Resending Verification Emails Doesn't Regenerate Token or Expiration #4369

Closed
Polarbear2121 opened this issue Nov 21, 2017 · 10 comments
Labels
type:bug Impaired feature or lacking behavior that is likely assumed type:question Support or code-level question

Comments

@Polarbear2121

Hello,

Is there a REST endpoint for resending verification of emails? I don't see anything in the documentation.

Thanks.

@montymxb
Contributor

Yep, you can post to /verificationEmailRequest with the following data.

{
    "email": "[email protected]"
}

Note this will only send if the email is not already verified. You can see the code that handles these requests here.

I did check and there is not a section in the REST docs regarding this yet, but there is a section on verifying emails. I'll put a PR there and keep this open until the docs are updated.

@Polarbear2121
Author

After upgrading to Parse Server 2.7.1,

When I posted to /verificationEmail, I received the verification email. Then, I clicked on the link, and I got an "Invalid Verification Link" message.

@Polarbear2121
Author

The correct post is to /verificationEmailRequest. Still same issue.

@montymxb
Contributor

I'll take a look at this and see if there's something in particular that's going wrong here.

@montymxb montymxb self-assigned this Dec 18, 2017
@montymxb
Contributor

@jferrer21 running against the latest build of parse server 2.7.1 it looks like triggering a verification email produces an email with a valid link.

I would double check that you have enabled email verification in your parse server setup, otherwise this code will throw an undefined error, causing the invalid link page to be shown. I imagine in your case that's probably what's going on. Normally when email verification is enabled those emails are sent automatically on a user signing up, this just gives you the option to resend them if they're lost for any reason.

@Polarbear2121
Author

I have the verifyUserEmails: true and I still have the invalid link page. I noticed that when I get the verify link it has a token that never changes. I'm assuming that token is associated with the signup session. Is this correct?

@montymxb
Contributor

@jferrer21 The email verify token is a randomly generated 25 character string that is created when the first verification email is sent. This is a parameter that is set on your user server side and is independent of any session, it will stay with your user. Depending on your settings it may also have an expiration time as well.

The same token is present when you request for additional verification emails, which seems innocuous enough on its own as it's established the token is persistent once created. What's interesting is this code, which suggests that to the contrary this token is regenerated each time a verification email request is made.

I'll need to verify this further, but it's possible that your existing token is expired and that it is not being updated to a new token with a new lifespan. You could verify this by connecting to mongodb directly and viewing the _email_verify_token and _email_verify_token_expires_at values on your _User collection object (assuming you're using mongodb by the way).

I can't look at this right now but I'll mark that this needs further looking into again. I may be off, but this could be an issue with email verification tokens refreshing as mentioned above.

@Polarbear2121
Author

That was my problem. The _email_verify_token_expires_at was expired. Thank you for pointing me in the right direction.

@montymxb
Contributor

Np. I'll reclassify as a bug in the meantime as the tokens (and timers) should be regenerated across subsequent verification requests. We can keep this open until that is resolved.

@montymxb montymxb added type:bug Impaired feature or lacking behavior that is likely assumed and removed needs investigation type:question Support or code-level question labels Dec 19, 2017
@montymxb montymxb changed the title Resending verification emails Resending Verification Emails Doesn't Regenerate Token or Expiration Dec 19, 2017
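
An added example, not part of the original thread and not Parse Server's own code: a small Node.js model of the behaviour discussed above, contrasting a resend that reuses the stored token with one that regenerates both `_email_verify_token` and `_email_verify_token_expires_at`. The function names, the one-day lifetime, the `'invalid'`/`'expired'`/`'verified'` result strings and the in-memory user object are assumptions made for illustration; only the two field names and the 25-character token length come from the thread.

```javascript
const crypto = require('crypto');

// 25-character token from the OS CSPRNG (13 random bytes, hex, trimmed).
function newToken() {
  return crypto.randomBytes(13).toString('hex').slice(0, 25);
}

// Resend as reported in the thread: hands back whatever token is already stored.
function resendWithoutRotation(user) {
  return user.emailVerified ? null : user._email_verify_token;
}

// Expected resend: a new token and a new expiry on every request.
function issueVerification(user, ttlMs, now) {
  if (user.emailVerified) return null; // already verified, nothing to send
  user._email_verify_token = newToken();
  user._email_verify_token_expires_at = new Date(now + ttlMs);
  return user._email_verify_token;
}

// Link check: constant-time token comparison, then expiry, then single use.
function verify(user, presented, now) {
  const stored = user._email_verify_token;
  if (!stored || typeof presented !== 'string') return 'invalid';
  const a = Buffer.from(stored), b = Buffer.from(presented);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 'invalid';
  if (user._email_verify_token_expires_at.getTime() <= now) return 'expired';
  user.emailVerified = true;
  delete user._email_verify_token;
  delete user._email_verify_token_expires_at;
  return 'verified';
}

// Constructed scenario: sign-up, then a resend three days later with a 1-day lifetime.
function demo() {
  const DAY = 24 * 60 * 60 * 1000;
  const t0 = Date.UTC(2017, 10, 21);
  const later = t0 + 3 * DAY;
  const user = { emailVerified: false };
  const first = issueVerification(user, DAY, t0);
  const stale = resendWithoutRotation(user);        // same token, old expiry
  const staleResult = verify(user, stale, later);
  const fresh = issueVerification(user, DAY, later); // rotated token and expiry
  const oldResult = verify(user, first, later);      // superseded token is rejected
  const freshResult = verify(user, fresh, later);
  return { sameToken: stale === first, rotated: fresh !== first,
           staleResult, oldResult, freshResult };
}
console.log(demo());
```

Rotating on resend also invalidates any earlier link still sitting in a mailbox, so only the most recent email can complete verification.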
@stale

stale bot commented Sep 18, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
