Best Practice of Enforcing Email Verification

Last Updated: Sep 19, 2024

Overview

This article details how email verification can be enforced so that users with unverified email addresses cannot proceed after registration or after signing in. It also clarifies whether a user-friendly message can be displayed to explain the reason and offer further instructions.

Applies To

  • Email Verification
  • Best Practice

Solution

Deny Users with Unverified Emails

To force email verification before allowing users to access an application, write a simple post-login Action (see the example below) to check for the email_verified property during a login. If a user does not pass this check, they will be redirected back to the application’s callback endpoint, which can be configured to parse the error and present the appropriate message to these users.

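// Post-login Action: deny the login when the user's email is not verified.
exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    // The reason string is passed back to the application's callback endpoint.
    api.access.deny(`Please verify your email before logging in.`);
  }
};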
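The callback side of the flow described above, as an added example that is not part of the original article or of Auth0's own code. It assumes the denial reaches the callback as `error=access_denied` with the Action's reason string in `error_description`; the function name, message table and `app.example` host are hypothetical.

```javascript
// Must match the reason string passed to api.access.deny() in the Action.
const UNVERIFIED_REASON = 'Please verify your email before logging in.';

// Fixed, application-owned messages. The callback query string can be crafted
// by anyone who builds a link to the callback, so it is never echoed to the page.
const MESSAGES = {
  email_unverified:
    'Your email address is not verified yet. Open the verification email, then sign in again.',
  denied: 'Sign-in was denied. Please try again or contact support.',
  other: 'Sign-in failed. Please try again.',
};

// Classify a callback URL and pick the message to show (hypothetical helper).
function classifyCallback(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get('error');
  if (error === null) {
    return { ok: true, kind: null, message: null }; // no error: continue the login
  }
  const description = params.get('error_description') || '';
  let kind = 'other';
  if (error === 'access_denied') {
    // An exact match selects the verification hint; anything else is generic.
    kind = description === UNVERIFIED_REASON ? 'email_unverified' : 'denied';
  }
  return { ok: false, kind, message: MESSAGES[kind] };
}

// Constructed sample callback URLs (not captured traffic).
const samples = [
  'https://app.example/callback?code=abc123&state=xyz',
  'https://app.example/callback?error=access_denied' +
    '&error_description=Please%20verify%20your%20email%20before%20logging%20in.&state=xyz',
  'https://app.example/callback?error=access_denied' +
    '&error_description=%3Cb%3Espoofed%20notice%3C%2Fb%3E&state=xyz',
];
for (const url of samples) {
  const result = classifyCallback(url);
  console.log(result.ok ? 'continue login' : `${result.kind}: ${result.message}`);
}
```

Mapping the description to a fixed message keeps untrusted query-string text out of the rendered page while still giving unverified users a specific instruction.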

For a demonstration, refer to the following video.

Send Verification Email Using Forms For Actions

The Forms For Actions feature has a template for the email verification process (a SendGrid account is required).
It sends a verification email every time the user logs in and the Form is invoked. It works even if the initial verification email expires.
Using Forms For Actions is the most straightforward approach for the email verification process.
