From 22801d2d8f97c33d6d795bf0a1c40403b066066b Mon Sep 17 00:00:00 2001
From: dblythy
Date: Thu, 12 Apr 2018 05:39:32 +1000
Subject: [PATCH] Ensure we respond with invalid password even if email is unverified (#4708)
---
 src/Routers/UsersRouter.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
index c18be9ae..c2615983 100644
--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -103,9 +103,6 @@ export class UsersRouter extends ClassesRouter {
 user = results[0];
 }
- if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) {
- throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
- }
 return passwordCrypto.compare(password, user.password);
 })
 .then((correct) => {
@@ -117,7 +114,9 @@ export class UsersRouter extends ClassesRouter {
 if (!isValidPassword) {
 throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
 }
-
+ if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) {
+ throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
+ }
 // handle password expiry policy
 if (req.config.passwordPolicy && req.config.passwordPolicy.maxPasswordAge) {
 let changedAt = user._password_changed_at;
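Review bot: The order of the two checks in the second hunk is what stops an unauthenticated caller from learning that an account exists with an unverified email, yet nothing in the new code says so, and the diffstat shows only `src/Routers/UsersRouter.js` changed, so no spec pins the behaviour. I would put a comment above the moved check, `// Must stay after the password check: a wrong password must never reveal the email verification state.`, and add a test asserting that a wrong password on an unverified account is rejected with `OBJECT_NOT_FOUND` and 'Invalid username/password.'. The moved check still throws `Parse.Error.EMAIL_NOT_FOUND` alongside a message about verification; that mismatch predates this commit and clients may depend on the code, so it deserves a short comment rather than a change here. The enclosing function starts and ends outside the hunk.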