🐛 Bug Report: email verification #5741
Comments
Thanks for raising this issue @AidenY69, our team will look into it soon 🙏
@AidenY69, thanks for raising this issue! 🙏🏼
I'm not sure what you mean by this since the Create Account API doesn't automatically create a session or send a verification email. 🧐 Regardless, everything is working as expected. Appwrite doesn't require users to be verified, as there are some cases where a developer may not want to require a user to be verified. In addition, in order to call the Create Email Verification API, the user must have a session (be logged in). If I want to require users to be verified before using my app, I would restrict access to documents/storage/etc, to verified users (
This is the issue I'm referring to. My whole platform should be restricted to verified users, so for me to do that it would be unnecessarily complex to add that to every section of the code, when instead there should be the ability to create a verification without having a logged-in session. Just immediately after registering, it should be possible to create a temporary token that can be used to send that verification email.
Again, this is done by restricting access to resources to
What happens if they lose that verification email or it expires? How would they send another one?
How would you prevent someone from requesting a verification email for another user without requiring the user to log in? Would you like any more help, or can this be closed?
They put their username and credentials in. System checks if they are verified. If not, then a verification email is sent. If they are verified, then they are logged in.
They type their username and password, as if they are logging in; the hurdle happens after that phase, before logging them into the platform. Think of it as a foyer. It's not a hard concept, but prioritizes security.
What you're describing is logging in. Would you like any more help, or can this be closed?
No. One is logging in and accessing a protected site, such as a SaaS platform for users. The other is allowing users to register and force a verification to occur prior to them accessing the main platform. Closing the issue as it's clear we aren't going to get anywhere with this.
👟 Reproduction steps
Sign up for an account; you will automatically be logged in, and a verification email will be sent. The website will be fully accessible despite your account not being verified.
👍 Expected behavior
Instead, the user should register for the account, but instead of being logged in immediately after registering, they are still kept logged out, and the verification email is sent. Then, when you try logging in, you do a check: is verified = true. That way the user has to verify before even logging into the account.
TLDR: users are creating accounts and using them before their account is verified. There is no way to prevent this right now. Proper solution is to make the user not be able to log in until the email is verified. Right now the cookie is what we get after we log in. We need the cookie to authenticate the user on the server side; without it we cannot send a verification email. Therefore it is impossible to prevent users from logging in before they verify their email.
👎 Actual Behavior
Sign up for an account; you will automatically be logged in, and a verification email will be sent. The website will be fully accessible despite your account not being verified.
Right now the cookie is what we get after we log in. We need the cookie to authenticate the user on the server side; without it we cannot send a verification email. Therefore it is impossible to prevent users from logging in before they verify their email.
Code used
🎲 Appwrite version
Version 1.3.x
💻 Operating system
Linux
🧱 Your Environment
No response
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?
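The flow discussed in this thread (check the credentials, then either send a verification email or log the user in) can be sketched as a server-side gate. This is an added example, not Appwrite code and not written by any participant; the in-memory store, the function names, the resend cooldown and the PBKDF2 iteration count are all assumptions.

```python
import hashlib, hmac, secrets, time

RESEND_COOLDOWN = 60   # assumed: seconds between verification mails per account
PBKDF2_ROUNDS = 600_000  # assumed work factor
users = {}             # constructed in-memory store: email -> record
outbox = []            # stands in for the mail sender: (email, token)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(email, password):
    """Create the account without creating a session."""
    salt = secrets.token_bytes(16)
    users[email] = {"salt": salt, "pw": _pw_hash(password, salt),
                    "verified": False, "token_hash": None, "last_mail": None}

def login(email, password, now=None):
    """Credentials are checked first; a session is issued only once verified."""
    now = time.time() if now is None else now
    user = users.get(email)
    # Same response body for an unknown account and a wrong password.
    if user is None or not hmac.compare_digest(
            _pw_hash(password, user["salt"]), user["pw"]):
        return {"status": "denied"}
    if not user["verified"]:
        # Only a caller who proved the password reaches this branch,
        # and resends are throttled per account.
        if user["last_mail"] is None or now - user["last_mail"] >= RESEND_COOLDOWN:
            token = secrets.token_urlsafe(32)
            user["token_hash"] = hashlib.sha256(token.encode()).digest()
            user["last_mail"] = now
            outbox.append((email, token))
        return {"status": "verification_required"}  # no session issued
    return {"status": "ok", "session": secrets.token_urlsafe(32)}

def verify(email, token):
    """Consume the mailed token once; only its hash is kept server-side."""
    user = users.get(email)
    if user is None or user["token_hash"] is None:
        return False
    supplied = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(supplied, user["token_hash"]):
        return False
    user["verified"], user["token_hash"] = True, None
    return True
```
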