diff --git a/src/controllers/userController.ts b/src/controllers/userController.ts
index 6ad10ae..868d756 100644
--- a/src/controllers/userController.ts
+++ b/src/controllers/userController.ts
@@ -46,7 +46,6 @@ import rabbitmq from "../rabbitmq/rabbitmq";
 import verifyCaptcha from "../utils/recaptcha";
 import EmailVerification from "../models/emailVerification";
 import UserPendingEmailChange from "../models/userPendingEmailChange";
-import UserPendingPayment from "../models/userPendingPayment";
 import StoreServiceActivity from "../models/storeServiceActivity";
 import StoreService from "../models/storeService";
 import StoreServiceActivityUsers from "../models/storeServiceActivityUsers";
@@ -238,6 +237,7 @@ export async function Login(req: Request, res: Response) {
 // user is on the login page on the first step of the login process
 // and only needs to enter their email to get the user state to know what to do next
+ /*
 if (password === undefined) {
 // user has signed up but not completed payment
 // happens when user closed stripe checkout before completing payment
@@ -270,7 +270,7 @@ export async function Login(req: Request, res: Response) {
 }
 return res.status(200).send({ state: user.state });
- }
+ } */
 // validate recaptcha
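Review bot: Wrapping the password-less first-step block in `/* … */` (opened in the @@ -238 hunk, closed in the @@ -270 hunk) leaves roughly thirty lines of dead code inside Login; deleting the block instead keeps the function readable and version control still preserves the old behaviour, and the removed UserPendingPayment import already shows the code is no longer meant to run. With that early return gone, a request that omits `password` now falls through to the recaptcha and credential checks below, so the request validation should reject it explicitly, e.g. `if (!email || !password || !recaptcha) return res.status(400).send({ err: "invalid request" });`, rather than relying on the credential comparison to fail on `undefined`. Login's body starts before and continues after these hunks, so whether such a check already exists cannot be confirmed from here.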
@@ -330,24 +330,33 @@ export async function Login(req: Request, res: Response) {
 });
 }
- rabbitmq.sendEmail(
- email,
- "dashboardSecurityInfoNewAccountLogin",
- user.language,
- {
- os: getUserAgentOS(req),
- email: email,
- }
- );
+ if (user.state === ACCOUNT_STATE.ACTIVE) {
+ // create session
+ saveSession(req, res, user.user_id, rememberMe);
- userLogger.info(user.user_id, "User logged in");
+ rabbitmq.sendEmail(
+ email,
+ "dashboardSecurityInfoNewAccountLogin",
+ user.language,
+ {
+ os: getUserAgentOS(req),
+ email: email,
+ }
+ );
- // create session
- saveSession(req, res, user.user_id, rememberMe);
+ userLogger.info(user.user_id, "User logged in");
+ } else {
+ res.status(200).send({ state: user.state });
+
+ userLogger.info(
+ user.user_id,
+ "User logged in, but account state is not active"
+ );
+ }
 telegramNotification(
 1,
- `User logged in: user_id: ${user.user_id} email: ${email}`
+ `User logged in: user_id: ${user.user_id} email: ${email} state: ${user.state}`
 );
 } catch (error) {
 logger.error("login error", error as string);
@@ -361,7 +370,7 @@ export async function ForgotPassword(req: Request, res: Response) {
 // validate request
- if (!email || !recaptcha || (await isEmailValid(email))) {
+ if (!email || !recaptcha || !(await isEmailValid(email, false))) {
 return res.status(400).send({ err: "invalid request" });
 }
@@ -388,7 +397,8 @@ export async function ForgotPassword(req: Request, res: Response) {
 });
 if (!user) {
- return res.status(400).send({ err: "invalid request" });
+ // sending success to prevent email enumeration
+ return res.status(200).send({ msg: "success" });
 }
 // create email verification
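Review bot: The `else` branch logs "User logged in, but account state is not active" although no session is created there, so the audit trail reads as a successful login for an account that was refused; rephrase it to something like `"Credentials valid but account state is not active; no session created"` so log searches for real logins stay clean. The branch would also benefit from a one-line comment explaining why the state is returned to the client without a session, e.g. `// credentials verified but onboarding is incomplete: return the state so the client can route, never a session`, since that intent is otherwise only hinted at by a comment near the top of Login. Login's body starts outside the hunk.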
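Review bot: The bare `false` passed to isEmailValid in the @@ -361 hunk is opaque at the call site, so a reader cannot tell which check it disables or whether that is safe for a password-reset request; add a short comment naming the flag, e.g. `!(await isEmailValid(email, false)) // false: <placeholder — name what the second argument turns off>`, or give the helper an options object instead of a positional boolean. The rest of ForgotPassword's body lies outside the hunk.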
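Review bot: Returning 200 for an unknown address in the @@ -388 hunk only blocks enumeration if the found-user path answers with the same status and body, so the success response later in ForgotPassword (outside this hunk) must send exactly `{ msg: "success" }` as well; a shared constant for that body would keep them from drifting apart. The unknown-user branch also returns before the verification record is created and the email is queued, so response latency still differs between the two outcomes; if that matters here, respond before the slow work in both branches or move the slow work off the request path. The email-format check in the earlier hunk still returns 400, which is fine because it does not depend on whether the account exists.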