fix(auth): set email_verified_at for admin-created users

Admin-created users are implicitly email-verified since an admin
vouched for them. Set email_verified_at at creation time in the admin
user endpoint instead of checking auth_provider in the invitation
service (auth_provider is "local" for both self-registered and
admin-created users, making it unreliable for distinguishing them).

This fixes Playwright test failures where admin-created users were
rejected by require_email_verification_for_invites checks.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Author: crivetimihai

docs/config.schema.json

@@ -1339,7 +1339,7 @@
     },
     "require_email_verification_for_invites": {
       "default": true,
-      "description": "Require email verification for team invitations (only applies to self-registered users; admin-created users are implicitly verified)",
+      "description": "Require email verification for team invitations",
       "title": "Require Email Verification For Invites",
       "type": "boolean"
     },
@@ -2883,14 +2883,14 @@
     },
     "allowed_mime_types": {
       "default": [
-        "text/plain",
         "text/markdown",
         "image/png",
-        "text/html",
+        "application/json",
         "image/jpeg",
+        "text/plain",
         "image/gif",
-        "application/json",
-        "application/xml"
+        "application/xml",
+        "text/html"
       ],
       "items": {
         "type": "string"

docs/docs/config.schema.json

@@ -1339,7 +1339,7 @@
     },
     "require_email_verification_for_invites": {
       "default": true,
-      "description": "Require email verification for team invitations (only applies to self-registered users; admin-created users are implicitly verified)",
+      "description": "Require email verification for team invitations",
       "title": "Require Email Verification For Invites",
       "type": "boolean"
     },
@@ -2883,14 +2883,14 @@
     },
     "allowed_mime_types": {
       "default": [
-        "text/plain",
         "text/markdown",
         "image/png",
-        "text/html",
+        "application/json",
         "image/jpeg",
+        "text/plain",
         "image/gif",
-        "application/json",
-        "application/xml"
+        "application/xml",
+        "text/html"
       ],
       "items": {
         "type": "string"

mcpgateway/config.py

@@ -570,7 +570,7 @@ class Settings(BaseSettings):
     max_teams_per_user: int = Field(default=50, description="Maximum number of teams a user can belong to")
     max_members_per_team: int = Field(default=100, description="Maximum number of members per team")
     invitation_expiry_days: int = Field(default=7, description="Number of days before team invitations expire")
-    require_email_verification_for_invites: bool = Field(default=True, description="Require email verification for team invitations (only applies to self-registered users; admin-created users are implicitly verified)")
+    require_email_verification_for_invites: bool = Field(default=True, description="Require email verification for team invitations")
 
     # Team Governance
     allow_team_creation: bool = Field(default=True, description="Allow users to create organizational teams. Admins can always create teams.")

mcpgateway/routers/email_auth.py

@@ -697,6 +697,11 @@ async def create_user(user_request: AdminCreateUserRequest, current_user_ctx: di
             granted_by=current_user_ctx.get("email"),
         )
 
+        # Admin-created users are implicitly email-verified (the admin vouched for them)
+        if not user.email_verified_at:
+            user.email_verified_at = utc_now()
+            db.commit()
+
         # If the user was created with the default password, optionally force password change
         if (
             settings.password_change_enforcement_enabled

mcpgateway/services/team_invitation_service.py

@@ -195,11 +195,10 @@ async def create_invitation(self, team_id: str, email: str, role: str, invited_b
                 logger.warning(f"Inviter {invited_by} not found")
                 return None
 
-            # Check email verification requirement for invitee (only for self-registered users;
-            # admin-created users are implicitly verified since an admin vouched for them)
+            # Check email verification requirement for invitee
             if getattr(settings, "require_email_verification_for_invites", True):
                 invitee = self.db.query(EmailUser).filter(EmailUser.email == email).first()
-                if invitee and invitee.auth_provider == "local" and not invitee.email_verified_at:
+                if invitee and not invitee.email_verified_at:
                     raise ValueError("Invitee email address has not been verified")
 
             # Check if inviter is a member of the team with appropriate permissions
@@ -325,10 +324,9 @@ async def accept_invitation(self, token: str, accepting_user_email: Optional[str
                     logger.warning(f"User {accepting_user_email} not found")
                     raise ValueError("User account not found")
 
-                # Check email verification at accept-time (only for self-registered users;
-                # admin-created users are implicitly verified since an admin vouched for them)
+                # Check email verification at accept-time
                 if getattr(settings, "require_email_verification_for_invites", True):
-                    if user.auth_provider == "local" and not user.email_verified_at:
+                    if not user.email_verified_at:
                         raise ValueError("Email address has not been verified")
 
             # Check if team still exists

tests/unit/mcpgateway/test_team_governance_flags.py

@@ -353,7 +353,6 @@ async def test_require_email_verification_for_invites(self):
         mock_invitee = MagicMock(spec=EmailUser)
         mock_invitee.email = "invitee@example.com"
         mock_invitee.email_verified_at = None  # Not verified
-        mock_invitee.auth_provider = "local"  # Self-registered user
 
         mock_inviter_membership = MagicMock(spec=EmailTeamMember)
         mock_inviter_membership.role = "owner"
@@ -489,7 +488,6 @@ async def test_accept_invitation_unverified_email_rejected(self):
         mock_user = MagicMock(spec=EmailUser)
         mock_user.email = "user@example.com"
         mock_user.email_verified_at = None  # Not verified
-        mock_user.auth_provider = "local"  # Self-registered user
         db.query.return_value.filter.return_value.first.return_value = mock_user
 
         with patch("mcpgateway.services.team_invitation_service.settings") as mock_settings: