Mandatory email verification

Hello everyone! Is there any way to enforce email verification before login? The OpenSaaS template somehow allows login without verification. Is there a field in the User entity that is responsible for this?
2 Replies
kapa.ai, 2d ago
Hi @IT Father. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

----------------------

Yes, there is a way to enforce email verification before login in Wasp. By default, Wasp requires email verification before allowing a user to log in when using email authentication. However, it seems you've encountered a situation with the OpenSaaS template where this isn't enforced.

To ensure email verification is required, you should check for the isEmailVerified field in the User entity. This field is typically used to track whether a user's email has been verified.

Here's how you can implement email verification:

1. In your main.wasp file, make sure you have email verification enabled in your auth configuration:
    auth: {
      userEntity: User,
      methods: {
        email: {
          emailVerification: {
            clientRoute: EmailVerificationRoute,
          },
        },
      },
    }
Docs > Auth > Email > Setting Up Email Authentication (https://wasp-lang.dev/docs/auth/email#1-enable-email-authentication-in-mainwasp)

2. When a user signs up, their email should be marked as unverified. You can do this in your custom sign-up action:
    const newUserProviderData = await sanitizeAndSerializeProviderData<'email'>({
      hashedPassword: args.password,
      isEmailVerified: false,
      emailVerificationSentAt: null,
      passwordResetSentAt: null,
    })
Docs > Auth > Email > Creating a Custom Sign-up Action (https://wasp-lang.dev/docs/auth/email#creating-a-custom-sign-up-action)

3. Send a verification email to the user after sign-up:
    const verificationLink = await createEmailVerificationLink(args.email, '/email-verification');
    await sendEmailVerificationEmail(args.email, {
      // email content
    });
Docs > Auth > Email > Creating a Custom Sign-up Action (https://wasp-lang.dev/docs/auth/email#creating-a-custom-sign-up-action)

4. In your login logic, check the isEmailVerified field before allowing login. If it's false, prevent login and ask the user to verify their email first.

If you're using the default Wasp authentication flow, this should be handled automatically. However, if you're using a custom login action, you'll need to implement this check yourself.

If the OpenSaaS template is allowing login without verification, it's possible that it's using a custom login action that doesn't check the isEmailVerified field. You may need to modify this action to enforce email verification.

Remember, you can always use the verifyEmail action provided by Wasp to handle the verification process:
    import { verifyEmail } from 'wasp/client/auth'
    ...
    await verifyEmail({ token });
Docs > Auth > Email > API Reference (https://wasp-lang.dev/docs/auth/email#emailverification-emailverificationconfig-)

If you're still having issues, you might want to check the specific implementation in the OpenSaaS template and ensure it's correctly using Wasp's email verification features.

----------------------

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

----------------------

Sorry @IT Father, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15 mins?
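
The check described in step 4, as an added example that is not part of the thread and is not Wasp's or OpenSaaS's code. The `login`, `hashPassword` and `passwordMatches` functions, the in-memory `users` map and the scrypt hashing are all assumptions standing in for a custom login action; only the `isEmailVerified` and `hashedPassword` field names come from the thread.

```javascript
// Added example: in-memory stand-in for a custom login action (hypothetical names).
const crypto = require('node:crypto');

// Hypothetical helper: scrypt hash stored as "saltHex:keyHex".
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${key.toString('hex')}`;
}

// Hypothetical helper: constant-time comparison against the stored hash.
function passwordMatches(password, stored) {
  const [saltHex, keyHex] = stored.split(':');
  const expected = Buffer.from(keyHex, 'hex');
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample users; field names mirror the provider data shown in the thread.
const users = new Map([
  ['verified@example.test', { hashedPassword: hashPassword('correct horse'), isEmailVerified: true }],
  ['pending@example.test', { hashedPassword: hashPassword('battery staple'), isEmailVerified: false }],
]);

// Hashing against a dummy value keeps unknown emails as slow as known ones.
const DUMMY_HASH = hashPassword('placeholder');

function login(email, password) {
  const normalized = email.trim().toLowerCase();
  const user = users.get(normalized);
  const ok = passwordMatches(password, user ? user.hashedPassword : DUMMY_HASH);
  if (!user || !ok) {
    return { ok: false, reason: 'invalid_credentials' };
  }
  // Checked only after the password is proven, so the verification status
  // of an account is not revealed to someone who merely knows the address.
  if (!user.isEmailVerified) {
    return { ok: false, reason: 'email_not_verified' };
  }
  return { ok: true, email: normalized };
}
```

The caller issues a session only when `ok` is true; on `email_not_verified` it can offer to resend the verification email instead.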
martinsos, 2d ago
Actually, there is no way to turn it off :D! So I wonder how you got into a situation where it is turned off. Might be that OpenSaaS turns it off during development to make it easier for you, but in production it is certainly turned on, but I actually don't think we have that on by default. Can you let me know how you got into a situation where you can log in without verification?