I am trying to implement this feature without requiring our clients to do any work:
“When a user attempts to login (and provides valid credentials) but they have not yet verified their email, keep them on the Hosted Login Page (HLP) and present them with a validation message informing them that their email is not yet verified.”
It seems to me, after researching this doco, however, that this is not possible without significant (and likely very fragile) work:
The problems are essentially:
- what I really want to do is fail the login (easy - raise an UnauthorizedError in a rule), but not return an error back to the client (hard)
- in order to not take the user back to the client, I am trying to use a redirect in a rule (using the doco above), but it is clearly geared towards completing a successful authentication, not re-trying a non-successful login
So without going into more detail about how it is possible but very hard & fragile to accomplish the above, is this scenario possible using an approach that does not involve issuing a redirect within a rule, and does not provide a (HTTP) response back to the client, so that the user stays on the HLP?