🐛 Bug Report: email verification #5741

Closed
2 tasks done
AidenY69 opened this issue Jun 23, 2023 · 8 comments
Assignee: stnguyen90
Labels: bug (Something isn't working); product / auth (Fixes and upgrades for the Appwrite Auth / Users / Teams services.)

Comments

AidenY69 commented Jun 23, 2023

👟 Reproduction steps

Signup for an account, you will automatically be logged in, and a verification email will be sent. The website will be fully accessible despite your account not being verified.

👍 Expected behavior

Instead, the user should register for the account, but instead of being logged in immediately after registering, they are kept logged out and the verification email is sent. Then, when they try logging in, you do a check: is verified = true. That way the user has to verify before even logging into the account.

TLDR: users are creating accounts and using them before their account is verified. There is no way to prevent this right now. The proper solution is to make the user unable to log in until the email is verified. Right now the cookie is what we get after we log in. We need the cookie to authenticate the user on the server side; without it we cannot send a verification email. Therefore it is impossible to prevent users from logging in before they verify their email.

👎 Actual Behavior

Signup for an account, you will automatically be logged in, and a verification email will be sent. The website will be fully accessible despite your account not being verified.

Right now the cookie is what we get after we log in. We need the cookie to authenticate the user on the server side; without it we cannot send a verification email. Therefore it is impossible to prevent users from logging in before they verify their email.

Code used

  // tRPC mutation on the app server. `protectedProcedure`, `AppwriteClient`
  // and `log` are project-local; `z` is zod.
  sendAccountVerification: protectedProcedure
    .input(z.object({ url: z.string() }))
    .mutation(async ({ ctx, input }) => {
      const { url } = input;
      // The Appwrite session cookie forwarded by the browser. Without it the
      // server cannot act as the user, so no verification can be created.
      const cookie = ctx.req.headers.cookie;
      if (!cookie) return { success: false };

      const appwrite = new AppwriteClient(cookie);
      try {
        // Sends the verification email for the session's own account; `url`
        // is the page the link in that email redirects back to.
        await appwrite.account.createVerification(url);
        const user = await appwrite.account.get();

        log.info(
          { userId: user.$id },
          `Verification email sent to: ${user.email}`
        );
      } catch (e) {
        // Report the failure to the caller instead of claiming success.
        log.error(e);
        return { success: false };
      }

      return { success: true };
    }),

🎲 Appwrite version

Version 1.3.x

💻 Operating system

Linux

🧱 Your Environment

No response

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find a similar issue

🏢 Have you read the Code of Conduct?

AidenY69 added the "bug" label Jun 23, 2023

Haimantika (Contributor) commented:

Thanks for raising this issue @AidenY69 , our team will look into it soon 🙏

stnguyen90 added the "product / auth" label and self-assigned this issue Jun 23, 2023

stnguyen90 (Contributor) commented:

@AidenY69, thanks for raising this issue! 🙏🏼

Signup for an account, you will automatically be logged in, and a verification email will be sent.

I'm not sure what you mean by this since the Create Account API doesn't automatically create a session or send a verification email. 🧐

Regardless, everything is working as expected. Appwrite doesn't require users to be verified, as there are some cases where a developer may not want to require a user to be verified. In addition, in order to call the Create Email Verification API, the user must have a session (be logged in).

If I want to require users to be verified before using my app, I would restrict access to documents/storage/etc, to verified users (Role.users("verified")). When a user logs in, my app can check their status and then, if they aren't verified, show a message saying verification is required and have a button they can click/tap to call the Create Email Verification API.

AidenY69 (Author) replied:

In addition, in order to call the Create Email Verification API, the user must have a session (be logged in).

This is the issue I'm referring to. My whole platform should be restricted to verified users, so for me to do that it would be unnecessarily complex to add that to every section of the code, when instead there should be the ability to create a verification without having a logged in session. Just immediately after registering should be able to create a temporary token that can be used to send that verification email.

stnguyen90 (Contributor) replied:

@AidenY69,

My whole platform should be restricted to verified users

Again, this is done by restricting access to resources to Role.users("verified") and it should be fine to allow users to log in while not verified since they won't be able to access any documents or files.

stnguyen90 (Contributor) replied:

@AidenY69,

Just immediately after registering should be able to create a temporary token that can be used to send that verification email.

What happens if they lose that verification email or it expires? How would they send another one?

there should be the ability to create a verification without having a logged in session

How would you prevent someone from requesting a verification email for another user without requiring the user to log in?

Would you like any more help, or can this be closed?

AidenY69 (Author) commented Aug 3, 2023

What happens if they lose that verification email or it expires? How would they send another one?

They put their username and credentials in. System checks if they are verified. If not, then a verification email is sent. If they are verified, then they are logged in.

How would you prevent someone from requesting a verification email for another user without requiring the user to log in?

They type their username and password as if they are logging in; the hurdle happens after that phase, before logging them into the platform. Think of it as a foyer. It's not a hard concept, but it prioritizes security.
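The thread above contains three pieces that fit together: the issue's expected behaviour (check verification before the user gets a usable login), stnguyen90's suggestion to lock resources to `Role.users("verified")` and check status after login, and the "foyer" described in the reply just above. The following is an added example, not code from the issue, from AidenY69 or from Appwrite, that puts them side by side. It assumes an `AccountApi` interface whose method names follow the Appwrite 1.3 web SDK (`createEmailSession`, `get`, `createVerification`, `deleteSession`) but is backed here by a constructed in-memory `FakeAccount` so it runs offline; `Role` and `Permission` are local helpers reproducing Appwrite's `read("users/verified")` permission-string format, not the SDK's own classes, and the two users and the `https://app.example/verify` URL are made up.

```typescript
// Added example, not code from the issue or from Appwrite. AccountApi mirrors
// Appwrite 1.3 SDK method names; FakeAccount is a constructed offline stand-in.

// Only the user fields the gate needs (Appwrite's user model has more).
interface User {
  $id: string;
  email: string;
  emailVerification: boolean;
}

// Slice of the Account service the gate depends on. Names mirror the SDK,
// but nothing in this file calls the real SDK.
interface AccountApi {
  createEmailSession(email: string, password: string): Promise<{ $id: string }>;
  get(): Promise<User>;
  createVerification(url: string): Promise<void>;
  deleteSession(sessionId: string): Promise<void>;
}

// Local helpers reproducing Appwrite's permission string format, e.g.
// read("users/verified"). Role.users("verified") is the role named in the thread.
const Role = {
  users: (status: "verified" | "unverified" | "" = "") =>
    status ? `users/${status}` : "users",
};
const Permission = {
  read: (role: string) => `read("${role}")`,
  create: (role: string) => `create("${role}")`,
  update: (role: string) => `update("${role}")`,
  delete: (role: string) => `delete("${role}")`,
};

// Permission set for a collection or bucket that only verified users may touch.
// An unverified user can hold a session and still reach none of its contents.
function verifiedOnlyPermissions(): string[] {
  const verified = Role.users("verified");
  return [Permission.read(verified), Permission.create(verified),
          Permission.update(verified), Permission.delete(verified)];
}

type GateResult =
  | { status: "ok"; sessionId: string; userId: string }
  | { status: "verification_required"; userId: string };

// The "foyer": authenticate with credentials, keep the session only if the
// account is verified. For an unverified account the fresh session is used once
// to request the verification email (the API needs a session for that) and then
// deleted, so the browser never receives a usable cookie. Requiring the
// password is what stops anyone triggering emails for an account they don't own.
async function loginWithVerificationGate(
  account: AccountApi, email: string, password: string, verifyUrl: string,
): Promise<GateResult> {
  const session = await account.createEmailSession(email, password);
  const user = await account.get();
  if (user.emailVerification) {
    return { status: "ok", sessionId: session.$id, userId: user.$id };
  }
  try {
    await account.createVerification(verifyUrl);
  } finally {
    await account.deleteSession(session.$id);
  }
  return { status: "verification_required", userId: user.$id };
}

// Constructed fake of the Account service (assumption: not the Appwrite SDK).
class FakeAccount implements AccountApi {
  sentVerifications: string[] = [];
  activeSessions = new Set<string>();
  private current?: User;
  private seq = 0;
  constructor(private users: Record<string, { password: string; user: User }>) {}

  async createEmailSession(email: string, password: string) {
    const entry = this.users[email];
    if (!entry || entry.password !== password) throw new Error("invalid credentials");
    this.current = entry.user;
    const $id = `sess_${++this.seq}`;
    this.activeSessions.add($id);
    return { $id };
  }
  async get(): Promise<User> {
    if (!this.current) throw new Error("no active session");
    return this.current;
  }
  // Like the real API, this only works for the account that owns the session.
  async createVerification(_url: string): Promise<void> {
    if (!this.current) throw new Error("no active session");
    this.sentVerifications.push(this.current.email);
  }
  async deleteSession(sessionId: string): Promise<void> {
    this.activeSessions.delete(sessionId);
    this.current = undefined;
  }
}

// Constructed sample users: one verified, one not.
const demoAccount = new FakeAccount({
  "alice@example.com": { password: "alice-pw", user: { $id: "u1", email: "alice@example.com", emailVerification: true } },
  "bob@example.com": { password: "bob-pw", user: { $id: "u2", email: "bob@example.com", emailVerification: false } },
});
```

Used from a server route such as the tRPC mutation in the issue, `loginWithVerificationGate` would set the session cookie only on the `ok` branch and show the "verification required" screen otherwise; `verifiedOnlyPermissions()` is what you would pass when creating the collection or bucket so that even a session obtained some other way sees nothing until the email is confirmed.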

stnguyen90 (Contributor) replied:

@AidenY69,

They put their username and credentials in. System checks if they are verified.

What you're describing is logging in.

Would you like any more help, or can this be closed?

AidenY69 (Author) commented Aug 5, 2023

What you're describing is logging in.

No. One is logging in and accessing a protected site, such as a SaaS platform for users. The other is allowing users to register and force a verification to occur prior to them accessing the main platform.

Closing the issue as it's clear we aren't going to get anywhere with this.
