Why is user w/ unverified email considered authenticated?

sdtf · September 26, 2019, 6:53am

Just trying to get login/logout working on my React app using auth0-spa-js, and I’m experiencing a couple problems:

If I sign up using Auth0, I do not receive any notification that I will be receiving a verification email.
Auth0 seems to consider me authenticated/logged in even though I haven’t yet verified my email.

This doesn’t seem “secure by default” to me. Should people be able to access my site’s secure information without at least proving they own the email they signed up with?

konrad.sopala · September 26, 2019, 9:54am

Hey there @sdtf!

Auth0-js-spa is relatively new SDK of ours and there might be some things that need improvements. Can you bring it to the tool maintainers attention by opening a GitHub issue and then sharing it here with the rest of community, for bigger visibility?

Thank you!

sdtf · September 26, 2019, 5:13pm

Gotcha, just posted a GitHub issue.

konrad.sopala · September 27, 2019, 6:38am

Perfect! Thanks a lot for sharing that @sdtf!

Topic		Replies	Views
Lock, Auth0.js, Auth0 React SDK or Authentication API Help auth0-spa-js , sdks-quickstarts	0	1676	November 7, 2022
Custom e-mail verification and silent auth Help email-verification , user-management	0	335	January 30, 2024
Passwordless login emailVerified status Help auth0 , passwordless , login	2	2017	March 8, 2022
Passwordless Login and Email Verification in one link? Help	4	2080	November 25, 2021
Cannot login immediately after custom signup with universal login using SPA sdk Help login-experience , new-universal-login-experience	0	190	May 3, 2024

Why is user w/ unverified email considered authenticated?

Related Topics