Better error message for when confirmation token can't be found #583

Closed
danschultzer opened this issue Nov 11, 2020 · 5 comments · Fixed by #618

Comments

@danschultzer
Collaborator

Per the Elixir Slack channel, when you click a confirmation URL twice, it first shows the flash "The email address has been confirmed." and then shows up with a "The email address couldn't be confirmed." message. The second time it should instead be something like "The email address couldn't be confirmed or may already have been confirmed." or maybe "The token could not be found, the email address may already have been confirmed."

@sb8244

sb8244 commented Jan 28, 2025

Came looking for this issue because it's affecting me heavily.

The way it's implemented leads to a lot of confusion when email firewalls auto-click links to check them. The link becomes used + invalid, and there's no way to associate it back to the user.

Maybe the solution is that the confirmation UI should require a user prompt (change on my end). I'm not sure yet, other than this pops up at least once per week for me right now so I'm going to hack together a fix on my end.

@sb8244

sb8244 commented Jan 28, 2025

The solution may just be to override the behavior in the changeset?

  def confirm_email_changeset(input_cs, params) do
    cs = super(input_cs, params)

    if changed?(cs, :email_confirmation_token) && fetch_change!(cs, :email_confirmation_token) == nil do
      Ecto.Changeset.delete_change(cs, :email_confirmation_token)
    else
      cs
    end
  end

If so, then that makes sense from a library perspective and everything is as it should be.

@danschultzer
Collaborator Author

danschultzer commented Jan 28, 2025

Yeah, this should be improved. I've created #738 to handle the case of a signed-in user with an already confirmed email. If the user doesn't have an email confirmation token then it just returns success. This doesn't address the case of a user not being signed in and confirming their email, but I assume most people are signed in when they click the confirmation email.

To solve it for users not signed in we have to add additional params to be able to load the user despite the confirmation token not existing in the database. Let me know if the above PR will be enough to address it.

@sb8244

sb8244 commented Jan 28, 2025

Are users signed in when they confirm their email? I don't know if I did something weird in my app, but users are not signed in during confirmation.

@danschultzer
Collaborator Author

Ah, you are right. It's only when you change the address. Let me work on the PR so the user id is included in the token and we can look up the user if the token is not valid to check if the user already was confirmed. That should resolve it entirely.
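
An added sketch, not part of the thread and not Pow's code: one way to combine the two ideas discussed above, a GET that never consumes the token (so a link scanner cannot invalidate it) and a signed token carrying the user id so a repeat click can be reported as already confirmed. The module, its function names, the key and the in-memory `users` map are hypothetical; `:crypto.hash_equals/2` requires OTP 25 or later.

```elixir
# Added illustration; ConfirmationSketch, its functions and @key are hypothetical, not Pow's API.
defmodule ConfirmationSketch do
  @key "constructed-demo-key"
  # Token = base64url(user_id) . nonce . HMAC-SHA256(first two parts); caller stores the nonce.
  def issue(user_id) do
    nonce = Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false)
    payload = Base.url_encode64(user_id, padding: false) <> "." <> nonce
    {payload <> "." <> mac(payload), nonce}
  end

  # GET: verifies and reports state but never mutates, so a link scanner cannot burn the token.
  def preview(users, token) do
    with {:ok, id, nonce} <- verify(token), %{} = user <- Map.get(users, id) do
      status(user, nonce)
    else
      _ -> :invalid
    end
  end

  # POST (explicit user action): consumes the token; a repeat is reported, not failed.
  def confirm(users, token) do
    with :pending <- preview(users, token), {:ok, id, _nonce} <- verify(token) do
      {:confirmed, Map.update!(users, id, fn u -> %{u | confirmed: true, nonce: nil} end)}
    else
      other -> {other, users}
    end
  end

  defp status(%{confirmed: true}, _nonce), do: :already_confirmed
  defp status(%{nonce: nonce}, nonce), do: :pending
  defp status(_user, _nonce), do: :invalid
  defp verify(token) do
    with [id64, nonce, sig] <- String.split(token, "."),
         expected = mac(id64 <> "." <> nonce),
         true <- byte_size(sig) == byte_size(expected) and :crypto.hash_equals(sig, expected),
         {:ok, id} <- Base.url_decode64(id64, padding: false) do
      {:ok, id, nonce}
    else
      _ -> :error
    end
  end
  defp mac(data), do: Base.url_encode64(:crypto.mac(:hmac, :sha256, @key, data), padding: false)
end
# Constructed sample run: scanner GET, user POST, repeat POST.
{token, nonce} = ConfirmationSketch.issue("42")
users = %{"42" => %{confirmed: false, nonce: nonce}}
:pending = ConfirmationSketch.preview(users, token)
{:confirmed, users} = ConfirmationSketch.confirm(users, token)
{:already_confirmed, _} = ConfirmationSketch.confirm(users, token)
```

The HMAC is checked before any user lookup, so `:already_confirmed` is only returned to the holder of a token that was issued for that user.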
