- It is a SPA
- Using email / password login (not social like Google …)
- There is a user who is already logged in, and the person’s email is already verified
- The user wants to change the email because the person doesn’t have access to the email account anymore
- There is a link “change your email” on the website
- User enters a new email address + login password to protect from account squatting
- User gets an email verification to that new address
- After verifying the new email address, finally update user’s email via https://auth0.com/docs/api/management/v2?&_ga=2.193962989.1506827512.1587438711-338118595.1586839354#!/Users/patch_users_by_id
If I simply change their email upon their request, the new email can be something different from what they think they own (e.g. mistyping can happen: firstname.lastname@example.org => email@example.com).
As a result they don’t get emails from us, and/or they can’t log in with the new email address (they try to log in with firstname.lastname@example.org when it’s registered as email@example.com).
If I don’t ask them for their password, somebody who gets access to the website can just take over the account (e.g. people don’t always intentionally log out every time they leave the computer - they may just close the browser).
The steps would be
- somebody opens the website where the user’s credentials are still valid, without needing the password
- goes to “change your email” and finishes verifying the email
- goes to the login page, and clicks “forgot your password” to reset the password
As far as I searched, Auth0.com doesn’t provide this kind of mechanism out of the box.
The parts I am having trouble trying to figure out are …
- entering a new email that can later link to the login user
- letting them type in the correct password before adding a new email
Auth0.com itself doesn’t let users change their email at all. Instead, it asks the user to add a new administrator, and delete the old one … so is this even possible with Auth0?
I found these related posts, but they don’t cover my scenario.
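One way to implement the flow the question describes, as an added example that is not from the original post or from Auth0: the password is re-checked before a change is recorded, the new address is bound to the logged-in user by a single-use, expiring link token, and only a click from the new mailbox triggers the user update. `check_password` and `patch_user` are hypothetical callbacks standing in for the password check and the Management API `PATCH /api/v2/users/{id}` call; `TOKEN_TTL` is an assumed value.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 3600  # seconds the verification link stays valid (assumed value)


@dataclass
class PendingChange:
    user_id: str      # the logged-in user who requested the change
    new_email: str    # the unverified address they typed
    expires_at: float


# Constructed in-memory store keyed by the SHA-256 of the link token; a real
# service would persist this (a DB table or user_metadata) instead.
pending: dict[str, PendingChange] = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def start_email_change(user_id, new_email, password, check_password, now=None):
    """Step 1: the logged-in user types the new email plus their password.

    check_password(user_id, password) -> bool is a hypothetical callback that
    re-authenticates the user; it is the guard against someone who only found
    a still-open browser session."""
    if not check_password(user_id, password):
        raise PermissionError("password re-authentication failed")
    token = secrets.token_urlsafe(32)
    expires_at = (now if now is not None else time.time()) + TOKEN_TTL
    pending[_token_hash(token)] = PendingChange(user_id, new_email.strip(), expires_at)
    return token  # embed in the verification link mailed to new_email only


def complete_email_change(token, session_user_id, patch_user, now=None):
    """Step 2: the user clicks the link from the new mailbox while logged in.

    patch_user(user_id, body) is a hypothetical callback wrapping the
    Management API PATCH /api/v2/users/{id} request from the post."""
    change = pending.pop(_token_hash(token), None)  # single use
    if change is None or (now if now is not None else time.time()) > change.expires_at:
        return False
    if change.user_id != session_user_id:  # link must belong to this login
        return False
    patch_user(change.user_id, {"email": change.new_email, "email_verified": True})
    return True
```

Because the pending record is created only after the password check and is tied to the requesting user id, a verification link cannot be redeemed from a different login, reused, or used after it expires.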