FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Invalid verification code after login attempt when registration was completed but not verified #2468

Open lyleschemmerling opened 1 year ago

lyleschemmerling commented 1 year ago

Description

It is possible to get stuck with a dead verification code and no valid one when a user attempts to log in after a registration that sent a verification code, if the user tries to log in via a separate browser instance.

Affects versions

Steps to reproduce

Steps to reproduce the behavior:

  1. Have an application with:
    • "Verify registration" set to "enabled"
    • "Form field" - Verification strategy
    • "Gated" - Unverified behavior
  2. Register a new user. An email with a verification code should be sent. The user should be on the verification screen.
  3. Close the browser or clear all cookies
  4. Go to log in to the application. Supply username and password
  5. User should see the "Verification required" page asking for a code. No new email is sent.
  6. Supply the code from the most recent email. This should be the code sent in Step 2.
  7. The code should be invalid.

To resolve:

  1. Click "send me another email"
  2. User should receive a new email and code.
  3. Inputting that into the verification required form should succeed.

Expected behavior

The user should be able to log in after registration and supply a valid verification code using the most recent email in their inbox.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.


robotdan commented 1 year ago

If you can click "send me another email" and complete the verification, this seems to be working as designed.

The user should be able to log in after registration and supply a valid verification code using the most recent email in their inbox

I believe this is the case, as long as you don't clear your cookies. Please clarify if this is not the case.

lyleschemmerling commented 1 year ago

It's not. This is after a user attempts to log in again after the initial registration and did not input the verification code. At that point the user will have a single email in their inbox with a code that won't work when supplied on the verification screen; it seems that code is invalidated but no new one was sent. Once the user clicks "send me another email" they get a new, valid code.

robotdan commented 1 year ago

Close the browser or clear all cookies

This sounds like you are explicitly deleting state in the browser which would indeed affect this workflow, and the server side will not have any way to know of this state change.

Let's plan to discuss this to identify whether it is a bug or working as designed.

lyleschemmerling commented 1 year ago

The intent was to simulate a user walking away from their browser or switching devices before inputting their verification code the first time it was offered. In this scenario, if they get back to the verification code screen again, the code the user has in their inbox has been invalidated but no new code was sent.

The issue is that we invalidate the previous code but do not send a new one even though the user has arrived at a screen asking for a verification code, and they have to explicitly click the "send me another email" button to proceed.
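The following is an added model of the flow described in this thread, not FusionAuth's code: it replays steps 2 to 6 of the report against a toy verification service whose `reissue_on_login` switch selects between the reported behaviour (pending code invalidated, nothing sent) and the expected behaviour (a fresh code is sent whenever the user lands on "Verification required"). Class names, the switch and the sample address are assumptions.

```python
"""Toy model of gated registration verification (added illustration, not
FusionAuth's implementation; names and sample data are assumptions)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    # Every code ever emailed to the user, newest last.
    sent: list = field(default_factory=list)


@dataclass
class VerificationService:
    # False reproduces the reported behaviour: a login that lands on
    # "Verification required" invalidates the pending code but sends nothing.
    # True is the behaviour the report expects: invalidate and reissue together.
    reissue_on_login: bool
    pending: dict = field(default_factory=dict)  # email -> currently live code

    def _issue(self, email: str, inbox: Mailbox) -> None:
        code = secrets.token_hex(3)  # constructed 6-hex-char sample format
        self.pending[email] = code
        inbox.sent.append(code)

    def register(self, email: str, inbox: Mailbox) -> None:
        self._issue(email, inbox)  # step 2: registration sends a code

    def login_fresh_session(self, email: str, inbox: Mailbox) -> None:
        # The server cannot see that browser state was discarded; it only sees
        # a new login and drops the pending code either way.
        self.pending.pop(email, None)
        if self.reissue_on_login:
            self._issue(email, inbox)

    def has_live_code(self, email: str) -> bool:
        # Invariant a defender wants: a user shown the code prompt always has
        # exactly one live code. False here is the "stuck" state in the report.
        return email in self.pending

    def verify(self, email: str, code: str) -> bool:
        return self.pending.get(email) == code


def walk_through(reissue_on_login: bool) -> tuple:
    """Replays steps 2-6; returns (live code exists, newest emailed code works)."""
    svc, inbox, user = VerificationService(reissue_on_login), Mailbox(), "user@example.test"
    svc.register(user, inbox)              # step 2
    svc.login_fresh_session(user, inbox)   # steps 3-5: new browser, log in
    return svc.has_live_code(user), svc.verify(user, inbox.sent[-1])  # step 6
```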

chimericdream commented 1 year ago

For some added context, this is happening to a couple of our users. It seems to be reproducible if a user, upon registering, doesn't finish the email verification process (closed the tab too quickly, lazy, simply not paying attention, who knows). In another tab, they attempt to log into an app which requires email verification, which should trigger a new code to be sent. However, it only sends a new code if the user explicitly clicks the "send me another email" button.