This is immediately sending a 2FA code to the newly created user’s email, as though they requested to login. In the title of the email, I see the name of the Machine to Machine app whose credentials I am using to issue the API call.
I tested this on my end and could not reproduce the same behavior.
When I created a new user with the email connection, there was no 2FA code. I tried this multiple times, and each time, I did not receive any 2FA codes.
It seems like the user is logging in, as you suspected. Could you try checking your logs when you create a new user to see if there are any login events following that?
Hey Rueben! Thanks a bunch for looking into this. I will take a look at the logs when I get home tonight, but I was wondering if the behavior below offers any hints as to what might be going wrong.
Last night, I noticed that if I set the email_verified field to true in the create request, the issue subsides. I’m ok with this solution for now, but it somehow doesn’t seem right to set that field to true since in theory the email I provide might not be a real email address, or the user may never log in.
Sure, that sounds good. I’ll look forward to your next update after you check the logs.
Yes, that’s correct. You should ask the user to verify their email addresses so that only legitimate email addresses can log in.
To clarify, are you referring to the verification or 2FA code emails?
Generally, if you set the email_verified: true, the verification email is not sent. However, the user will receive a verification email if email_verified: false or was not specified.
The 2FA code email will only happen if the user attempts to log in.
I just checked my logs, and it turns out that for some reason, an event of type “Code/Link Sent” is being sent when I call the create API.
I want to share the content of the log but I’m worried about leaking sensitive data.
But basically, when I hit the create API, I see two logs.
One is of type “API Operation” and the description is “Create a user”, and the other is the one I described above, which seems to be the one that is sending the 2FA code.
I checked my application logs, and there doesn’t seem to be anything that’s trying to log the newly created user in.
Thoughts?
Thanks for confirming that I should ask users to verify their email.
Also, yes I was referring to 2FA code.
Update: I also checked the logs for this particular new user, in the “History” tab. There are 0 events logged, and the table says " There are no logs yet."
I have tested creating a passwordless email user and noticed the same behavior in my logs. Specifically, I got an “API Operation” and “Code/link Sent” log after creating the user.
Now, if you would like to prevent the verification email from sending to the user, you will need to add "email_verified": true when creating these users.