Auth0 Home Blog Docs

Email verification link works but shows error page

Hi! I’m having a weird problem with the email verifications.

I have a rule to force email verification like this:

And I have the “verification email after login” in email templates activated with a redirect. This email is sent automatically and it works well.

However, I want to provide a button to resend the email in case it didn’t work or it’s expired. For that, I use the Management API (node-auth0 package) to do something like this:

const auth0 = new Auth0ManagementService()
await auth0.sendEmailVerification({
  user_id: user.user_id,
})

This works well since it sends the email again with a new link.
The problem is that, after clicking that link from this second email, it shows this error page:

The email is actually verified when I check it in the dashboard so I have no idea why this error page is shown.

Ideally, it should verify the email and redirect to the same url that I specified in the email template. Or, at least, it should show the default “Your email was verified” screen.

Any idea? Thanks!

1 Like

Hey there!

It’s a similar problem to the one a few users recently reported. We’re already investigating that. I will let you know once we have some details to share!

2 Likes

Yes, I am having the same issue. I will follow this post for updates

2 Likes

Sure! Will let you know once I have any updates!

Is there any update on this issue. This is still impacting our users.

A quick update on this issue: I’ve been working closely with @alonza.spain, inspecting the requests coming to our service. I can confirm that the (admittedly confusing) error message is displayed when there is more than one request to the verification URL. The first requests succeeds (and thus the email is marked as verified) but subsequent ones fail (the “ticket” created is no longer valid) and this error is displayed.
A user clicking twice on the link would be the easiest explanation, but I’m not convinced this is happening on all cases. I initially thought that some email clients or providers might be following the link to do some kind of malware analysis, but could not reproduce a behavior like this. If anyone has found a way to reproduce this behaviors without just clicking twice on the link, I’d be curious to know.

In the meantime, I’ll suggest our Product team to think of better ways of improving the handling of this scenario.

1 Like

If anyone has found a way to reproduce this behaviors without just clicking twice on the link

Maybe I’m misunderstanding what you mean but I think I already provided a way to reproduce this in the original post.

The first verification email is automatically sent by Auth0, and that works well.
If users try to login into our app but the email is still unverified, we redirect to a screen showing “Please check your inbox and click the link we sent you” (using “Force email verification” rule).
However, since we can’t be sure they actually got the email or not (or maybe they waited too long and it expired), we also provide a UI button in this screen that users can click to resend the verification email again.

This button makes a request to our backend and uses the management API (auth0.sendEmailVerification). They get a new email with a (new?) link, but this link shows the mentioned error even though it actually verifies their email.

@nicolas_sabena Let me know if yo need anything else.

Thanks!