Auth0 keeps sending confirmation email on every login

_qa100 · June 23, 2022, 5:03pm

Hello,

I have not configured this instance of auth0, but strange thing is happening, whenever anyone logs in, the confirmation email is sent. Besides receiving an email I see this event “Success Verification Email Request” at the Monitoring > Logs page.

How can I find out where is this email triggered from? The email has already been verified, I can check this information from Users page by going to user I logged in as.

The confirmation email is needed as a great feature, for the users that really didn’t verify their email but having email sent after each email is annoying, any ideas where to check, where this might be triggered from?

rueben.tiow · June 24, 2022, 12:40am

Hi @_qa100,

Welcome to the Auth0 Community!

I understand that you have been observing the Verification Email sent every time the user logs in.

From what I can tell, this seems to be triggered from either a Rule or a Post-Login Action since it is happens after each successful login.

With that, could you please check your Rules and Post-Login Actions to see if you have any code in your scripts that is calling the Management API’s Send an email address verification email endpoint?

I am looking forward to your reply.

Thank you!

_qa100 · June 24, 2022, 6:15pm

hi Rueben,

We have few rules, I’ve turned them off one by one to see which one could be causing it. There were two rules which when I turned them off the app wasn’t functioning, one of them is called get role with this code:

function (user, context, callback) {
  const namespace = 'https://myappurl/oauth';

  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  idTokenClaims[`${namespace}/role`] = assignedRoles;
  accessTokenClaims[`${namespace}/role`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  callback(null, user, context);
}

Another one is called “Set basic role to a new users” with this code:

function setRolesToUser(user, context, callback) {
	const ManagementClient = require('auth0@2.27.0').ManagementClient;

  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  const count = context.stats && context.stats.loginsCount ? context.stats.loginsCount : 0;
  if (count > 1) {
    return callback(null, user, context);
  }

  const params =  { id : user.user_id};
  const data = { "roles" : ["xxx"]};

  management.users.assignRoles(params, data, function (err, user) {
    if (err) {
      // Handle error.
      console.log(err);
    }
    console.log("success");
    callback(null, user, context);
  });

}

With regards to Post login actions, I only see Login in the Flows link. That is what I see

Is there anything else I can have a look, isn’t there some kind of audit/log to be able to see the caller of this email verification endpoint?

rueben.tiow · June 27, 2022, 5:01pm

Hi @_qa100,

Thank you for your response.

After inspecting your Rules and Actions, I did not find any code involving a verification email being sent.

In this situation, could you please send me a direct message of your tenant and the application name you are using?

I would like to investigate this further.

Thank you.