The user sign-up procedure is detailed below:
- A user fills out an email address and password on the Sign up page.
- A new user account is created in the Auth0 database.
- A verification email is sent to the provided email address.
- The user clicks the link in the Verification email.
- The user’s `is_email_verified` is set to true.
If a malicious user uses someone else’s email address in the first step, an account will be created without any consent.
I understand that the Verification email is implemented as a safeguard against such malicious activities.
However, regardless of whether the user clicks the link in the Verification email, an account will be created in Auth0.
Creating accounts unilaterally, regardless of user consent, is a high-risk design that could lead to serious security vulnerabilities.
Ideally, accounts should only be created once the user clicks the link in the Verification email.
Is it possible?
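To make the two designs concrete, here is an added in-memory model written for this page; it is not Auth0's code and does not use the Auth0 API. `CreateThenVerify` mirrors the flow described in the post (the account row exists as soon as the form is submitted, and the link only flips `is_email_verified`). `VerifyThenCreate` is the alternative the post asks for: the submission is parked in a pending store keyed by the hash of a random token, and the account is created only when the link is clicked. The token lifetime, the hashing parameters and the `outbox` list standing in for the mail service are all assumptions.

```python
"""Sign-up flows modelled side by side (hypothetical, in-memory; not Auth0 code)."""
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumption: verification links expire after one hour


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt (parameters are an assumption)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def token_key(token: str) -> str:
    """Store only a hash of the emailed token so a leaked store cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class CreateThenVerify:
    """The flow in the post: the account exists before the link is clicked."""

    def __init__(self):
        self.accounts = {}  # email -> {"password_hash", "is_email_verified", "verify_token"}
        self.outbox = []    # (email, token): constructed stand-in for the mail service

    def sign_up(self, email: str, password: str) -> Optional[str]:
        if email in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        # Account row is written immediately, with the flag unset.
        self.accounts[email] = {"password_hash": hash_password(password),
                                "is_email_verified": False,
                                "verify_token": token_key(token)}
        self.outbox.append((email, token))
        return token

    def confirm(self, token: str) -> Optional[str]:
        key = token_key(token)
        for email, acct in self.accounts.items():
            if acct.get("verify_token") == key:
                acct["is_email_verified"] = True
                acct.pop("verify_token")
                return email
        return None


class VerifyThenCreate:
    """Alternative: nothing is written to the account table until the link is clicked."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self.pending = {}   # token_key -> (email, password_hash, expires_at)
        self.accounts = {}  # email -> {"password_hash", "is_email_verified"}
        self.outbox = []    # (email, token): constructed stand-in for the mail service

    def sign_up(self, email: str, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if email not in self.accounts:
            token = secrets.token_urlsafe(32)
            self.pending[token_key(token)] = (email, hash_password(password), now + self.ttl)
            self.outbox.append((email, token))
        # Same response whether or not the address is already registered,
        # so the form does not reveal which emails have accounts.
        return "check your inbox"

    def confirm(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self.pending.pop(token_key(token), None)  # single use
        if entry is None:
            return None
        email, password_hash, expires_at = entry
        # Reject expired links and re-check the address, since the real owner
        # may have completed their own registration in the meantime.
        if now > expires_at or email in self.accounts:
            return None
        self.accounts[email] = {"password_hash": password_hash, "is_email_verified": True}
        return email
```

With `VerifyThenCreate`, an attacker who submits someone else's address never produces an account row; they only produce a pending entry that expires on its own. Note that this does not stop the attacker from triggering verification emails to the victim, so rate limiting per address and per source still belongs in front of `sign_up`.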