Verification emails only work once; generates error on second use

When a user creates an account, we send a verification email with the URL to verify. We follow the documentation here for the return values:

That was working fine for a while, and now it doesn’t work as documented. The first time the user clicks the verification URL, it works without issue returning

/email_verified?supportSignUp=true&supportForgotPassword=true&message=Your%20email%20was%20verified.%20You%20can%20continue%20using%20the%20application.&success=true&code=success

If the user clicks on the same URL again, the documentation link above indicates it should be giving success or failure and a message, but that no longer happens. Instead, the call to

https://auth.mydomain.com/u/email-verification?ticket=v3oORyyWXaUqxW3EQhENF0yeFMzSKDWR#
Request Method: GET

returns
Status Code: 200
but it now has a “preview” showing

Error
Your email address could not be verified.

Back to

and this error is then shown to the user. Why is success and the message parameter no longer being provided? This seems like an Auth0 bug.

1 Like

Hi @chris.bohn ,

I understand that when the user clicks on the link the 2nd time, the error message they get is confusing. That is the expected behavior currently. Please feel free to communicate your concern with our Product team directly via the feedback page.

Thanks!

How is that the expected behavior when it doesn’t match the documentation - Email Template Descriptions

AND it didn’t work like this even a few months ago?

1 Like

Hi @chris.bohn ,

What I meant to say is that as of the current design re-using the verification link will lead to the “Your email address could not be verified” error. If a user receives a new verification link, they will get the “This account is already verified.” message when clicking on the new link.

I am not aware of any recent changes regarding re-using the verification link. Could you please let me know where in this doc has the mismatch? I want to pass your feedback to our Doc team to avoid confusion in the future.

Thank you!

Hi @lihua.zhang,

We are experiencing the same issue. Users seems to be shown the error page, because the email is being marked as verified by a link-scanning service issuing a GET request to the link before the user even gets to the message to click on it.

Hi @qkrenzien,

Welcome to the Auth0 Community!

There is a featured flag that our Product Support team can help you with enabling it to remediate the impact of the link scanning software automatically verifying the user email address. I am happy to create it on your behalf if you like. Please let me know. Thanks!

Hi @lihua.zhang

I did some more testing and can see that scanners pre-clicking links likely not the issue here. It’s likely that a user is clicking the registration link and then not completing the rest of their password setup within our application. So now the only way back to our site is to click the registration link again. Upon doing so they receive the generic error message described by the OP instead of getting redirect to us where we can detect that and provide the user with a better set of next steps.

@lihua.zhang The doc has mismatches here - basically, where we previously could click the same link a second time and get - as documented - This account is already verified. (with success=false) - that doesn’t work now. None of those messages appear in the documentation except the very first one (the first time the URL is used). That is definitely a change in behavior.

Thank you @chris.bohn for providing additional details.

I have passed your feedback on to our documentation team. Also, I am confirming with our internal team if any recent changes in the email verification feature. Please stay tuned for the updates.

1 Like

+1 in the issue. This is definitely a change in auth0 behavior. We observed this change on Oct 7th.
When clicking on re-verification link, we are seeing the Your email address could not be verified. message. This was not the behavior before.

+1 we’ve also noticed this recent change in behaviour and would like to see it fixed with some urgency.

1 Like

@lihua.zhang Is there any update on this? It seems many customers have noticed this unexpected and unannounced change. Collectively it seems we agree this needs to be reverted back to the previous behavior.

Hi @chris.bohn ,

I am confirming with our engineering team on this issue and will provide updates soon. Appreciate your patience meantime.

I received updates from our Engineering team. They are working on the fix. I am waiting on the ETA and will let you know. Appreciate your continued patience :pray:

2 Likes

Thank you @lihua.zhang

Cheers @lihua.zhang - appreciated.

@lihua.zhang Any update on the timing of the fix?

I just followed up with our engineering team for updates and will keep you posted soon.

2 Likes

We are facing the same issue as well. In the meantime, is there any workaround for this?

a recent SF ticket for the same issue https://auth0.lightning.force.com/lightning/r/Case/5001G000015v9qQQAQ/view