Auth0 automatically verifying email addresses?

I’ve been trying to tap down a weird issue I’ve seen. On my website we have people sign up with a registration form that collects some information about them that we use to compare against a database to see if they’re already a customer of ours or a new one.

We have a testing version of our site where we use a variety of test accounts to test a variety of customer situations to make sure they work correctly. On our test site, we don’t require the email address to be verified because these email addresses aren’t real.

However, after a deployment a while ago I started to get a lot of complaints about how people were signing up and then when they try to click the link in the verification email they receive they get a verification failed.

Looking at the logs (which only last 2 days so I can’t do much historical checking and just have to sift through new sign ups) I see when it’s a problem, what happens is:

  1. they sign up
  2. their email address “changes” (why?)
  3. their account is unblocked
  4. they try to verify their email address but it fails.

(you can see the signup, address change, and unblocking all happen in the same minute, and time stamps reveal they happen within milliseconds, while the email verification link happens a bit later when the human user goes to try and verify the email)

However, this has been inconsistent to test. My external site developers try to test this but it always succeeds for them in the verification email working. The interesting thing is they’re all out of the same state that our site and company is based in, and the people/accounts who get this error are signing up from the same state as the company is located in. (which makes sense as we’re a local state only company and all our customers are located in the state we reside in)

This makes me think Auth0 is like treating local signups as safe, but external signups as “untrustworthy” and actually makes them verify their email address as legitimate.
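One way to pull the sequence described above out of a short log retention window, as an added example that is not part of the original post: it flags accounts whose signup, email change and unblock land within one second of each other, and counts the failed verifications that follow. The record fields, event labels and sample data are constructed assumptions, not the tenant's actual log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names and event labels are assumptions
# for illustration; map them from whatever your log export actually contains.
SAMPLE_LOGS = [
    {"user": "u1", "event": "signup",        "ts": "2024-01-10T15:02:11.120Z"},
    {"user": "u1", "event": "email_changed", "ts": "2024-01-10T15:02:11.347Z"},
    {"user": "u1", "event": "unblocked",     "ts": "2024-01-10T15:02:11.512Z"},
    {"user": "u1", "event": "verify_failed", "ts": "2024-01-10T15:09:40.000Z"},
    {"user": "u2", "event": "signup",        "ts": "2024-01-10T16:00:00.000Z"},
    {"user": "u2", "event": "verify_ok",     "ts": "2024-01-10T16:05:00.000Z"},
    {"user": "u3", "event": "signup",        "ts": "2024-01-10T09:00:00.000Z"},
    {"user": "u3", "event": "email_changed", "ts": "2024-01-10T12:00:00.000Z"},
    {"user": "u3", "event": "unblocked",     "ts": "2024-01-10T12:00:01.000Z"},
]

# The three events that happen back to back in the problem cases.
BURST = ("signup", "email_changed", "unblocked")


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspect_signups(logs, window=timedelta(seconds=1)):
    """Return users whose BURST events all fall inside `window`."""
    by_user = defaultdict(list)
    for rec in logs:
        by_user[rec["user"]].append((parse_ts(rec["ts"]), rec["event"]))

    suspects = {}
    for user, events in by_user.items():
        events.sort()
        first = {}
        for ts, ev in events:
            first.setdefault(ev, ts)  # keep the earliest occurrence of each event
        if not all(ev in first for ev in BURST):
            continue
        burst = [first[ev] for ev in BURST]
        span = max(burst) - min(burst)
        if span > window:
            continue  # a human-paced change, not an automated one
        failed = [ts for ts, ev in events
                  if ev == "verify_failed" and ts > max(burst)]
        suspects[user] = {"burst_ms": span // timedelta(milliseconds=1),
                          "failed_verifications": len(failed)}
    return suspects
```

Run on each fresh export before the two-day retention expires, so the flagged accounts can be compared by source IP, user agent or signup path.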

Hi @JamesMasonCVT,

Welcome to the Community!

This certainly sounds odd. Can you DM me your tenant name so I can take a look? I have seen automatic email verifications before, typically when a script is visiting the link programmatically.

Let me know,