
Hey everyone,
At the moment on my app, users can create an account with any email they wish without any type of verification. I want to implement a way to verify emails on account creation. My idea was to have it so that when a user registers an account, it will send them a "login email" with a link that logs them in to their account (which means the email is verified). It shouldn't let the user access the account if they've not used that link.
This is my current code for my login and register functions:
```js
const handleUserLogin = async (e, credentials) => {
  e.preventDefault()
  try {
    // Create the session, then load the account it belongs to
    await account.createEmailSession(credentials.email, credentials.password)
    const accountDetails = await account.get()
    setUser(accountDetails)
    navigate('/')
  } catch (error) {
    console.warn(error)
  }
}

const handleUserRegister = async (credentials) => {
  try {
    await account.create(
      ID.unique(),
      credentials.email,
      credentials.password1,
      credentials.name
    )
    // The new account is logged in immediately, with no email verification
    await account.createEmailSession(credentials.email, credentials.password1)
    const accountDetails = await account.get()
    setUser(accountDetails)
    navigate('/')
  } catch (error) {
    console.warn(error)
  }
}
```
Does this functionality already exist within Appwrite?
Thank you in advance!

Oh btw, setUser() is just a React state that holds the returned account data to be accessed later for getting email, names etc.

In Appwrite, you would allow users to log in even if their account isn't verified. You would restrict access to resources to only verified users using permissions. To verify their email, you would call https://appwrite.io/docs/references/cloud/client-web/account#createVerification and then https://appwrite.io/docs/references/cloud/client-web/account#updateVerification after they're redirected to your app from the email.

Would I just deny the read permission and add a handler for that so that it asks them to verify their email? If so, how would I differentiate the verification issue from any other reasons why the user may be denied read access?
Is there no way to just check the verification status of an account before I setUser credentials and redirect?

You can grant access to verified users instead of all users. The way I do it is I still setUser(), but then on whatever page they're on after login, I look at the user object to see if they're verified. If not, show a banner with a button that allows them to send a verification email.

Ah, okay.

So would you still recommend allowing them access to use the app even without verification?

Sort of... essentially, they wouldn't be able to do anything because your UI can hide things because they aren't verified. And server-side, things are restricted to verified users.

Okay, for robustness, even if the UI is hidden, should I still add verification checks for various database interactions from the user?

That's where the server side permissions should suffice

As long as you've restricted it server-side, you're fine

wym?

ie. restricting access to documents to only verified users
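
The flow discussed in this thread, as an added example that is not part of any participant's post: log in, read `emailVerification` from the user object, send the verification email on request, and confirm it when the emailed link redirects back. The helper names and the sample link are assumptions; `account` is an Appwrite `Account` instance with the positional signatures used in the code above.

```javascript
// Added example; helper names are hypothetical. `account` is an Appwrite
// Account instance from the same SDK version as the thread's code.
const SAMPLE_LINK = // constructed redirect URL, not a real secret
  'https://app.example/verify?userId=u123&secret=constructed-secret';

// After login: load the user and decide whether to show the verify banner.
// This is a UI hint only; documents still need server-side permissions
// limited to verified users.
async function loginAndCheck(account, credentials) {
  await account.createEmailSession(credentials.email, credentials.password);
  const user = await account.get();
  return { user, needsVerification: user.emailVerification !== true };
}

// Banner button: Appwrite emails a link that redirects to redirectUrl.
function sendVerificationEmail(account, redirectUrl) {
  return account.createVerification(redirectUrl);
}

// Extract userId and secret from the redirect; null if either is missing.
function parseVerificationLink(href) {
  const params = new URL(href).searchParams;
  const userId = params.get('userId');
  const secret = params.get('secret');
  return userId && secret ? { userId, secret } : null;
}

// Page the emailed link lands on: confirm the secret, then re-read the
// account instead of assuming the address is now verified.
async function completeVerification(account, href) {
  const link = parseVerificationLink(href);
  if (!link) return { verified: false, reason: 'missing userId or secret' };
  try {
    await account.updateVerification(link.userId, link.secret);
  } catch (error) {
    return { verified: false, reason: error.message };
  }
  const user = await account.get();
  return { verified: user.emailVerification === true, user };
}
```

In a React component, `needsVerification` would drive the banner, and `completeVerification(account, window.location.href)` would run on the route passed to `createVerification`.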
