Why is user w/ unverified email considered authenticated?

Just trying to get login/logout working on my React app using auth0-spa-js, and I’m experiencing a couple problems:

  1. If I sign up using Auth0, I do not receive any notification that I will be receiving a verification email.
  2. Auth0 seems to consider me authenticated/logged in even though I haven’t yet verified my email.

This doesn’t seem “secure by default” to me. Should people be able to access my site’s secure information without at least proving they own the email they signed up with?

Hey there @sdtf!

Auth0-js-spa is a relatively new SDK of ours and there might be some things that need improvements. Can you bring it to the tool maintainers' attention by opening a GitHub issue and then sharing it here with the rest of the community, for bigger visibility?

Thank you!

Gotcha, just posted a GitHub issue.

Perfect! Thanks a lot for sharing that @sdtf!

1 Like
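
An added example, not part of the thread and not Auth0's own code: being logged in and having a verified email are separate facts, and the standard OIDC `email_verified` claim in the user profile carries the second one. The sketch below gates access on both; `accessDecision`, `checkAccess`, `fakeClient` and the sample profiles are hypothetical names and constructed data, while `isAuthenticated()` and `getUser()` are the auth0-spa-js client methods.

```javascript
// Pure decision: authentication and email verification are checked separately.
function accessDecision(isAuthenticated, user) {
  if (!isAuthenticated || !user) {
    return { allow: false, reason: "not_authenticated" };
  }
  // Strict comparison: a missing claim, null, or the string "true"
  // does not count as a verified email.
  if (user.email_verified !== true) {
    return { allow: false, reason: "email_not_verified" };
  }
  return { allow: true, reason: "ok" };
}

// `client` is assumed to be an auth0-spa-js client (or anything exposing
// the same two async methods).
async function checkAccess(client) {
  const authed = await client.isAuthenticated();
  const user = authed ? await client.getUser() : undefined;
  return accessDecision(authed, user);
}

// Constructed stand-in for the SDK client so the example runs offline.
function fakeClient(authed, user) {
  return {
    isAuthenticated: async () => authed,
    getUser: async () => user,
  };
}

// Constructed sample profiles (not real users).
const justSignedUp = { email: "new.user@example.com", email_verified: false };
const verified = { email: "old.user@example.com", email_verified: true };

checkAccess(fakeClient(true, justSignedUp)).then((d) =>
  console.log("just signed up:", d.reason)
);
checkAccess(fakeClient(true, verified)).then((d) =>
  console.log("verified:", d.reason)
);
```

A check in the browser only controls what the UI shows; the API that serves the protected data has to enforce the same requirement on the server side.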