How to handle session in Email verification codes flow?

[bdrtsky]

The official docs guide recommends setting session right after OTP code requested https://lucia-auth.com/guides/email-and-password/email-verification-codes

await generateEmailVerificationCode(userId, email);
await sendVerificationCode(email, verificationCode);

const session = await lucia.createSession(userId, {});
const sessionCookie = lucia.createSessionCookie(session.id);

This means if we check auth in our app like this, user becomes authenticated even before we verify his access to email code

// protected page

export default async function ProtectedPage() {
  const { user } = await validateRequest();
  if (!user) {
    return redirect("/login");
  }

  return (
    <div>
      <h1>Protected Route</h1>
    </div>
  );
}

My initial guess was to check additionally user.emailVerified but user could have his email already verified if this is not the first login.

I couldn't find any related practice in Lucia, Oslo, Artic docs, and not in Copenhagen book.

My guess, is that I need to modify a session, to make it "limited" until user inputs code, then he receives full session.

But what is best practice? Maybe docs could be improved for this matter?

[alrightsure]

Just found this because I was googling the same thing. Also confused on how to handle this.