Problem statement
What are my options for verifying a user with Actions during the account creation process?
Solution
When verifying users after creation, there are two scenarios to consider while the Verification Email template is enabled.
1. Verifying the user immediately after user creation or sign up and preventing login.
In this scenario, the user gets a Verification Email sent to them automatically.
To prevent unverified users from accessing your app, you need to implement a Post-Login Action to block them. Only after the user has verified their email address are they allowed to proceed onto your app.
//Post-Login Action blocking script
/**
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onExecutePostLogin = async (event, api) => {
if (!event.user.email_verified) {
api.access.deny(`Access to ${event.client.name} is not allowed.`);
}
};
2. Verifying the user at a later point in the flow.
In this scenario, you must create the user with verify_email: false
to prevent the automatic Verification Email from being sent to the user.
//Example Create a User request
curl -H "Authorization: Bearer YOUR_TOKEN_HERE" -X POST -H "Content-Type: application/json" -d '{"email":"john.doe@gmail.com","connection":"Username-Password-Authentication","password":"secret","verify_email":false}' https://YOUR_DOMAIN.REGION.auth0.com/api/v2/users
Then at a later point, use the Management APIs Send an email address verification email endpoint to send the user a Verification Email.
You should also consider blocking the user from accessing the application with the Post-Login Action blocking script. Be aware that this scenario works only for user creation and not sign-ups.