Closed
Labels: bug (Something isn't working)
Description
Bug Description
In internal/graphql/verify_email.go and internal/graphql/verify_otp.go, there is no check for user.RevokedTimestamp. The Login method correctly checks user.RevokedTimestamp != nil and returns an error, but these verification flows skip this check entirely.
Impact
HIGH — A user whose access was revoked can still verify email/OTP and obtain valid authentication tokens, bypassing the revocation.
Fix
Add if user.RevokedTimestamp != nil { return error } check after fetching user in both files.
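The following is an added illustration of the flaw and the fix described in this issue; it is not code from the project. It models a minimal `User` type with only the `RevokedTimestamp` field, an in-memory user table in place of the database, and placeholder token generation (`issueToken`), all of which are constructed assumptions. `verifyOTPUnchecked` reproduces the missing check, and `verifyOTPChecked` shows the revocation check placed directly after the user is fetched, as the issue asks, factored into a single `ensureNotRevoked` helper so that the login and verification paths can share one definition of "revoked".

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// User is a constructed, minimal stand-in for the project's user model: only the
// field discussed in the issue is modelled. A nil RevokedTimestamp means the
// account is active; a non-nil value records (as a Unix time) when access was revoked.
type User struct {
	ID               string
	Email            string
	RevokedTimestamp *int64
}

var (
	ErrUserNotFound = errors.New("user not found")
	ErrUserRevoked  = errors.New("user access has been revoked")
	ErrInvalidCode  = errors.New("invalid verification code")
)

// seedStore builds a constructed in-memory user table with one active and one
// revoked account, standing in for the database the real handlers query.
func seedStore() map[string]*User {
	revokedAt := int64(1700000000) // constructed timestamp
	return map[string]*User{
		"active@example.com":  {ID: "u1", Email: "active@example.com"},
		"revoked@example.com": {ID: "u2", Email: "revoked@example.com", RevokedTimestamp: &revokedAt},
	}
}

// findUserByEmail is the "fetching user" step from the issue.
func findUserByEmail(store map[string]*User, email string) (*User, error) {
	u, ok := store[email]
	if !ok {
		return nil, ErrUserNotFound
	}
	return u, nil
}

// ensureNotRevoked is the check the issue asks for. Keeping it in one helper lets
// Login, verify_email and verify_otp share a single definition of "revoked", so a
// new authentication path cannot silently omit it.
func ensureNotRevoked(u *User) error {
	if u.RevokedTimestamp != nil {
		return ErrUserRevoked
	}
	return nil
}

// issueToken is a placeholder for the project's token generation.
func issueToken(u *User) string {
	return "token-for-" + u.ID
}

// codeMatches compares the submitted code to the expected one in constant time.
func codeMatches(submitted, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(submitted), []byte(expected)) == 1
}

// verifyOTPUnchecked reproduces the flaw the issue describes: after fetching the
// user it validates the code and mints a token without ever looking at
// RevokedTimestamp, so a revoked account still gets a valid session.
func verifyOTPUnchecked(store map[string]*User, email, code, expected string) (string, error) {
	u, err := findUserByEmail(store, email)
	if err != nil {
		return "", err
	}
	if !codeMatches(code, expected) {
		return "", ErrInvalidCode
	}
	return issueToken(u), nil
}

// verifyOTPChecked applies the fix: the revocation check runs immediately after
// the user is fetched and before the code is even examined, matching what the
// Login method already does.
func verifyOTPChecked(store map[string]*User, email, code, expected string) (string, error) {
	u, err := findUserByEmail(store, email)
	if err != nil {
		return "", err
	}
	if err := ensureNotRevoked(u); err != nil {
		return "", err
	}
	if !codeMatches(code, expected) {
		return "", ErrInvalidCode
	}
	return issueToken(u), nil
}

func main() {
	store := seedStore()
	flows := []struct {
		name string
		f    func(map[string]*User, string, string, string) (string, error)
	}{{"unchecked", verifyOTPUnchecked}, {"checked", verifyOTPChecked}}
	for _, fl := range flows {
		tok, err := fl.f(store, "revoked@example.com", "123456", "123456")
		fmt.Printf("%-9s revoked user: token=%q err=%v\n", fl.name, tok, err)
	}
}
```

Running `main` shows the unchecked flow handing a token to the revoked account while the checked flow returns `ErrUserRevoked`. The same `ensureNotRevoked` call belongs in every path that ends in token issuance (password login, email verification, OTP, magic link), which is the general form of the fix the issue describes for the two files named.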