diff --git a/server/users/mutations_public.py b/server/users/mutations_public.py
index 88e897c7..98d81519 100644
--- a/server/users/mutations_public.py
+++ b/server/users/mutations_public.py
@@ -61,8 +61,8 @@ class Login(relay.ClientIDMutation):
             magento_token.save()
 
             if not hep_client.is_email_verified(username):
-                # Todo handle unverifed emails
-                pass
+                error = LoginError(field='email_not_verified')
+                return cls(success=False, errors=[error])
 
             try:
                 license = License.objects.get(licensee=user)
diff --git a/server/users/tests/test_login.py b/server/users/tests/test_login.py
index 02158f3c..9b25dcdb 100644
--- a/server/users/tests/test_login.py
+++ b/server/users/tests/test_login.py
@@ -163,20 +163,26 @@ class PasswordResetTests(TestCase):
         result = self.make_login_mutation(ME_DATA['email'], 'test123')
 
         self.assertFalse(result.get('data').get('login').get('success'))
-        # todo check message
+        self.assertEqual(result.get('data').get('login').get('errors')[0].get('field'), 'invalid_credentials')
 
+    @patch.object(HepClient, 'customer_token', return_value={'token': FAKE_TOKEN})
     @patch.object(HepClient, 'is_email_verified', return_value=False)
-    def test_user_with_unconfirmed_email_cannot_login(self, post_fn):
+    @patch.object(HepClient, 'customer_me', return_value=ME_DATA)
+    def test_user_with_unconfirmed_email_cannot_login(self, me_fn, post_fn, token_fn):
         result = self.make_login_mutation(ME_DATA['email'], 'test123')
 
+        user = User.objects.get(email=ME_DATA['email'])
+        token = MagentoToken.objects.get(user=user)
+        self.assertEqual(token.token, FAKE_TOKEN)
+
         self.assertFalse(result.get('data').get('login').get('success'))
-        # todo check message
+        self.assertEqual(result.get('data').get('login').get('errors')[0].get('field'), 'email_not_verified')
 
     ## can login with license and user
     ## can login with no user and license
     # ?can login with no user and local license
     ## cannot login without user
-    # cannot login with user and not verfied
+    ## cannot login with user and not verfied
     # cannot login with user and no license
     # cannot login with user and expired license
     # non 200 error