SymfonyCasts / verify-email-bundle

Simple, stylish Email Verification for Symfony
https://symfonycasts.com
MIT License

Verify user manually not working #185

Closed Dumorya closed 7 months ago

Dumorya commented 7 months ago

Hi,

I added a feature to my Symfony app, so the admin can manually verify a user (if the user didn't receive the email for example). The problem is that if the user is verified manually and the user tries to log in, we get the "The presented password is invalid" error message (although the password is correct).

I want to clarify that the authentication system works well except in this particular case.

Can you let me know if you can reproduce the issue?

The bundle is up-to-date (1.17.0), and I'm using PHP 8.2, Symfony 7, and composer 2.4.2.

Thank you,

Clara

jrushlow commented 7 months ago

Hmm. I'm thinking of any possible problems that would cause that. A couple things:

This bundle doesn't directly need a user password to verify an email address. But the user does need to be authenticated unless you elected to allow anonymous authentication by answering yes to: https://github.com/symfony/maker-bundle/blob/main/src/Maker/MakeRegistrationForm.php#L153

jrushlow commented 7 months ago

I just re-read your question and noticed you said the user was verified manually. I'm not 100% sure what you mean by that. If you set the User::isVerified to true in persistence, without the user clicking on the email link - and the user is not able to login - then I believe the issue is outside the scope of VerifyEmailBundle. That sounds more like an authentication issue.

Dumorya commented 7 months ago

> Did you use make:registration to generate the registration & email verification?

Yes

> Assuming you did, if you query the user object in question - is isVerified set to true in persistence?

Yes

> Is the user able to login using their password?

Yes

> If you set the User::isVerified to true in persistence, without the user clicking on the email link - and the user is not able to login

That's the case

> That sounds more like an authentication issue.

Oh, okay... :')

Thank you for your quick answer.

jrushlow commented 7 months ago

No worries... Ya, this sounds like it's an authentication issue (password mismatch) that I can't help you with without having eyes on the code.

One thing I will point out, VerifyEmailBundle does not have any influence on what an "unverified" vs "verified" user can/can not do in your app. E.g. can an unverified user login, can they access the "dashboard", etc... those are implementation details that we purposely left out.

One last little nugget I can leave you with - if you create an account -> manually set isVerified -> try to login. If you cannot login, there's a potential bug lurking in your codebase. If you can login, the user in question probably needs to reset their password.

Hope this helps, let us know if we can help ya with anything else!
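
An added example, not code from this thread or from VerifyEmailBundle: one way an application can enforce the "verified vs unverified" rule itself, using Symfony's user checker hook. The class name, file path and message are hypothetical, and `App\Entity\User` with an `isVerified()` getter is assumed to be the entity generated by make:registration.

```php
<?php
// src/Security/VerifiedUserChecker.php (hypothetical path and class name)
namespace App\Security;

use App\Entity\User; // assumed: entity generated by make:registration
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

final class VerifiedUserChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user): void
    {
        // Intentionally empty: rejecting here, before the password check,
        // would reveal the verification state of an account to anyone who
        // knows its identifier.
    }

    public function checkPostAuth(UserInterface $user): void
    {
        // Only gate the application's own user class.
        if (!$user instanceof User) {
            return;
        }

        // This runs only after the credentials were accepted, so a wrong
        // password still fails with the normal bad-credentials error and
        // never reaches this branch.
        if (!$user->isVerified()) {
            throw new CustomUserMessageAccountStatusException(
                'Please verify your email address before logging in.'
            );
        }
    }
}

// Enable it per firewall in config/packages/security.yaml:
//   security.firewalls.main.user_checker: App\Security\VerifiedUserChecker
```

A gate written this way fails with its own account-status message, so a "The presented password is invalid" error comes from the credential check rather than from the isVerified flag.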