How to let users change their email? SAFELY

scenario

  1. It is a SPA
  2. Using email / password login (not social like Google …)
  3. There is a user who is already logged in, and the person’s email is already verified
  4. The user wants to change the email because the person doesn’t have access to the email account anymore
  5. There is a link “change your email” on the website
  6. User enters a new email address + login password to protect from account squatting
  7. User gets an email verification to that new address
  8. After verifying the new email address, finally update user’s email via https://auth0.com/docs/api/management/v2?&_ga=2.193962989.1506827512.1587438711-338118595.1586839354#!/Users/patch_users_by_id

If I simply change their email upon their request, the new email can be something different from what they think they own. (e.g. mis-typing can happen abc@example.com => abd@example.com)
As a result, they don’t get emails from us, and/or they can’t log in with the new email address (they try to log in with abc@example.com when it’s registered with abd@example.com).

If I don’t ask them for their password, somebody who gets access to the website can just take over the account. (e.g. people don’t always intentionally log out every time they leave the computer - they may just close the browser)

The steps would be

  1. somebody opens the website where its credentials are still valid without password
  2. goes to “change your email” and finishes verifying the email
  3. goes to the login page, and clicks “forgot your password” to reset the password

As far as I searched, Auth0.com doesn’t provide this kind of mechanism out of the box.

The parts I am having trouble trying to figure out are …

  1. entering a new email that can later link to the login user
  2. letting them type in correct password before adding a new email

Auth0.com itself doesn’t let users change their email at all. Instead, it asks the user to add a new administrator, and delete the old one … so is this even possible with Auth0?


I found these related posts, but they don’t cover my scenario.


  1. entering a new email that can later link to the login user

For this one, maybe I can simply send a random ID to the new email a user enters. When the user enters the same ID on the website, the server can simply use PATCH /api/v2/users/{id} to update the email? I guess.

  1. user clicks “change your email”
  2. browser shows an input for a new email
  3. user enters a new email
  4. browser generates ID, and sends a signal to the server, so it sends an email with the ID
  5. user opens the email and finds the ID
  6. user comes back to the browser and enters the ID
  7. when the ID matches, send a signal to the server so it changes the user’s email

But I am still left with the password protection on actually changing the email.
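
The flow described in the post, sketched as an added example that is not part of the original post and not Auth0's own code: the password is re-checked before a code is issued, and the code is generated and checked on the server and bound to the logged-in user. `EmailChangeFlow` and its three hooks (`verify_password`, `send_email`, `update_email`) are hypothetical names, and the lifetime and attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed code lifetime
MAX_ATTEMPTS = 5         # assumed guess limit per pending request


class EmailChangeFlow:
    """Server-side state for one pending email change per user (in-memory for the demo)."""

    def __init__(self, verify_password, send_email, update_email, now=time.time):
        # All three callables are hypothetical hooks: verify_password re-checks the
        # login password, send_email mails the code, update_email performs the
        # PATCH /api/v2/users/{id} call mentioned in the post.
        self._verify_password = verify_password
        self._send_email = send_email
        self._update_email = update_email
        self._now = now
        self._pending = {}

    def request_change(self, user_id, password, new_email):
        # user_id must come from the validated session or token, never the request body.
        if not self._verify_password(user_id, password):
            return False
        code = secrets.token_urlsafe(16)  # generated on the server, not in the browser
        self._pending[user_id] = {
            "new_email": new_email,
            "code_hash": hashlib.sha256(code.encode()).digest(),  # store only the hash
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_email(new_email, code)
        return True

    def confirm_change(self, user_id, code):
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(supplied, entry["code_hash"]):
            return False
        del self._pending[user_id]  # single use: a replayed code finds no entry
        self._update_email(user_id, entry["new_email"])
        return True
```

Because the email is only updated after the code mailed to the new address comes back, a mistyped address never replaces the verified one, and an unattended session cannot start the change without the password.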