errorf("get login config failed: %w", err)
+	}
+	if !exist {
+		return nil
+	}
+
+	content, err := backfillRequireEmailVerification(loginSiteInfo.Content)
+	if err != nil {
+		return fmt.Errorf("backfill login config failed: %w", err)
+	}
+	loginSiteInfo.Content = content
+	_, err = x.Context(ctx).ID(loginSiteInfo.ID).Cols("content").Update(loginSiteInfo)
+	if err != nil {
+		return fmt.Errorf("update login config failed: %w", err)
+	}
+	return nil
+}
+
+func backfillRequireEmailVerification(content string) (string, error) {
+	if strings.TrimSpace(content) == "" {
+		content = "{}"
+	}
+
+	loginConfig := map[string]json.RawMessage{}
+	if err := json.Unmarshal([]byte(content), &loginConfig); err != nil {
+		return "", err
+	}
+	if loginConfig == nil {
+		loginConfig = map[string]json.RawMessage{}
+	}
+
+	requireEmailVerification, exists := loginConfig["require_email_verification"]
+	if !exists || bytes.Equal(bytes.TrimSpace(requireEmailVerification), []byte("null")) {
+		loginConfig["require_email_verification"] = json.RawMessage("true")
+	} else {
+		var value bool
+		if err := json.Unmarshal(requireEmailVerification, &value); err != nil {
+			return "", err
+		}
+		loginConfig["require_email_verification"] = requireEmailVerification
+	}
+
+	data, err := json.Marshal(loginConfig)
+	if err != nil {
+		return "", err
+	}
+	return string(data), nil
+}