fix(teams): skip email verification for admin-created users

Admin-created users are implicitly verified since an admin vouched for
them. Only enforce require_email_verification_for_invites for
self-registered users (auth_provider == "local") at both invitation
creation and acceptance time. This prevents false rejections when
inviting users provisioned via admin API or SSO.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Author: crivetimihai

docs/config.schema.json

@@ -1339,7 +1339,7 @@
     },
     "require_email_verification_for_invites": {
       "default": true,
-      "description": "Require email verification for team invitations",
+      "description": "Require email verification for team invitations (only applies to self-registered users; admin-created users are implicitly verified)",
       "title": "Require Email Verification For Invites",
       "type": "boolean"
     },
@@ -1770,8 +1770,8 @@
     },
     "allowed_origins": {
       "default": [
-        "http://localhost",
-        "http://localhost:4444"
+        "http://localhost:4444",
+        "http://localhost"
       ],
       "items": {
         "type": "string"
@@ -2883,14 +2883,14 @@
     },
     "allowed_mime_types": {
       "default": [
-        "image/jpeg",
-        "application/xml",
-        "text/markdown",
         "text/plain",
-        "text/html",
+        "text/markdown",
         "image/png",
+        "text/html",
+        "image/jpeg",
         "image/gif",
-        "application/json"
+        "application/json",
+        "application/xml"
       ],
       "items": {
         "type": "string"

docs/docs/config.schema.json

@@ -1339,7 +1339,7 @@
     },
     "require_email_verification_for_invites": {
       "default": true,
-      "description": "Require email verification for team invitations",
+      "description": "Require email verification for team invitations (only applies to self-registered users; admin-created users are implicitly verified)",
       "title": "Require Email Verification For Invites",
       "type": "boolean"
     },
@@ -1770,8 +1770,8 @@
     },
     "allowed_origins": {
       "default": [
-        "http://localhost",
-        "http://localhost:4444"
+        "http://localhost:4444",
+        "http://localhost"
       ],
       "items": {
         "type": "string"
@@ -2883,14 +2883,14 @@
     },
     "allowed_mime_types": {
       "default": [
-        "image/jpeg",
-        "application/xml",
-        "text/markdown",
         "text/plain",
-        "text/html",
+        "text/markdown",
         "image/png",
+        "text/html",
+        "image/jpeg",
         "image/gif",
-        "application/json"
+        "application/json",
+        "application/xml"
       ],
       "items": {
         "type": "string"

mcpgateway/config.py

@@ -570,7 +570,7 @@ class Settings(BaseSettings):
     max_teams_per_user: int = Field(default=50, description="Maximum number of teams a user can belong to")
     max_members_per_team: int = Field(default=100, description="Maximum number of members per team")
     invitation_expiry_days: int = Field(default=7, description="Number of days before team invitations expire")
-    require_email_verification_for_invites: bool = Field(default=True, description="Require email verification for team invitations")
+    require_email_verification_for_invites: bool = Field(default=True, description="Require email verification for team invitations (only applies to self-registered users; admin-created users are implicitly verified)")
 
     # Team Governance
     allow_team_creation: bool = Field(default=True, description="Allow users to create organizational teams. Admins can always create teams.")

mcpgateway/services/team_invitation_service.py

@@ -195,10 +195,11 @@ async def create_invitation(self, team_id: str, email: str, role: str, invited_b
                 logger.warning(f"Inviter {invited_by} not found")
                 return None
 
-            # Check email verification requirement for invitee
+            # Check email verification requirement for invitee (only for self-registered users;
+            # admin-created users are implicitly verified since an admin vouched for them)
             if getattr(settings, "require_email_verification_for_invites", True):
                 invitee = self.db.query(EmailUser).filter(EmailUser.email == email).first()
-                if invitee and not invitee.email_verified_at:
+                if invitee and invitee.auth_provider == "local" and not invitee.email_verified_at:
                     raise ValueError("Invitee email address has not been verified")
 
             # Check if inviter is a member of the team with appropriate permissions
@@ -324,9 +325,10 @@ async def accept_invitation(self, token: str, accepting_user_email: Optional[str
                     logger.warning(f"User {accepting_user_email} not found")
                     raise ValueError("User account not found")
 
-                # Check email verification at accept-time
+                # Check email verification at accept-time (only for self-registered users;
+                # admin-created users are implicitly verified since an admin vouched for them)
                 if getattr(settings, "require_email_verification_for_invites", True):
-                    if not user.email_verified_at:
+                    if user.auth_provider == "local" and not user.email_verified_at:
                         raise ValueError("Email address has not been verified")
 
             # Check if team still exists

tests/unit/mcpgateway/test_team_governance_flags.py

@@ -353,6 +353,7 @@ async def test_require_email_verification_for_invites(self):
         mock_invitee = MagicMock(spec=EmailUser)
         mock_invitee.email = "invitee@example.com"
         mock_invitee.email_verified_at = None  # Not verified
+        mock_invitee.auth_provider = "local"  # Self-registered user
 
         mock_inviter_membership = MagicMock(spec=EmailTeamMember)
         mock_inviter_membership.role = "owner"
@@ -488,6 +489,7 @@ async def test_accept_invitation_unverified_email_rejected(self):
         mock_user = MagicMock(spec=EmailUser)
         mock_user.email = "user@example.com"
         mock_user.email_verified_at = None  # Not verified
+        mock_user.auth_provider = "local"  # Self-registered user
         db.query.return_value.filter.return_value.first.return_value = mock_user
 
         with patch("mcpgateway.services.team_invitation_service.settings") as mock_settings: