Fix: legit logins only

supabase/schema.sql

@@ -200,6 +200,28 @@ begin
 end;
 $$;
 
+create or replace function public.require_confirmed_email()
+returns void
+language plpgsql
+security definer
+set search_path = public, auth
+as $$
+begin
+  if auth.uid() is null then
+    raise exception 'Authentication required';
+  end if;
+
+  if not exists (
+    select 1
+    from auth.users
+    where id = auth.uid()
+      and email_confirmed_at is not null
+  ) then
+    raise exception 'Please confirm your email before playing ranked games';
+  end if;
+end;
+$$;
+
 drop function if exists public.start_hourly_round(text);
 
 create or replace function public.start_hourly_round()
@@ -226,9 +248,7 @@ declare
   current_hour timestamptz := date_trunc('hour', now());
   hourly_word text := public.get_hourly_word(date_trunc('hour', now()));
 begin
-  if auth.uid() is null then
-    raise exception 'Authentication required';
-  end if;
+  perform public.require_confirmed_email();
 
   select *
     into existing_round
@@ -307,9 +327,7 @@ declare
   did_win boolean;
   did_complete boolean;
 begin
-  if auth.uid() is null then
-    raise exception 'Authentication required';
-  end if;
+  perform public.require_confirmed_email();
 
   if normalized_guess !~ '^[a-z]{5}$' then
     raise exception 'Guess must be five letters';
@@ -725,6 +743,7 @@ grant select, update on public.profiles to authenticated;
 grant select on public.wordle_rounds to authenticated;
 grant select on public.wordle_guesses to authenticated;
 grant execute on function public.is_username_available(text) to anon, authenticated;
+grant execute on function public.require_confirmed_email() to authenticated;
 grant execute on function public.start_hourly_round() to authenticated;
 grant execute on function public.submit_guess(uuid, text) to authenticated;
 grant execute on function public.get_user_stats() to authenticated;