Hello guys,
I'm getting the following error: (role: applications) missing scope (public) when performing an email verification:

public async verifyUserEmail(userId: string, secret: string): Promise<void> {
  await this.accountService.createSession(userId, secret);
  await this.accountService.completeVerification(userId, secret); // This call triggers the error.
  await this.userService.updateUserLabel(userId, [
    AuthProcessLabels.STEP_EMAIL_VERIFIED,
  ]);
}

// Other class
public async completeVerification(
  userId: string,
  secret: string
): Promise<void> {
  await this.account.updateVerification(userId, secret);
}

Even if the call returns an error, it still sets my account's email as verified and the execution status as completed.
For testing purpose, all the permissions are enabled.
This code is being run server side?
Yes, on the Appwrite Function nodejs18 runtime
To send a verification email, I think you can only do this using a session/jwt. I see you are using an API key?
Yes I'm using the dynamic API_KEY of the function:
export const createAppwriteClient = (req: Context["req"]): Client => {
  const client = new Client();
  client
    .setEndpoint(process.env.APPWRITE_FUNCTION_API_ENDPOINT)
    .setProject(process.env.APPWRITE_FUNCTION_PROJECT_ID)
    .setKey(req.headers["x-appwrite-key"]);
  return client;
};
Completing verification does not require an API key
Yes indeed. I have previously tried this function on the frontend without it. But here, I'm executing it in an Appwrite serverless Function and getting this error. I don't understand why this error occurs at this point. I've created the session just before. Any hint on why (role: applications) missing scope (public) occurs?
Thanks
I wasn't able to identify a solution at the SDK level. This might indicate a potential issue within the Appwrite codebase itself. It seems illogical to return a 200 status code while simultaneously throwing an error. Should I open an issue for this @Steven ?
It's not clear to me why such a function could not be executed at the Function level while providing an API key, since the error seems to mean that the request should be made without it.
Working solution (but it sounds more like a side effect than an understandable solution):
Using await this.account.createSession(userId, secret); instead of await this.account.updateVerification(userId, secret) does set the email status as verified.
Again, don't use an API key when calling update verification.
It's 200 because the function itself is fine. Your code is the problem
These are 2 different use cases
I'm sorry, but there is a clear lack of documentation on this. When there is a function called createSession that actually validates the email of a user, while the updateVerification function (which is supposed to do so) doesn't, due to a permission problem because I'm running the code on the server side with my API key with the node-appwrite package (used for this purpose) instead of calling it on the frontend, it makes no sense. I'm not even talking about throwing an error while sending a status 200.
You probably missed the bit in the docs about how createSession is not used to verify emails. It is used to verify phone auth and magic URL sessions with the relevant token.
For email verification the correct method to use is updateVerification
https://appwrite.io/docs/references/cloud/server-nodejs/account#createSession
Thanks guys for pointing out the documentation link.
When we look at the description of account#updateVerification, the documentation is saying: "Use this endpoint to complete the user email verification process...to verify the user email ownership". With the function named updateVerification, at this point it is perfectly clear what the function does and what the expected result of it is.
Now, when we look at the description of account#createSession, the documentation is saying: "Use this endpoint to create a session from token...successful response of authentication flows initiated by token creation. For example, magic URL and phone login." With the function named createSession, at this point it's not clear at all that this function will validate a user's email if using the createMagicURLToken function. When I see a createSession function, I expect it to create a session, not do anything else.
What I mean is that it's confusing. It's maybe just me.. who knows. 🤨
For updateVerification, you need to use https://appwrite.io/docs/references/cloud/client-web/account#createVerification first
a verification and session is not the same
a session = a user that has logged in/is logging in
verification = mfa, email etc.
As ernest said:
I know that a verification and a session are not the same. This is the whole point of what I'm saying.
As I said before, there is no reason that the createSession function validates the email of a user, but it does! Can you explain to me why?
Running this line, await this.account.createSession(userId, secret);, after using the createMagicURLToken function marks my email as verified.
I understand your point: going by the method name alone, there is no indication of verification of the account. However, given the fact that the verification part is well documented, I don't think it's a big deal.
Magic URL and phone auth account sessions need to be created and verified with a token. So that's why the 'unified' createSession method exists. In fact, there used to be different methods for creating the session and verifying the account for both phone and magic URL, such as createPhoneVerification(), updatePhoneVerification() etc. (You can refer to the 1.4.x docs)
I encountered the same problem when using functions to verify the email address. Finally, I found that I just needed to delete the 'setKey' method in the client initialization.
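
The fix reported in this thread, as an added example (not code from the thread or from Appwrite): a function that still needs the dynamic key for the Users service can build two clients, so that updateVerification goes through one on which setKey was never called. `createClients`, the `*Like` interfaces, the `verifyUserEmail` signature and `verifiedLabel` are assumptions made for illustration; pass node-appwrite's `Client` as `ClientCtor`.

```typescript
// Added example: not code from the thread or from Appwrite.
// Structural type covering the node-appwrite Client methods used below.
interface ClientLike {
  setEndpoint(endpoint: string): this;
  setProject(project: string): this;
  setKey(key: string): this;
}

interface FunctionEnv {
  APPWRITE_FUNCTION_API_ENDPOINT: string;
  APPWRITE_FUNCTION_PROJECT_ID: string;
}

// Build two clients per execution (createClients is a hypothetical helper):
//   admin   - carries the function's dynamic key, for the Users service
//   keyless - no setKey() call, for Account.updateVerification
function createClients<C extends ClientLike>(
  ClientCtor: new () => C,
  env: FunctionEnv,
  headers: Record<string, string | undefined>,
): { admin: C; keyless: C } {
  const key = headers["x-appwrite-key"];
  if (!key) throw new Error("x-appwrite-key header is missing");
  const base = (): C =>
    new ClientCtor()
      .setEndpoint(env.APPWRITE_FUNCTION_API_ENDPOINT)
      .setProject(env.APPWRITE_FUNCTION_PROJECT_ID);
  return { admin: base().setKey(key), keyless: base() };
}

// Services are passed in already bound: `account` to the keyless client,
// `users` to the admin client.
interface AccountLike {
  updateVerification(userId: string, secret: string): Promise<unknown>;
}
interface UsersLike {
  updateLabels(userId: string, labels: string[]): Promise<unknown>;
}

async function verifyUserEmail(
  account: AccountLike,
  users: UsersLike,
  userId: string,
  secret: string,
  verifiedLabel: string,
): Promise<void> {
  await account.updateVerification(userId, secret); // rejects if the secret is refused
  await users.updateLabels(userId, [verifiedLabel]); // only reached after success
}
```

Keeping the key off the verification client also means a rejected secret stops the flow before any key-scoped write is made.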