From 409b7e8e59f3a72f1344ce79ee3068731c4ef4d7 Mon Sep 17 00:00:00 2001
From: GoodVaibhs <99231451+GoodVaibhs@users.noreply.github.com>
Date: Fri, 19 Jun 2026 20:26:33 -0700
Subject: [PATCH] fix: scope email verification code to the user session

The verification code generated in verify_user() was stored in a module-level global variable, so it was shared across every visitor's request. If two users requested a verification email around the same time, the second request's code silently overwrote the first's, making the first user's code invalid before they could use it. Store the code in the user's own session instead, consistent with how this route already tracks per-user state (session['username'], session['language']).
---
 app/routes/verify_user.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/app/routes/verify_user.py b/app/routes/verify_user.py
index c1166cdd7..d1123de3f 100755
--- a/app/routes/verify_user.py
+++ b/app/routes/verify_user.py
@@ -48,15 +48,13 @@ def verify_user(code_sent):
 if user.is_verified == "True":
 return redirect("/")
 elif user.is_verified == "False":
- global verification_code
-
 form = VerifyUserForm(request.form)
 if code_sent == "true":
 if request.method == "POST":
 code = request.form["code"]
- if code == verification_code:
+ if code == session.get("verification_code"):
 user.is_verified = "True"
 db.session.commit()
@@ -92,6 +90,7 @@ def verify_user(code_sent):
 server.login(Settings.SMTP_MAIL, Settings.SMTP_PASSWORD)
 verification_code = str(randint(1000, 9999))
+ session["verification_code"] = verification_code
 message = EmailMessage()
 message.set_content(
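Review bot: The matched code is never invalidated on this path: after `db.session.commit()` the value stays in the session, and nothing in the hunk limits how many POSTs may be compared against it, which matters because the code generated further down in this function has only 9000 possible values. I would discard it once it has been used, with `session.pop("verification_code", None)` right after the commit, and count failed attempts server-side so the code is dropped after a small number of misses. Rate limiting may already exist elsewhere; verify_user starts before and continues after the visible lines, so that could not be checked here.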
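Review bot: Writing the plaintext code into `session` on the added line may hand it to the very client it is meant to challenge: if this is Flask's default cookie-backed session, the payload is signed but not encrypted, so the value can be read from the cookie without access to the mailbox. Which session interface the app uses is not visible here and needs confirming; if it is the default, keep the code server-side (a column on the user row with an expiry, or a server-side session store) and put nothing secret in the cookie. A plain hash in the cookie would not help, since four digits can be enumerated offline. Separately, `randint` is not a CSPRNG; `verification_code = str(secrets.randbelow(9000) + 1000)` keeps the same range. The function body continues outside the hunk.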