Missing PKCE is success in email verification flow #1145
Conversation
Since end users might verify their email on a different device than the user agent they initiated the sign up (or sign in) flow with, treat this as a success condition. The application will need to detect this case and show a message that confirms that the email is verified, but that the user will need to sign in to complete.
scotttrinh
force-pushed
the
email-verify-can-skip-pkce
branch
from
01428bd to
d6c1053
Compare
|
@jaclarke Sorry about missing this: the built-in UI needed this update, too, so: |
| error: null, | ||
| tokenData: null, | ||
| provider: null, | ||
| isSignUp: false, |
There was a problem hiding this comment.
Actually, this probably should be true, as email verification is part of the sign up flow.
There was a problem hiding this comment.
Oh, good point. I think we should actually use the isSignUp search param here.
There was a problem hiding this comment.
Hmm, actually, I don't think this works as-is: it's impossible to tell the difference between a sign in attempt from an unverified email vs. a successful verification without the PKCE verifier since they have the same shape.
Let me do a little design work here. I think we might need to introduce a discriminant into this callback payload type to make it less ambiguous for the consumer.
|
Going to put this back in draft, it's not nearly ready:
|
Since end users might verify their email on a different device than the user agent they initiated the sign up (or sign in) flow with, treat this as a success condition. The application will need to detect this case and show a message that confirms that the email is verified, but that the user will need to sign in to complete.
Note: this is a breaking change, so we need to bump the minor (given this is a
0.xrelease)