I created a post-login action that triggers the resend of the verification email when a non-verified user logs in.
This is the code of the action (though I don’t think it is relevant):
```js
exports.onExecutePostLogin = async (event, api) => {
  const { user } = event;
  if (user.email_verified) {
    return;
  }

  const { ManagementClient } = require("auth0");
  const client = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.clientId,
    clientSecret: event.secrets.clientSecret,
  });

  // The first time the user signs in, they can't have `verification_sent_at` in metadata;
  // So, I can use this fact to determine this is the first sign-in and interrupt the action execution with an early exit.
  // .. but just before that I store `verification_sent_at` in the metadata, so next time it will be there.
  const verificationSent = user.user_metadata.verification_sent_at;
  if (!verificationSent) {
    console.log("First sign-in for", user.email);
    await client.updateUserMetadata(
      { id: user.user_id },
      { verification_sent_at: Date.now() }
    );
    return;
  }

  console.log("New sign-in for", user.email);

  // If execution reaches this point, it means the current user is a user who already signed in in the past,
  // but didn't yet verify their email.
  // In such a case I want to send the verification email again, but only if `verification_sent_at` is older than the
  // time the link in the verification email remains valid.
  const ttlVerificationLink = 1000 * 60 * 60 * 24 * 5; // 5 days, in milliseconds
  const sentAt = Number(verificationSent);
  const now = Date.now();
  const isLinkExpired = now - sentAt > ttlVerificationLink;

  if (isLinkExpired) {
    // Resend the verification email
    await client.sendEmailVerification({ user_id: user.user_id });
    // Reset the `verification_sent_at` metadata
    await client.updateUserMetadata(
      { id: user.user_id },
      { verification_sent_at: Date.now() }
    );
    console.log("Verification email resent for user:", user.email);
  } else {
    console.log(
      "Current verification email is still valid, sent at",
      verificationSent
    );
  }
};
```
The code above seems to work fine - I receive the email as expected, only when a non-verified user logs in.
The problem is when I click the verification link contained in the email.
In fact, instead of being redirected to `{{ application.callback_domain }}/api/auth/verify-email`, the URL I configured in “Branding / Email Templates / Redirect To”, I get the error below:
What seems even weirder to me is that, despite the error, when I inspect “User Management / Users / Raw JSON” the user now appears as verified: `"email_verified": true`.
I added some logs on my side, and can confirm the endpoint `{{ application.callback_domain }}/api/auth/verify-email` is never called.
Another thing worth mentioning is that if I create a new account, and verify it using the first email automatically sent by Auth0, everything works fine.
Any idea what’s going on?