Actions - prevent login when email not verified

I would like to prevent login when user has an not verified email. I know you cannot show errors from rules / actions on the login page.
For my tenant I have several different applications, I would not like to implement this event handler in each of them, so I have an idea to

  1. build an independent webapp that will handle this event
  2. use actions after login

I did a simple action (for simplicity, I omit the topic of token generation and verification):

exports.onExecutePostLogin = async (event, api) => {
if (! event.user.email_verified) {
api.redirect.sendUserTo (“https://mywebapp_for_show_error.com”);
}
};
exports.onContinuePostLogin = async (event, api) => {
if (! event.user.email_verified) {
// Here I would like the login process to start again
}
}

How can I get the flow to check if the email is verified?

Hi @jakub.sztukowski

You are on the right track. I don’t understand your question, though.

Your app at mywebapp_for_show_error.com can either be a simple error page, or it can say “Please check your email and verify it, once you have done that click the continue button”. And the continue button returns to the login flow (via the /continue endpoint).

John

1 Like

Hi, thank you for your response.
Yes after user click continue button, I can go back to login flow (/continue) but …sometimes users click the continue button without clicking in verify email . I would like redirect again to mywebapp_for_show_error.com becuse of event.user.email_verified is still false. I can;t do this beause at exports.onContinuePostLogin it doesn’t work. Is there any way to start login flow again?
Jakub

Hi @jakub.sztukowski

You cannot redirect a second time - each login flow is limited to a single redirect.

The easy answer is to fail the login with an unauthorized error, and tell the user to try again after they have verified their email.

The more user friendly but complex answer is to pull the user info before invoking the continue endpoint to make sure they have verified.

John

1 Like

Hi @jakub.sztukowski

I understand each login flow is limited to a single redirect.
I have an issue where the user enters incorrect email and he will get into infinity loop,
because there is no way to insert a new email and the same old email is used (which user is not able to confirm).

Do you have suggestion how can I improve this so that every time I redirect to /authorize the user has possibility to choose login or sign up again?

Raul

I actually figured out a way.

Whenever a user has NOT confirmed their email. I logged the user out from oauth0 session BEFORE showing them any response.

To achieve that I redirected user to /v2/logout endpoint and then showed user that they need to verify their email. This way the session is ended on auth0 side and the loop will not accrue.

1 Like

Perfect! Thanks for sharing it with the rest of community!