delay / sveltekit-auth-starter

This is a SvelteKit auth starter project. It uses Lucia for authentication, Skeleton for UI elements, Prisma for database connectivity and type safety, Lucide for icons, inlang for translation, and Zod and Superforms for form handling and validation.
https://sveltekit-auth-starter.vercel.app
MIT License

Users can bypass email verification #17

Closed IndependentCreator closed 9 months ago

IndependentCreator commented 1 year ago

The auth/verify/email page includes the user's token in the "click here to resend" link. Users can exploit this by extracting the token from the link and using it to become verified, without ever receiving the verification email. Armed with this knowledge, a bad actor could e.g. write a script to automatically register X number of fake users without going through the email verification process.

  1. Visit the signup page, e.g. https://sveltekit-auth.uv-ray.com/auth/sign-up
  2. Fill in the form, using a fake email address e.g. "bogus-user@example.com"
  3. When redirected to https://sveltekit-auth.uv-ray.com/auth/verify/email copy the url from the "click here to resend" link
  4. Edit the url to change "resend-email-(token)" to "email-(token)"
  5. Visit the url in your browser and notice that your user is now verified
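The fix pattern for the leak described in this report, as an added TypeScript example that is not the project's own code: the resend route is keyed by the session user and carries no token, tokens are stored hashed with an expiry, and each token is consumed on use. The in-memory Map stores, helper names and the one-hour TTL are assumptions standing in for the project's Prisma tables.

```typescript
import { randomBytes, createHash } from "node:crypto";
// Constructed in-memory stores standing in for the project's Prisma tables (assumption).
type User = { id: string; email: string; emailVerified: boolean };
type TokenRow = { userId: string; expiresAt: number };
const users = new Map<string, User>();
const tokens = new Map<string, TokenRow>(); // keyed by SHA-256 of the raw token
const TOKEN_TTL_MS = 60 * 60 * 1000; // assumed one-hour validity

const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");

// Mint a fresh single-use token. The raw value goes only into the email body;
// the database keeps its hash, so a DB read does not yield usable tokens either.
function issueVerificationToken(userId: string, now = Date.now()): string {
  tokens.forEach((row, hash) => { if (row.userId === userId) tokens.delete(hash); });
  const raw = randomBytes(32).toString("base64url");
  tokens.set(sha256(raw), { userId, expiresAt: now + TOKEN_TTL_MS });
  return raw;
}

// Pattern from the report: the page renders the secret into the resend link,
// so anyone who reached the verify page already holds the token.
function resendLinkLeaky(token: string): string {
  return `/auth/verify/resend-email-${token}`;
}

// Hardened pattern: the resend route carries nothing secret; the server
// identifies the user from the session (locals.user in SvelteKit) and mails a new token.
function resendLinkHardened(): string {
  return "/auth/verify/resend-email";
}

function handleResend(sessionUserId: string, sendMail: (to: string, token: string) => void): boolean {
  const user = users.get(sessionUserId);
  if (!user || user.emailVerified) return false; // no session, or nothing left to verify
  sendMail(user.email, issueVerificationToken(sessionUserId));
  return true;
}

// Verify by hash lookup; enforce expiry and delete the row so the token is single use.
function verifyEmail(rawToken: string, now = Date.now()): boolean {
  const hash = sha256(rawToken);
  const row = tokens.get(hash);
  if (!row || row.expiresAt <= now) return false;
  tokens.delete(hash);
  const user = users.get(row.userId);
  if (!user) return false;
  user.emailVerified = true;
  return true;
}
```

With this layout the verify page can still offer a resend link, but the only place the token ever appears is the email, so reaching the page grants nothing.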

delay commented 1 year ago

While that is true, a user could also create a ton of free accounts that they verify in other automated ways. For instance, with Apple or Google accounts you can generate email alias addresses that forward to an email address, and users could confirm many accounts that way: https://www.techlicious.com/blog/gmail-spam-trick-plus-sign/. If a user wants to create fake accounts, there are lots of ways to do it. I will look into updating so the token isn't exposed when I get some free time. If someone wants to submit a PR, I would be happy to take it, as I am currently busy with a project.

IndependentCreator commented 1 year ago

In case it's helpful, it looks like Lucia has a version 2 in beta now, along with email login examples for Astro and SvelteKit.

delay commented 1 year ago

I will probably wait until this is released before migrating. Thanks for the heads up!

delay commented 9 months ago

Fixed.