On this step, if I do not click the verification link, I can’t use the old e-mail
because of a 429 response: “Your account has been blocked after multiple consecutive login attempts”.
I go to the User Management console and that user is not blocked; the email was changed and is in pending verification status.
If, for example, I mistyped my new email on the previous step, how can I use the old one?
Sorry, but is there any out-of-the-box solution for it? It is a normal user flow and it should not have any workarounds.
I understand that you are looking for a way to revert the user’s email address to your original email address.
To do so, you will need to update the user with the original email address by calling the Update a User endpoint.
Alternatively, you can accomplish the same results by changing the email address on the user profile page in the Auth0 Dashboard > User Management > Users > YOUR_USER and pressing the Actions > Change Email option.
With regard to your observations, I have tried the following:
Update the user’s email address to the new email address
Log in using the new email address without verifying the new email address
When trying to log in, I received the Wrong email or password message.
And this is to be expected, and is the correct error message. I could not get the brute force detection error message to throw, which reads Your account has been blocked after multiple consecutive login attempts.
Thanks for the quick answer, I really appreciate this!
You did all 3 steps correctly, except for the expected result.
If I didn’t verify the email, I expect to use the old one and not get any error messages when logging in with the old one.
Imagine you are a user and click change email on the website and submit the new one.
Then you realize that there is a mistake in typing the new address, or you forgot the password for the new email, or you thought it would be nice not to change it. Logically, you thought you would not verify it and would use the old one. But when you try to log in, it returns an error. What will happen if the new address is mistyped?
So I made an API call to the update user endpoint, and after that I need to have the ability to log in with the old one; but when I verify it, the email should be changed and I can log in with the new email.
Please correct me if I am wrong: how does it work now? Maybe I misused the update user endpoint for the email update?
Thank you very much for the time spent on reading this.
There are a couple of things here I’d like to point out. First, allowing users to change their email is not an option that they can self-serve. It is not a functionality that is available with Auth0 OOTB. Seeing that the only way is through some involvement of the Management API, the scenario of the user being locked out is to be expected. A revert will be needed.
Second, forgot password is an option that users can self-serve, so users who lock themselves out can retry the forgot password flow to regain access to their account as many times as needed (sparingly).
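The revert both answers describe (restoring the original address with the Management API “Update a User” endpoint, PATCH /api/v2/users/{id}) looks like the following. This is an added example, not code from the thread or from Auth0; the tenant domain, Management API token, user ID and addresses are constructed placeholders, and the connection name “Username-Password-Authentication” is assumed to be the tenant’s database connection. The HTTP transport is injectable so the logic can be exercised offline with a fake; the user ID is percent-encoded because Auth0 IDs contain a `|`.

```python
"""Revert a user's email address through the Auth0 Management API
"Update a User" endpoint (PATCH /api/v2/users/{id}).

Assumptions (not from the thread): the caller already holds a Management API
token with the update:users scope, and the user lives in the default
"Username-Password-Authentication" database connection.
"""
import json
import urllib.parse
import urllib.request


def build_revert_request(domain, mgmt_token, user_id, original_email,
                         connection="Username-Password-Authentication"):
    """Build the PATCH request that puts the original email back.

    `connection` is required by the endpoint whenever `email` is updated.
    `verify_email: False` avoids sending a fresh verification mail for an
    address the user already proved ownership of.
    """
    # Auth0 user IDs look like "auth0|abc123"; the "|" must be escaped in the path.
    url = "https://%s/api/v2/users/%s" % (domain, urllib.parse.quote(user_id, safe=""))
    payload = {
        "email": original_email,
        "connection": connection,
        "verify_email": False,
    }
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                 method="PATCH")
    req.add_header("Authorization", "Bearer " + mgmt_token)
    req.add_header("Content-Type", "application/json")
    return req


def request_payload(req):
    """Decode the JSON body of a prepared request (handy for inspection/tests)."""
    return json.loads(req.data.decode("utf-8"))


def http_send(req):
    """Real transport: send the request and parse the JSON user object."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def revert_user_email(domain, mgmt_token, user_id, original_email,
                      transport=http_send, **kwargs):
    """Revert the address and check the API actually applied it.

    Returns the updated user object from the Management API. Raises
    RuntimeError if the response does not carry the original address, so a
    silent no-op (wrong connection, stale user id) is not mistaken for success.
    """
    req = build_revert_request(domain, mgmt_token, user_id, original_email, **kwargs)
    user = transport(req)
    if user.get("email") != original_email:
        raise RuntimeError("email not reverted: API returned %r" % user.get("email"))
    return user


if __name__ == "__main__":
    # Offline demo with a constructed fake transport that echoes the request.
    def fake_transport(req):
        sent = request_payload(req)
        return {"user_id": "auth0|abc123", "email": sent["email"], "email_verified": True}

    print(revert_user_email("example-tenant.auth0.com", "MGMT_TOKEN_PLACEHOLDER",
                            "auth0|abc123", "old@example.com",
                            transport=fake_transport))
```

Replace `fake_transport` with the default `http_send` against a real tenant; the check on the returned `email` field is what tells you the revert took effect before you tell the user to log in with the old address again.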