How do I deny a user that hasn't verified their email address

I need a pointer here… Some docs talk about denying a user that hasn’t verified their email address yet…

If you want to do something other than immediately let a user log in if their username/password is correct, you can add additional logic in login.handler(). For example, if a user’s credentials are correct, but they haven’t verified their email address yet, you can throw an error in this function with the appropriate message and then display it to the user. If the login should proceed, simply return the user that was passed as the only argument to the function: Docs - Authentication : RedwoodJS Docs

The code doesn’t seem to be part of the dbAuth…

I can add a verified boolean to the User record, but what is next?

I can send a welcome email, and include a verify link – I could generate a GUID for the round-trip and store that in the database

But how can I add the route to the dbAuth? I don’t understand where the routing in ./the api is – I’m thinking I can then go from there to logged in [home]

And how can I return a message to display that won’t be treated as an Error ?

Thanks!
Al;

import { nanoid } from 'nanoid'

const nodemailer = require('nodemailer');

import { db } from 'src/lib/db'
import { DbAuthHandler } from '@redwoodjs/api'
import { logger } from 'src/lib/logger'

export const handler = async (event, context) => {

  const forgotPasswordOptions = {
    // handler() is invoked after verifying that a user was found with the given
    // username. This is where you can send the user an email with a link to
    // reset their password. With the default dbAuth routes and field names, the
    // URL to reset the password will be:
    //
    // https://example.com/reset-password?resetToken=${user.resetToken}
    //
    // Whatever is returned from this function will be returned from
    // the `forgotPassword()` function that is destructured from `useAuth()`
    // You could use this return value to, for example, show the email
    // address in a toast message so the user will know it worked and where
    // to look for the email.
    handler: (user) => {

      logger.debug(`sending email via: ${process.env.SMTP_HOST}`)
      let transporter = nodemailer.createTransport({
             host: process.env.SMTP_HOST,
             port: 2525,
             auth: {
                 user: process.env.SMTP_USER,
                 pass: process.env.SMTP_PASS
             }
     })

      const resetLink = `${process.env.REDIRECT_URL}/reset-password?resetToken=${user.resetToken}`
      const message = {
        from: process.env.AUTH_EMAIL_FROM,
        to: user.email,
        subject: "Reset Forgotten Password",
        html: `Here is a link reset your password.  It will expire after 4hrs. <a href="${resetLink}">Reset my Password</>`
      }

      transporter.sendMail(message, (err, info) => {
        if (err) {
          console.log(err)
        } else {
          console.log(info);
        }
      })

      return user
    },

    // How long the resetToken is valid for, in seconds (default is 24 hours)
    expires: 60 * 60 * 4,

    errors: {
      // for security reasons you may want to be vague here rather than expose
      // the fact that the email address wasn't found (prevents fishing for
      // valid email addresses)
      usernameNotFound: 'Username not found',
      // if the user somehow gets around client validation
      usernameRequired: 'Username is required',
    },
  }

  const loginOptions = {
    // handler() is called after finding the user that matches the
    // username/password provided at login, but before actually considering them
    // logged in. The `user` argument will be the user in the database that
    // matched the username/password.
    //
    // If you want to allow this user to log in simply return the user.
    //
    // If you want to prevent someone logging in for another reason (maybe they
    // didn't validate their email yet), throw an error and it will be returned
    // by the `logIn()` function from `useAuth()` in the form of:
    // `{ message: 'Error message' }`
    handler: (user) => {
      if (!user.verified) {
        throw new Error('Please validate your email first!')
      } else {
        return user
      }
    },

    errors: {
      usernameOrPasswordMissing: 'Both username and password are required',
      usernameNotFound: 'Username ${username} not found',
      // For security reasons you may want to make this the same as the
      // usernameNotFound error so that a malicious user can't use the error
      // to narrow down if it's the username or password that's incorrect
      incorrectPassword: 'Incorrect password for ${username}',
    },

    // How long a user will remain logged in, in seconds
    expires: 60 * 60 * 24 * 365 * 10,
  }

  const resetPasswordOptions = {
    // handler() is invoked after the password has been successfully updated in
    // the database. Returning anything truthy will automatically logs the user
    // in. Return `false` otherwise, and in the Reset Password page redirect the
    // user to the login page.
    handler: (user) => {
      return user
    },

    // If `false` then the new password MUST be different than the current one
    allowReusedPassword: true,

    errors: {
      // the resetToken is valid, but expired
      resetTokenExpired: 'resetToken is expired',
      // no user was found with the given resetToken
      resetTokenInvalid: 'resetToken is invalid',
      // the resetToken was not present in the URL
      resetTokenRequired: 'resetToken is required',
      // new password is the same as the old password (apparently they did not forget it)
      reusedPassword: 'Must choose a new password',
    },
  }

  const signupOptions = {
    // Whatever you want to happen to your data on new user signup. Redwood will
    // check for duplicate usernames before calling this handler. At a minimum
    // you need to save the `username`, `hashedPassword` and `salt` to your
    // user table. `userAttributes` contains any additional object members that
    // were included in the object given to the `signUp()` function you got
    // from `useAuth()`.
    //
    // If you want the user to be immediately logged in, return the user that
    // was created.
    //
    // If this handler throws an error, it will be returned by the `signUp()`
    // function in the form of: `{ error: 'Error message' }`.
    //
    // If this returns anything else, it will be returned by the
    // `signUp()` function in the form of: `{ message: 'String here' }`.
    handler: async ({ username, hashedPassword, salt, userAttributes }) => {

      logger.debug(`sending email via: ${process.env.SMTP_HOST}`)
      let transporter = nodemailer.createTransport({
             host: process.env.SMTP_HOST,
             port: 2525,
             auth: {
                 user: process.env.SMTP_USER,
                 pass: process.env.SMTP_PASS
             }
     })

      const verifyLink = `${process.env.REDIRECT_URL}/verify-email?verifyToken=${user.verifyToken}`
      const message = {
        from: process.env.AUTH_EMAIL_FROM,
        to: username,
        subject: "Reset Forgotten Password",
        html: `Welcome, please click this link to <a href="${verifyLink}">Verify Your Email Address</>`
      }

      transporter.sendMail(message, (err, info) => {
        if (err) {
          console.log(err)
        } else {
          console.log(info);
        }
      })

      await db.user.create({
        data: {
          email: username,
          hashedPassword: hashedPassword,
          salt: salt,
          // name: userAttributes.name,
          id: nanoid()
        },
      })

      return { message: 'Thank you for creating your account.  Please go to your email and click the Verify Your Email Address link before logging in.'}
    },

    errors: {
      // `field` will be either "username" or "password"
      fieldMissing: '${field} is required',
      usernameTaken: 'Username `${username}` already in use',
    },
  }

  const authHandler = new DbAuthHandler(event, context, {
    // Provide prisma db client
    db: db,

    // The name of the property you'd call on `db` to access your user table.
    // ie. if your Prisma model is named `User` this value would be `user`, as in `db.user`
    authModelAccessor: 'user',

    // A map of what dbAuth calls a field to what your database calls it.
    // `id` is whatever column you use to uniquely identify a user (probably
    // something like `id` or `userId` or even `email`)
    authFields: {
      id: 'id',
      username: 'email',
      hashedPassword: 'hashedPassword',
      salt: 'salt',
      resetToken: 'resetToken',
      resetTokenExpiresAt: 'resetTokenExpiresAt',
    },

    forgotPassword: forgotPasswordOptions,
    login: loginOptions,
    resetPassword: resetPasswordOptions,
    signup: signupOptions,
  })

  return await authHandler.invoke()
}

Hi there again Al!

There isn’t actually a place on dbAuth for the verification of the account, but you can incorporate it as a service - which I’d assume is the unofficial-recommended way of doing so. You’ll just need to make the service open (@skipAuth). But you could just as easily create your own function and access the database through it.

Every other part of how you’re describing the flow is exactly how I accomplished confirmation as well :slight_smile:

Hello my Friend,

Thanks for the tip, I expect I’ll end up making my own service too.

1 Like

As you noted, there’s a number of things needed to implement a confirm email:

  • generate confirmation token and sent at in user’s profile record
  • send an email
  • accept an incoming request to verify the token and confirm the user
  • apply some auth check to not deny the user access if their account isn’t confirmed

You could create a serverless function for the verifyConfirmationToken and then use that link in your email went sent.

You could in that function do the work to verify th request, check the token for expiration confirm the token is valid, lookup the user by token and then set the confirmedAt or or confirmation flag.

But, you would want to make sure that only the current auth’d user could update the token and confirmation flags.

It doesn’t necessarily need to be part of dbAuth – but that would be a good enhancement:

  • on signup create the confirmation tokens in User
  • provider a hook to send email confirmation
  • provider a verifyConfirmationToken handler
  • update requireAuth check to ensure user account is confirmed