Change user email

Hello,

I updated a user’s email with
PATCH /api/v2/users/{id}

Auth0 Management API v2, #!/Users/patch_users_by_id

and received a verification email with a link.

At this step, if I do not click the verification link, I can’t use the old e-mail
because of a 429 response: “Your account has been blocked after multiple consecutive login attempts”.
I go to the user management console and that user is not blocked; the email was changed and is in pending verification status.

If, for example, I mistyped my new email in the previous step, how can I use the old one?

Sorry, but is there any out-of-the-box solution for it? It is a normal user flow and it should not have any workarounds.


Hi @alexander.spodin,

Thanks for reaching out to the Auth0 Community!

I understand that you are looking for a way to revert the user’s email address to your original email address.

To do so, you will need to update the user with the original email address by calling the Update a User endpoint.

Alternatively, you can accomplish the same results by changing the email address on the user profile page in the Auth0 Dashboard > User Management > Users > YOUR_USER and pressing the Actions > Change Email option.

In regards to your observations, I have tried the following:

  1. Update user’s email address to new email address
  2. Login using the new email address without verifying the new email address
  3. When trying to log in I received the Wrong email or password message.

And this is to be expected, and the correct error message. I could not get the brute force detection error message to throw, which reads Your account has been blocked after multiple consecutive login attempts.

If this error does occur, it most certainly involves Brute-Force Protection.

Hope this helps!

Please let me know if you have any other questions. I’d be happy to help.

Thank you.

Hi @rueben.tiow,

Thanks for the quick answer, I really appreciate this!

You did all 3 steps correctly, except for the expected result.
If I didn’t verify the email, I expect to use the old one and not get any wrong messages when logging in with the old one.

Imagine you are a user and you click change email on the website and submit the new one.
Then you realize that there is a mistake in the new address you typed, or you forgot the password for the new email, or you think it would be nice not to change it. Logically, you think you will not verify it and will use the old one. But when you try to log in, it returns an error. What will happen if the new address is mistyped?

So I made an API call to the update user endpoint, and after that I need to have the ability to log in with the old one, but when I verify it, the email should be changed and I can log in with the new email.

Please correct me if I am wrong, how does it work now? Maybe I misused the update user endpoint for the email update?

Thank you very much for the time spent on reading this.

Sorry to bother, but any updates about this?

Could you please tell me if I asked this question understandably?

We use Java on the back-end and React on the UI. Are any other details needed about this?

Any updates please?
Is my question understandable?

Hi @alexander.spodin,

Thanks for your response.

There are a couple of things here I’d like to point out. First, allowing users to change their email is not an option that they can self-serve. It is not a functionality that is available with Auth0 OOTB. Seeing that the only way is through some involvement of the Management API, then the scenario of the user being locked out is to be expected. A revert will be needed.

Second, a forgot password is an option that users can self-serve, so in that way, users who lock themselves out can retry the forgot password flow to regain access to their account as many times as needed (sparingly).

I found this “How to let users change their email? SAFELY” Community Post that addresses your scenario.

Please let me know if there’s anything else I can do to help.

Thank you.
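
The flow asked for in this thread (the old address keeps working until the new one is confirmed, and only then is `PATCH /api/v2/users/{id}` called) can be sketched as follows. This is an added example, not code from the thread or from Auth0; the token format, the function names, the secret and the choice to send `email_verified` in the same request body are assumptions of the sketch.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import quote

def _sign(payload: bytes, secret: bytes) -> bytes:
    # HMAC-SHA256 tag, base64url-encoded so it is safe inside a link
    return base64.urlsafe_b64encode(hmac.new(secret, payload, hashlib.sha256).digest())

def issue_change_token(user_id, new_email, secret, now=None, ttl=3600):
    """Build the token mailed to the NEW address. The Auth0 profile is not
    modified here, so logins with the old address are unaffected."""
    issued = int(time.time() if now is None else now)
    claims = {"uid": user_id, "email": new_email.strip().lower(), "exp": issued + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (payload + b"." + _sign(payload, secret)).decode()

def confirm_change(token, secret, now=None):
    """Check the token from the clicked link and return the Management API
    request to send. Raises ValueError if the link must be rejected."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = _sign(payload.encode(), secret)
    if not hmac.compare_digest(sig.encode(), expected):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return {
        "method": "PATCH",
        # user ids such as "auth0|..." contain "|", which must be URL-encoded
        "path": "/api/v2/users/" + quote(claims["uid"], safe=""),
        # assumption: the app proved ownership itself, so it marks the address verified
        "body": {"email": claims["email"], "email_verified": True},
    }

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"      # constructed value
    link_token = issue_change_token("auth0|abc123", "new@example.com", SECRET)
    print(confirm_change(link_token, SECRET))
```

If the user never clicks the link, or mistyped the new address, nothing is sent to the Management API and the original email stays in place.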
