feat: email verification + delete confirmation + smtp/cors/prod hardening

web/src/pages/LoginPage.tsx

@@ -60,11 +60,19 @@ export default function LoginPage() {
       qc.clear();
       navigate(next || "/", { replace: true });
     } catch (err) {
-      const status = (err as { status?: number })?.status;
+      const status = (err as { status?: number; code?: string })?.status;
+      const code = (err as { code?: string })?.code;
+      if (status === 403 && code === "EMAIL_NOT_VERIFIED") {
+        navigate(
+          `/verify?email=${encodeURIComponent(email)}&next=${encodeURIComponent(next || "/")}`,
+          { replace: true }
+        );
+        return;
+      }
       const message =
         status === 401
           ? "Email or password is incorrect."
-          : status === 400
+        : status === 400
           ? "Enter a valid email and password."
           : err instanceof Error
           ? err.message