delay / sveltekit-auth-starter

This is a Sveltekit auth starter project. It utilizes Lucia for authentication, Skeleton for ui elements, Prisma for database connectivity and type safety, Lucide for icons, inlang for translation, Zod and Superforms to handle forms and validation and Sveltekit.
https://sveltekit-auth-starter.vercel.app
MIT License

Bug? Signed in without email verification #15

Closed IndependentCreator closed 1 year ago

IndependentCreator commented 1 year ago

Testing locally, I accidentally discovered a way to login without ever clicking on (or even receiving) the confirmation email:

  1. Configure your .env with incorrect SMTP login credentials
  2. Start the dev server via npm run dev
  3. Fill in the sign up fields in the browser and click "Sign Up"
  4. Notice the server crashes. Console logs incorrectly report the email was sent successfully before subsequently failing with an SMTP authentication error, e.g.
    E-mail sent successfully!
    log:  {"level":"info","method":"GET","path":"/auth/verify/resend-email-a0455918-de53-4979-9aa4-3d72a06e491b","status":200,"timeInMs":1552,"user":"mrbogus@example.com","userId":"AhXN3CVU2QsGzOP","referer":"/auth/verify/email"}
    log:  {"level":"info","method":"GET","path":"/","status":200,"timeInMs":4056,"user":"mrbogus@example.com","userId":"AhXN3CVU2QsGzOP","referer":"/auth/verify/email"}
    E-mail sent successfully!
    log:  {"level":"info","method":"GET","path":"/auth/verify/resend-email-a0455918-de53-4979-9aa4-3d72a06e491b","status":200,"timeInMs":654,"user":"mrbogus@example.com","userId":"AhXN3CVU2QsGzOP","referer":"/auth/verify/resend-email-a0455918-de53-4979-9aa4-3d72a06e491b"}
    /src/lib/server/email-send.ts:78
            throw new Error(`Error sending email: ${JSON.stringify(err)}`);
            ^
    Error: Error sending email: {"code":"EAUTH","response":"535 Incorrect authentication data","responseCode":535,"command":"AUTH PLAIN"}
    at eval (/src/lib/server/email-send.ts:78:19)
  5. Restart the server with npm run dev
  6. Return to the browser and click on the "If you did not receive the email, [click here] to resend it" link
  7. Notice the server crashes again with an SMTP Auth error
  8. Restart the server with npm run dev
  9. Return to the browser and visit http://localhost:5173/dashboard
  10. Notice under Protected Area, it says "If you are seeing this page, you are logged in."
  11. Visit http://localhost:5173/profile and notice that you can see your profile and make changes to it.

delay commented 1 year ago

If you misconfigure your setup, unknown problems can occur. I would suggest making sure everything works; I don’t put extra checks in to make sure you configured your system correctly. My recommendation is to set up AWS for production.

IndependentCreator commented 1 year ago

Thanks for the reply. Do you have any concerns that someone could use this behavior to create an exploit that would allow them to register without using a valid email address?

delay commented 1 year ago

If you configure your smtp settings with the correct info, can you replicate this trouble? It would concern me if correctly configuring allowed users to sign in.

delay commented 1 year ago

Oops, you are right! Thanks for sending this bug report… The problem is that resend verification email incorrectly sets verified to true. Thanks very much for reporting this! I thought it was just a configuration issue, but actually it is a bad bug!
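
The root cause named in this comment, and the crash described in the original report, modelled in an added example (this is not the starter's own code; `User`, `Mailer`, `FakeMailer` and the handler names are assumptions, and the real project uses Lucia, Prisma and an SMTP mailer instead of this in-memory model). It places a resend handler that flips `emailVerified` to true next to a corrected one that only issues a fresh token, reports a failed send instead of throwing, and logs success only after the send actually succeeds; the only path that sets `emailVerified` is presenting the emailed token, and the protected-route guard checks that flag rather than the mere existence of a session.

```typescript
// Added example, not code from the sveltekit-auth-starter project.
import { randomBytes, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

interface User {
  id: string;
  email: string;
  emailVerified: boolean;
  verificationToken: string | null; // token the user must present to verify
}

interface Mailer {
  send(to: string, body: string): void; // throws on SMTP failure (e.g. EAUTH)
}

// Constructed in-memory mailer; `failing` simulates wrong SMTP credentials.
export class FakeMailer implements Mailer {
  sent: { to: string; body: string }[] = [];
  constructor(private failing = false) {}
  send(to: string, body: string): void {
    if (this.failing) {
      throw Object.assign(new Error("535 Incorrect authentication data"), {
        code: "EAUTH",
        responseCode: 535,
      });
    }
    this.sent.push({ to, body });
  }
}

function newToken(): string {
  return randomBytes(16).toString("hex");
}

export function makeUser(email: string): User {
  return {
    id: "usr_" + randomBytes(6).toString("hex"),
    email,
    emailVerified: false,
    verificationToken: null,
  };
}

// BUGGY resend handler, modelled on the bug described in the issue: resending the
// verification mail marks the account verified before any link is ever clicked,
// success is logged before the send happens, and a send failure is not caught.
export function resendVerificationBuggy(user: User, mailer: Mailer): { ok: boolean } {
  user.verificationToken = newToken();
  user.emailVerified = true; // BUG: verified without proof of mailbox access
  console.log("E-mail sent successfully!"); // logged before the send
  mailer.send(user.email, `verify: ${user.verificationToken}`); // unhandled throw
  return { ok: true };
}

// FIXED resend handler: verification state is untouched, a fresh token is issued,
// the send error is reported to the caller, and success is logged only afterwards.
export function resendVerificationFixed(
  user: User,
  mailer: Mailer,
): { ok: boolean; error?: string } {
  user.verificationToken = newToken();
  try {
    mailer.send(user.email, `verify: ${user.verificationToken}`);
  } catch (err) {
    const code = (err as { code?: string }).code ?? "UNKNOWN";
    return { ok: false, error: `mail delivery failed (${code})` };
  }
  console.log("E-mail sent successfully!");
  return { ok: true };
}

// The only path that may set emailVerified: presenting the emailed token.
export function verifyEmail(user: User, presented: string): boolean {
  if (!user.verificationToken) return false;
  const expected = Buffer.from(user.verificationToken);
  const given = Buffer.from(presented);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return false;
  user.emailVerified = true;
  user.verificationToken = null; // single use
  return true;
}

// Guard for /dashboard and /profile: a session alone is not enough.
export function canAccessProtected(user: User | null): boolean {
  return user !== null && user.emailVerified;
}
```

Run against the failing mailer, the buggy handler both crashes and leaves the user verified, which is exactly the state the reporter observed after restarting the server; the fixed handler returns an error and the user stays locked out of protected routes until the token from a successful send is presented.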

delay commented 1 year ago

It should be fixed now. Thanks once again for reporting this trouble! And sorry for not checking this out better after your first report. Thanks so much for the follow up question, because it enabled me to think more about the problem and determine it shouldn't be happening whether the server was misconfigured or not.

IndependentCreator commented 1 year ago

No worries, I could have been more explicit in the initial report. Thanks for the quick fix and for putting together this example 🙂