Overview
This article provides steps to implement email verification, preventing users with unverified emails from proceeding post-registration or sign-in. It also covers displaying informative messages to these users.
Applies To
- Email Verification
- Best Practice
Solution
For a demonstration, refer to the following video.
The following methods can be used to enforce email verification. The methods are presented starting with a commonly used approach.
- Use a Post-Login Action to Deny Access: This approach checks the email_verified property after a user logs in. If the email is not verified, access to the application is denied.
  - Create a post-login Action.
  - Within the Action, access the event.user.email_verified property.
  - If event.user.email_verified is false, use the api.access.deny() method. Provide a message that informs the user to verify their email. This action redirects the user back to the application's callback endpoint. This endpoint must be configured to parse the error and display a user-friendly message.

  Example post-login Action:

    exports.onExecutePostLogin = async (event, api) => {
      // Block the login when the user's email address has not been verified.
      if (!event.user.email_verified) {
        api.access.deny('Please verify your email before logging in.');
      }
    };
- Send Verification Email Using Forms For Actions: The Forms For Actions feature provides a template for the email verification process.
  - A SendGrid account is a prerequisite for this method.
  - This feature sends a verification email each time the user logs in and the specific Form is invoked.
  - It remains effective even if an initial verification email expires.
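The post-login Action approach above depends on the application's callback endpoint parsing the error. The following sketch of that step is an added example, not Auth0's code or part of the original article. It assumes the reason passed to api.access.deny() arrives as error_description alongside error=access_denied (the OAuth 2.0 error response parameters); the function name, message texts and sample URLs are hypothetical. Because anyone can craft a callback URL, it maps the error to text the application owns instead of echoing the query string.

```javascript
// Added example, not Auth0's code. Assumption: the reason passed to
// api.access.deny() arrives as error_description with error=access_denied.
const DENY_REASON = 'Please verify your email before logging in.'; // same string as the Action

// Text the application owns; nothing from the query string is echoed back.
const MESSAGES = {
  unverified: 'Your email address is not verified yet. Check your inbox for the verification link, then sign in again.',
  denied: 'Sign-in was denied. Contact support if this keeps happening.',
  failed: 'Sign-in could not be completed. Please try again.',
};

// Constructed sample callbacks (app.example.test is a placeholder host).
const SAMPLE_UNVERIFIED = 'https://app.example.test/callback?error=access_denied' +
  '&error_description=Please%20verify%20your%20email%20before%20logging%20in.&state=abc123';
const SAMPLE_FORGED = 'https://app.example.test/callback?error=access_denied' +
  '&error_description=%3Cb%3Eforged%20text%3C%2Fb%3E&state=abc123';

// expectedState is the value the application stored before redirecting to login.
function classifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // A callback whose state does not match was not started by this session.
  if (!expectedState || params.get('state') !== expectedState) {
    return { kind: 'failed', message: MESSAGES.failed };
  }
  const error = params.get('error');
  if (error === null) {
    return params.has('code')
      ? { kind: 'success', message: null }
      : { kind: 'failed', message: MESSAGES.failed };
  }
  if (error === 'access_denied') {
    // Exact match on the known reason; any other description is untrusted input.
    const known = params.get('error_description') === DENY_REASON;
    const kind = known ? 'unverified' : 'denied';
    return { kind, message: MESSAGES[kind] };
  }
  return { kind: 'failed', message: MESSAGES.failed };
}

console.log(classifyCallback(SAMPLE_UNVERIFIED, 'abc123').message);
console.log(classifyCallback(SAMPLE_FORGED, 'abc123').message);
```

If the deny message in the Action changes, DENY_REASON must change with it, otherwise unverified users fall through to the generic denied message.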