
Verify user email with password reset rule



I was considering using this rule to cut out a step in my user creation flow. It works as intended the first time a user is created, but I think it can create problems with later email verification if the email associated with the user is changed.

  1. User is created, password is reset (so last_password_reset is set)

  2. Suppose the user updates his email after creation (email_verified = false, email is changed)

  3. Email verification ticket/email is sent

  4. User ignores the email from step 2 and logs in
    -> Rule marks the email as verified (since last_password_reset is set and email_verified is false) but it is not

If I am correct, I am looking for a simple way to fix this or at least this case should be cited in the documentation.
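
The sequence described in the post, replayed as an added example (not part of the original post and not Auth0's rule source). `ruleAsDescribed` models only the condition the post states. `ruleWithChangeCheck` assumes a hypothetical `app_metadata.email_changed_at` timestamp that the application itself would have to write on every email change. The user object and dates are constructed.

```javascript
// Condition as stated in the post: a password reset happened at some point
// and the email is currently unverified.
function ruleAsDescribed(user) {
  return !user.email_verified && Boolean(user.last_password_reset);
}

// Stricter variant: a reset only proves control of the address that was on
// the account when the reset happened, so it must be newer than the last
// email change. email_changed_at is a hypothetical field (assumption).
function ruleWithChangeCheck(user) {
  if (user.email_verified || !user.last_password_reset) return false;
  const changedAt = (user.app_metadata || {}).email_changed_at;
  if (!changedAt) return true; // email never changed since creation
  return Date.parse(user.last_password_reset) > Date.parse(changedAt);
}

// Replays the steps from the post and records, at each login, whether the
// given predicate would mark the email as verified.
function replayScenario(shouldVerify) {
  const user = { email: 'old@example.com', email_verified: false, app_metadata: {} };
  const decisions = [];

  // Step 1: user created, password reset completed.
  user.last_password_reset = '2024-01-01T10:00:00.000Z';
  decisions.push(shouldVerify(user)); // first login
  user.email_verified = decisions[0];

  // Step 2: email changed, verification state cleared.
  user.email = 'new@example.com';
  user.email_verified = false;
  user.app_metadata.email_changed_at = '2024-02-01T10:00:00.000Z';

  // Steps 3 and 4: verification email ignored, user logs in.
  decisions.push(shouldVerify(user));

  // Beyond the post: a later reset, after the email change, is accepted again.
  user.last_password_reset = '2024-03-01T10:00:00.000Z';
  decisions.push(shouldVerify(user));
  return decisions;
}

console.log('as described:     ', replayScenario(ruleAsDescribed));
console.log('with change check:', replayScenario(ruleWithChangeCheck));
```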