Actions - prevent login when email not verified

I would like to prevent login when a user has an unverified email. I know you cannot show errors from rules / actions on the login page.
For my tenant I have several different applications, and I would not like to implement this event handler in each of them, so I have an idea to:

  1. build an independent webapp that will handle this event
  2. use actions after login

I did a simple action (for simplicity, I omit the topic of token generation and verification):

```js
exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    api.redirect.sendUserTo("https://mywebapp_for_show_error.com");
  }
};

exports.onContinuePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    // Here I would like the login process to start again
  }
};
```

How can I get the flow to check if the email is verified?

Hi @jakub.sztukowski

You are on the right track. I don’t understand your question, though.

Your app at mywebapp_for_show_error.com can either be a simple error page, or it can say “Please check your email and verify it, once you have done that click the continue button”. And the continue button returns to the login flow (via the /continue endpoint).

John

1 Like

Hi, thank you for your response.
Yes, after the user clicks the continue button, I can go back to the login flow (/continue), but sometimes users click the continue button without clicking on verify email. I would like to redirect again to mywebapp_for_show_error.com because event.user.email_verified is still false. I can't do this because it doesn't work in exports.onContinuePostLogin. Is there any way to start the login flow again?
Jakub

Hi @jakub.sztukowski

You cannot redirect a second time - each login flow is limited to a single redirect.

The easy answer is to fail the login with an unauthorized error, and tell the user to try again after they have verified their email.

The more user friendly but complex answer is to pull the user info before invoking the continue endpoint to make sure they have verified.

John

1 Like
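The single redirect from the first post combined with the "fail the login" answer above, as an added example that is not part of the thread and not Auth0's own code. `NOTICE_URL` and the `decide` helper are hypothetical names, and the example assumes `event.user.email_verified` is readable in `onContinuePostLogin`; if that value is stale, the user is denied and has to log in again, so the check fails closed.

```javascript
// Added example. NOTICE_URL is a placeholder for the page that tells the
// user to verify their email and then resumes the flow via /continue.
const NOTICE_URL = "https://notice.example.com/verify-email";

// Pure decision function (hypothetical helper): what to do at each stage.
// Only a strict boolean true counts as verified, so a missing claim or a
// string such as "true" is treated as unverified.
function decide(stage, user) {
  if (user && user.email_verified === true) return "allow";
  // One redirect per login flow: redirect on the first pass, deny on the second.
  return stage === "execute" ? "redirect" : "deny";
}

async function onExecutePostLogin(event, api) {
  if (decide("execute", event.user) === "redirect") {
    api.redirect.sendUserTo(NOTICE_URL);
  }
}

async function onContinuePostLogin(event, api) {
  // A second redirect is not possible here, so end the attempt instead of
  // letting an unverified user through.
  if (decide("continue", event.user) === "deny") {
    api.access.deny("Please verify your email address, then log in again.");
  }
}

// Export the handlers when loaded as an Action (CommonJS).
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}
```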

Hi @jakub.sztukowski

I understand each login flow is limited to a single redirect.
I have an issue where the user enters an incorrect email and gets into an infinite loop,
because there is no way to insert a new email and the same old email is used (which the user is not able to confirm).

Do you have a suggestion for how I can improve this so that every time I redirect to /authorize the user has the possibility to choose login or sign up again?

Raul

I actually figured out a way.

Whenever a user has NOT confirmed their email, I logged the user out from the Auth0 session BEFORE showing them any response.

To achieve that, I redirected the user to the /v2/logout endpoint and then showed the user that they need to verify their email. This way the session is ended on the Auth0 side and the loop will not occur.

2 Likes

Perfect! Thanks for sharing it with the rest of the community!