Description
a12n-server requires email addresses to be verified before users can log in, but the 'public registration' flow currently neither sends the verification email nor offers a UI for entering the code.
So during 'public registration' it should ask users right away to verify their email address with a verification code, so users don't end up in a stuck state.
General approach:
- Create a new route, such as `/register/verify-email`.
- This route should serve a template that tells the user something like: "We just sent you an email with a one-time code. Please enter it here to verify you have access to [email address]. This code expires in x minutes."
- The actual verification email should be sent immediately after the user submits the registration form. There already is a function that does this: https://github.com/curveball/a12n-server/blob/main/src/principal-identity/service.ts#L133
- Likewise, to verify the code, there is a function that checks if it's valid and marks the email address as 'verified': https://github.com/curveball/a12n-server/blob/main/src/principal-identity/service.ts#L177
- The page should have an option to re-send the verification email.
- The user should be sent to the new `/register/verify-email` endpoint after they have completed the registration form. Note that there are 2 flows that both should work (either they set up MFA or they don't).
- Lastly, the registration controller has a 'firstRun' flag. Users should not get redirected to this form if they are in the firstRun flow; instead we assume that the email address is already verified (we trust the first user, basically). This is already the case today, but it is an edge case to be aware of!