Why is user w/ unverified email considered authenticated?

sdtf · September 26, 2019, 6:53am

Just trying to get login/logout working on my React app using auth0-spa-js, and I’m experiencing a couple problems:

If I sign up using Auth0, I do not receive any notification that I will be receiving a verification email.
Auth0 seems to consider me authenticated/logged in even though I haven’t yet verified my email.

This doesn’t seem “secure by default” to me. Should people be able to access my site’s secure information without at least proving they own the email they signed up with?

konrad.sopala · September 26, 2019, 9:54am

Hey there @sdtf!

Auth0-js-spa is relatively new SDK of ours and there might be some things that need improvements. Can you bring it to the tool maintainers attention by opening a GitHub issue and then sharing it here with the rest of community, for bigger visibility?

Thank you!

sdtf · September 26, 2019, 5:13pm

Gotcha, just posted a GitHub issue.

konrad.sopala · September 27, 2019, 6:38am

Perfect! Thanks a lot for sharing that @sdtf!