
Email verification with new accounts

  • Accounts
  • Web
larkx
5 Oct, 2023, 16:41

Hey everyone,

At the moment on my app, users can create an account with any email they wish without any type of verification. I want to implement a way to verify emails on account creation. My idea was to have it so that when a user registers an account, it will send them a "login email" with a link that logs them in to their account (which means the email is verified). It shouldn't let the user access the account if they've not used that link.

This is my current code for my login and register functions:

```typescript
const handleUserLogin = async (e, credentials) => {
    e.preventDefault()

    try {
        const response = await account.createEmailSession(credentials.email, credentials.password)
        const accountDetails = await account.get()
        setUser(accountDetails)

        navigate('/')
    } catch(error) {
        console.warn(error)
    }
}
```

```typescript
const handleUserRegister = async (credentials) => {

    try {
        let response = await account.create(
            ID.unique(),
            credentials.email,
            credentials.password1,
            credentials.name
        )

        await account.createEmailSession(credentials.email, credentials.password1)
        const accountDetails = await account.get()
        setUser(accountDetails)
        navigate('/')
    } catch(error) {
        console.warn(error)
    }
}
```

Does this functionality already exist within Appwrite?

Thank you in advance! 😄

TL;DR
The user wants to implement email verification during account creation on their app. They want to send a verification email that logs users in and verifies their email. The idea is to restrict access to the account if the user hasn't used the verification link. They are using Appwrite and have provided their current login and register functions. They are asking if this functionality already exists within Appwrite. Solution: In Appwrite, users can log in even if their account isn't verified. Access to resources can be restricted to only verified users using permissions. To verify email, the user can call the Appwrite API endpoint for creating and updating verification. The email
larkx
5 Oct, 2023, 16:45

Oh btw, setUser() is just a React state that holds the returned account data to be accessed later for getting email, names etc.

Drake
5 Oct, 2023, 16:59

In Appwrite, you would allow users to log in even if their account isn't verified. You would restrict access to resources to only verified users using permissions. To verify their email, you would call https://appwrite.io/docs/references/cloud/client-web/account#createVerification and then https://appwrite.io/docs/references/cloud/client-web/account#updateVerification after they're redirected to your app from the email.

larkx
5 Oct, 2023, 17:07

Would I just deny the read permission and add a handler for that so that it asks them to verify their email? If so, how would I differentiate the verification issue from any other reasons why the user may be denied read access?

Is there no way to just check the verification status of an account before I setUser credentials and redirect?

Drake
5 Oct, 2023, 17:19

You can grant access to verified users instead of all users. The way I do it is I still setUser(), but then on whatever page they're on after login, I look at the user object to see if they're verified. If not, show a banner with a button that allows them to send a verification email.

larkx
5 Oct, 2023, 17:40

Ah, okay.

larkx
5 Oct, 2023, 17:40

So would you still recommend allowing them access to use the app even without verification?

Drake
5 Oct, 2023, 17:49

Sort of... essentially, they wouldn't be able to do anything because your UI can hide things because they aren't verified. And server-side, things are restricted to verified users.

larkx
5 Oct, 2023, 17:58

Okay, for robustness, even if the UI is hidden, should I still add verification checks for various database interactions from the user?

Drake
5 Oct, 2023, 18:01

That's where the server-side permissions should suffice.

Drake
5 Oct, 2023, 18:02

As long as you've restricted it server-side, you're fine.

larkx
7 Oct, 2023, 15:17

wym?

Drake
9 Oct, 2023, 16:26

i.e., restricting access to documents to only verified users
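
Added example, not part of the thread and not Appwrite's own code: one way to wire up the client-side flow Drake describes (look at the user object, offer to send the email, confirm when the emailed link brings the user back). `VERIFY_PATH` and the function names are hypothetical; `account` is the Appwrite `Account` instance used in the code above.

```javascript
// Added example. VERIFY_PATH and the three function names are hypothetical;
// `account` is an Appwrite Account instance, `user` the result of account.get().
const VERIFY_PATH = '/verify'; // assumed route that the emailed link points to

// Decide what the page should do for this user and URL (pure, no network).
function verificationStep(user, href) {
    if (user && user.emailVerification) return { step: 'verified' };

    // Appwrite appends userId and secret to the URL given to createVerification.
    const url = new URL(href);
    const userId = url.searchParams.get('userId');
    const secret = url.searchParams.get('secret');
    if (url.pathname === VERIFY_PATH && userId && secret) {
        // This example refuses a link issued for a different account
        // than the one currently logged in.
        if (user && user.$id !== userId) return { step: 'wrong-account' };
        return { step: 'confirm', userId, secret };
    }
    if (!user) return { step: 'login' };
    return { step: 'show-banner' }; // logged in but unverified: offer to send the email
}

// Banner button handler: ask Appwrite to email the verification link.
async function sendVerification(account, origin) {
    return account.createVerification(origin + VERIFY_PATH);
}

// Called on the VERIFY_PATH page when verificationStep() returns 'confirm'.
async function confirmVerification(account, step) {
    return account.updateVerification(step.userId, step.secret);
}
```

This only drives what the UI shows; access is still enforced by the server-side permissions for verified users discussed in the thread.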
