And I have the “verification email after login” in email templates activated with a redirect. This email is sent automatically and it works well.
However, I want to provide a button to resend the email in case it didn’t work or it’s expired. For that, I use the Management API (node-auth0 package) to do something like this:
    const auth0 = new Auth0ManagementService()
    await auth0.sendEmailVerification({
      user_id: user.user_id,
    })
This works well since it sends the email again with a new link.
The problem is that, after clicking that link from this second email, it shows this error page:
The email is actually verified when I check it in the dashboard so I have no idea why this error page is shown.
Ideally, it should verify the email and redirect to the same url that I specified in the email template. Or, at least, it should show the default “Your email was verified” screen.
It’s a similar problem to the one a few users recently reported. We’re already investigating that. I will let you know once we have some details to share!
A quick update on this issue: I’ve been working closely with @alonza.spain, inspecting the requests coming to our service. I can confirm that the (admittedly confusing) error message is displayed when there is more than one request to the verification URL. The first request succeeds (and thus the email is marked as verified) but subsequent ones fail (the “ticket” created is no longer valid) and this error is displayed.
A user clicking twice on the link would be the easiest explanation, but I’m not convinced this is happening in all cases. I initially thought that some email clients or providers might be following the link to do some kind of malware analysis, but could not reproduce a behavior like this. If anyone has found a way to reproduce this behavior without just clicking twice on the link, I’d be curious to know.
In the meantime, I’ll suggest to our Product team that they think of better ways of improving the handling of this scenario.
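The single-use ticket behaviour described in this update, as an added model that is not Auth0's code and not from any poster: with strict handling the second request to the same URL gets the error page even though the first one verified the email, while a handler that tolerates replays for an already-verified user can show a success page instead. `TicketStore`, `redeem` and the outcome strings are hypothetical names, and the user id is constructed.

```javascript
// Added example: a model of single-use verification tickets, not Auth0 code.
const crypto = require('crypto');

class TicketStore {
  constructor({ tolerateReplay }) {
    this.tolerateReplay = tolerateReplay;
    this.tickets = new Map();  // ticket id -> { userId, used }
    this.verified = new Set(); // user ids whose email is verified
  }

  // Issue a fresh, unguessable ticket (what a "resend" request would trigger).
  issue(userId) {
    const id = crypto.randomBytes(16).toString('hex');
    this.tickets.set(id, { userId, used: false });
    return id;
  }

  // Handle one request to the verification URL.
  redeem(id) {
    const ticket = this.tickets.get(id);
    if (!ticket) return 'error'; // unknown ticket: always an error
    if (!ticket.used) {
      ticket.used = true;        // single use: consumed by the first request
      this.verified.add(ticket.userId);
      return 'verified';
    }
    // Replay of a consumed ticket. The user is already verified, so a
    // tolerant handler can say so without granting anything new.
    if (this.tolerateReplay && this.verified.has(ticket.userId)) {
      return 'already_verified';
    }
    return 'error';              // strict handling: the page seen in this thread
  }
}

// First request, second request to the same URL, and a made-up ticket id.
function simulate(tolerateReplay) {
  const store = new TicketStore({ tolerateReplay });
  const id = store.issue('constructed-user-1');
  return [store.redeem(id), store.redeem(id), store.redeem('not-a-ticket')];
}

console.log('strict:  ', simulate(false));
console.log('tolerant:', simulate(true));
```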
If anyone has found a way to reproduce this behavior without just clicking twice on the link
Maybe I’m misunderstanding what you mean but I think I already provided a way to reproduce this in the original post.
The first verification email is automatically sent by Auth0, and that works well.
If users try to log in to our app but the email is still unverified, we redirect to a screen showing “Please check your inbox and click the link we sent you” (using “Force email verification” rule).
However, since we can’t be sure they actually got the email or not (or maybe they waited too long and it expired), we also provide a UI button in this screen that users can click to resend the verification email again.
This button makes a request to our backend and uses the management API (auth0.sendEmailVerification). They get a new email with a (new?) link, but this link shows the mentioned error even though it actually verifies their email.
I’m having the same issue. It happens when using the “force email verification Rule”, the default one provided by the template. So a user gets a mail and when clicking the URL, the email is actually being verified but an error appears. Looking at the Real-time Webtask Logs extension (attached image) I can see that two webtask rules are being applied, which may be the culprit… Let me know what you think.
    function (user, context, callback) {
      // Already verified: let the login continue.
      if (!!user.email_verified) {
        return callback(null, user, context);
      }
      const ManagementClient = require('auth0@2.24.0').ManagementClient;
      const management = new ManagementClient({
        token: auth0.accessToken,
        domain: auth0.domain
      });
      const emailVerificationParams = {
        user_id: user.user_id,
        client_id: context.clientID,
      };
      // Send a new verification email, then reject the login. The rule callback
      // is invoked exactly once, after the send has finished.
      management.sendEmailVerification(emailVerificationParams, function (err) {
        if (err) {
          return callback(err);
        }
        return callback(new UnauthorizedError('Please verify your email before logging in. An email has been sent to you with instructions. After verifying please logout and login again.'));
      });
    }
Thought about a workaround by passing the client_id as the params in order to redirect the user to the application URI and login instead of seeing the error message, but the URL query params are as follows, with no state param:
/?supportSignUp=false&supportForgotPassword=false&email=tal.auth%40mycompany.ai&message=Your%20email%20was%20verified.%20You%20can%20continue%20using%20the%20application.&success=true&code=success#
In the email template, if you delete the Redirect To attribute, then it will work as expected. This is an Auth0 bug. Please fix it @dan.woda
This is the final code for the verification enforcement + automatic verification email send on login:
    function (user, context, callback) {
      // Already verified: let the login continue.
      if (!!user.email_verified) {
        return callback(null, user, context);
      }
      const ManagementClient = require('auth0@2.24.0').ManagementClient;
      const management = new ManagementClient({
        token: auth0.accessToken,
        domain: auth0.domain
      });
      const emailVerificationParams = {
        user_id: user.user_id,
        client_id: context.clientID,
      };
      // Send a new verification email, then reject the login. The rule callback
      // is invoked exactly once, after the send has finished.
      management.sendEmailVerification(emailVerificationParams, function (err) {
        if (err) {
          return callback(err);
        }
        return callback(new UnauthorizedError('Please verify your email before logging in. An email has been sent to you with instructions. After verifying please logout and login again.'));
      });
    }
I believe I am also seeing this problem. We have seen several occurrences, across different email providers and users, whereby the user is confident they only clicked the link once, but they get the above error message. When checking the logs in Auth0 you can see a successful verification, but then subsequent failure entries in relatively quick succession e.g.
The verification failure log entries contain nothing useful - “unknown error”, our assumption is they are due to the email already being verified, but nothing actually states that.
This is causing a lot of headaches for us. Are there any insights into a fix or workaround for this?
I have a similar issue. We currently use a simple manual process for signing up users.
In the past, we would create a user in manage portal and they would automatically be sent a verification email and sit with verification pending until they clicked the link in the email. Email templates are unchanged from the default.
As of some time in the past few months we have been getting complaints of new users being sent to the error page shown above when clicking the verification link for the first time. For a time I assumed they must have inadvertently been clicking more than once on the link, but after a time of every user complaining of the same problem I ran a test by signing up a colleague and asking they not click the verification link.
It turns out within about 10 seconds of signup, the logs showed a successful verification, despite never clicking the verification link. Going back over all recent signups I found the same pattern of successful verification within 5-10 seconds of signup.
Of course, this had the effect that the subsequent attempt to verify by the user clicking the link resulted in the error page. My only option at the moment is to disable the email verification template until this is sorted.
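The log pattern reported in the last two posts (a successful verification within seconds of the email going out, then a failure when the user clicks), as an added triage example that is not code from any poster or from Auth0. The event records are constructed and simplified rather than Auth0's log schema, and the names `classifyVerifications`, `email_sent`, `verify_success`, `verify_failure` and the 15-second threshold are assumptions.

```javascript
// Constructed, simplified log records (not Auth0's log schema).
const SAMPLE_EVENTS = [
  { t: '2021-03-01T10:00:00Z', user: 'user-a', type: 'email_sent' },
  { t: '2021-03-01T10:00:07Z', user: 'user-a', type: 'verify_success' },
  { t: '2021-03-01T10:04:30Z', user: 'user-a', type: 'verify_failure' },
  { t: '2021-03-01T11:00:00Z', user: 'user-b', type: 'email_sent' },
  { t: '2021-03-01T11:03:10Z', user: 'user-b', type: 'verify_success' },
  { t: '2021-03-01T11:03:11Z', user: 'user-b', type: 'verify_failure' },
  { t: '2021-03-01T12:00:00Z', user: 'user-c', type: 'email_sent' },
  { t: '2021-03-01T12:09:00Z', user: 'user-c', type: 'verify_success' },
];

// Classify each user's most recent verification email:
//   likely_auto_followed - link consumed within autoFollowSeconds of sending
//   repeat_request       - plausible human delay, but followed by failures
//   clean                - one success, no failures
//   pending              - email sent, nothing redeemed yet
function classifyVerifications(events, autoFollowSeconds = 15) {
  const sorted = [...events].sort((a, b) => Date.parse(a.t) - Date.parse(b.t));
  const state = new Map(); // user -> { sentAt, successAt, failures }
  for (const e of sorted) {
    const at = Date.parse(e.t);
    if (e.type === 'email_sent') {
      // A resend starts a new window for that user.
      state.set(e.user, { sentAt: at, successAt: null, failures: 0 });
      continue;
    }
    const s = state.get(e.user);
    if (!s) continue; // verification event with no known send: ignore
    if (e.type === 'verify_success' && s.successAt === null) s.successAt = at;
    if (e.type === 'verify_failure' && s.successAt !== null) s.failures += 1;
  }
  const report = {};
  for (const [user, s] of state) {
    if (s.successAt === null) { report[user] = 'pending'; continue; }
    const delaySeconds = (s.successAt - s.sentAt) / 1000;
    if (delaySeconds <= autoFollowSeconds) report[user] = 'likely_auto_followed';
    else if (s.failures > 0) report[user] = 'repeat_request';
    else report[user] = 'clean';
  }
  return report;
}

console.log(classifyVerifications(SAMPLE_EVENTS));
```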