I’m trying to achieve a setup where users create an account using email/password and then verify their email address using a one-time password, using a custom UI.
My initial approach was to hit the /dbconnections/signup route passing connection: email. On successful account creation, I would hit /passwordless/start passing connection: email. And then finally authenticate the user with their OTP, which sets the user record’s email_verified property to true.
What I found when trying to set this up is that upon creation of a user via the /signup route, Auth0 automatically sends an email verification / authentication link to the email address used.
Is there any way to configure this so that it sends a code instead of a link?
I don’t want to force MFA for every authentication; I just want to use a code instead of a link for the one-time email verification. Can this be achieved through a rule or something?
At the moment we only support email verification via a code, not a link. When users click the link the email would be verified. This is a very good idea, though, and I recommend that you reach out to our Product team directly here, to let them know about this: Auth0: Secure access for everyone. But not just anyone.
To go at this from a different angle, how might I disable the automatic email that gets sent upon user creation? When I post to the /signup/ route, upon successful user creation, an email gets sent to the user with a magic link and message saying it expires within 3 hours. I don’t have any rules in place to facilitate this, so I assume it’s default behavior. Can that behavior be changed?
Just closing the loop on this for posterity’s sake.
What seems obvious to me now but didn’t when I posted this is that the user created by specifying connection: 'email' cannot ever be logged in with a username/password. The endpoint accepts those values but they are disregarded when the connection is set to ‘email.’ So my ideal flow was never going to work. I have resorted to using the new Universal Hosted Login experience.