4

When I create a new user in Auth0 (username password authentication), a verification email is sent out to the user.

Without verifying the email, the user is still able to sign into Auth0. Actually, this is what I want in this particular scenario; however, what is the usual flow in this?

I tried searching for documentation on this verification process on Auth0 but could not find any. Plus, if I want the user to verify the mail before signing in, how do I configure this? Is this documented somewhere?

João Angelo
user3547774

1 Answer

5

As you mentioned, email verification is natively supported in Auth0 when using the username/password authentication. The status of the email verification procedure is tracked through the email_verified property available in the user profile.

By default, and in line with what you experienced, authentication is not blocked for non-verified users; however, you can quickly achieve this through a rule (Force email verification):

```javascript
function (user, context, callback) {
  if (!user.email_verified) {
    return callback(new UnauthorizedError('Please verify your email before logging in.'));
  } else {
    return callback(null, user, context);
  }
}
```

As noted in the rule page, you can also handle this in the application itself by checking the user profile and conditionally replying based on the email verification flag; this will allow you to provide a more customized experience for non-verified users.

João Angelo
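The application-side alternative mentioned at the end of the answer, sketched as an added example (not part of the original answer and not Auth0's own code): a server-side gate that reads `email_verified` from the user profile and lets unverified users reach only the pages needed to finish verification. It assumes the profile comes from an ID token or `/userinfo` response the server has already validated; the function names, route paths and Express-style `req`/`res` shape are hypothetical.

```javascript
// Added example: application-side gate on the email_verified profile flag.
// Assumption: `profile` holds claims from a token the server already validated
// (signature, issuer, audience). All names and paths below are hypothetical.

// Pages an unverified user may still reach, so the app can guide them.
const ALLOWED_WHEN_UNVERIFIED = new Set([
  '/verify-email',
  '/resend-verification',
  '/logout',
]);

function gateOnEmailVerification(profile, path) {
  if (!profile || typeof profile !== 'object') {
    return { allow: false, status: 401, reason: 'no_profile' };
  }
  // Fail closed: only the boolean true counts as verified. A missing claim
  // or the string "true" is treated as unverified.
  if (profile.email_verified === true) {
    return { allow: true, status: 200, reason: 'verified' };
  }
  if (ALLOWED_WHEN_UNVERIFIED.has(path)) {
    return { allow: true, status: 200, reason: 'unverified_allowed_path' };
  }
  return {
    allow: false,
    status: 403,
    reason: 'email_not_verified',
    redirect: '/verify-email',
  };
}

// Express-style middleware wrapper. Assumption: an earlier layer has put the
// validated profile on req.user.
function requireVerifiedEmail(req, res, next) {
  const decision = gateOnEmailVerification(req.user, req.path);
  if (decision.allow) {
    return next();
  }
  const body = { error: decision.reason };
  if (decision.redirect) {
    body.next = decision.redirect; // tells the client where to send the user
  }
  return res.status(decision.status).json(body);
}
```

Run the check on the server for every protected route; a flag read only in browser code can be bypassed by the user.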