How to handle email verification after creating a new account?

Question

When I create a new user in Auth0 (username password authentication) a verification email is sent out to the user.

Without verifying the email the user is still able to sign into Auth0. Actually this is what I want in this particular scenario, however, what is the usual flow in this?

I tried searching for documentation on this verification process on Auth0 but could not find any. Plus if I want the user to verify the mail before signing in how do I configure this? Is this documented somewhere?

Answer 1

As you mentioned, email verification is natively supported in Auth0 when using the username/password authentication. The status of the email verification procedure is tracked through the email_verified property available in the user profile.

By default and inline with what you experienced, authentication is not blocked for non-verified users, however, you can quickly achieve this through a rule (Force email verification):

function (user, context, callback) {
  if (!user.email_verified) {
    return callback(new UnauthorizedError('Please verify your email before logging in.'));
  } else {
    return callback(null, user, context);
  }
}

As noted in the rule page you can also handle this in the application itself by checking the user profile and conditionally reply based on the email verification flag; this will allow you to provide a more customized experience for non-verified users.