ory / kratos

Apache License 2.0

Resend Verification Email #2892

Open LukaJaj opened 2 years ago

LukaJaj commented 2 years ago

Describe your problem

I'm trying to figure out how it would be possible to resend the verification email to users who haven't verified their accounts, but I was not able to find this functionality in the current version of Kratos.

Describe your ideal solution

It would be nice to include this functionality in the verification flow, to resend a reminder email after some time.

Workarounds or alternatives

Build a reminder link, but in the DB the tokens are HMAC decrypted.

Version

v0.10.1

Additional Context

No response

aeneasr commented 2 years ago

That's a cool idea! It should also work for the new code flows.

Sytten commented 2 years ago

Agreed, since there is not even a way to easily force Kratos to mark the user as verified.

dantman commented 1 year ago

I would like to see this as an API call so I can add a "This email has not been verified. Resend code." message on the user's profile page.

This is currently not really possible as the verification flow doesn't even let you pre-fill the email for the form.

Edit: Though the ability to pass an email to /self-service/verification/browser is also something I'd like to see and sounds relatively easy.

winston0410 commented 1 year ago

I think this is an issue that needs to be looked into, as the current API does not provide any workaround for resending an email, for both the recovery and the verification flow. I tried to force a resend by removing the flow id, initialising a new one and doing the first call programmatically (bringing the state of the flow from choose_method to sent_email), but I would have to build extra features for handling the cooldown for that resend email button. It would be great if all of this could be provided out of the box by Ory Kratos.

I imagine we can do this in the config:

    verification:
        resend:
            cooldown: '5m'

and resend the email with a POST /self-service/verification/resend

@aeneasr what do you think about this suggestion?

Sytten commented 1 year ago

@winston0410 Are you still interested in implementing it? I asked for some feedback on slack so we can make sure this design is validated.

aeneasr commented 1 year ago

I'd like to start with the end in mind. So what are the use cases where this can be used? I can come up with:

  1. User triggers another verification email: For example when an app shows a banner "Please verify your email" with a link the user clicks.
  2. Verification email is re-sent automatically X days after registration, because the user is not yet verified

In my view, use case 1 is already possible using the verification flow. And use case 2 can be solved with the example in 1.

Furthermore, 2 is automated, so not user-initiated. It is very unlikely that the user is in front of the email program at that exact time (before the code times out).

What other use cases do we have for this that I missed?

Sytten commented 1 year ago

I think case 1 is what is important here? The original use case of the issue as I understand it was:

  1. User signs up with email/password
  2. Kratos sends the verification email
  3. A day passes
  4. User clicks on the link and it's now expired

Similar issue probably occurs with a code, though I have not tried it myself. I see two possible problems:

  1. verification link / code has expired (defined by methods->link->config->lifespan)
  2. verification flow has expired (defined by flows->verification->lifespan)

Problem 1 can be solved by resolving problem 2 (aka you can't create a new link/code, but you can create a new flow). Though it is a weird behaviour, and I remember starting a discussion about that a couple of months ago.

Problem 2 is where I would focus the attention. If I understand correctly, it is possible to start a new verification flow for that newly registered user? If so what would be the process? I was imagining something like:

  1. User logs in
  2. Frontend shows: enter the verification code
  3. User enters the expired code and receives an error
  4. Frontend displays a button to get a new code
  5. This triggers some backend call that creates a new verification flow and sends the email
  6. User enters the new code

Now we would probably want to have a de-bounce period between emails to avoid spam and we probably want to invalidate old codes/links when a new one is sent. I don't know about the internals of kratos enough to see if that is hard to do if we rely on creating a new verification flow each time.

My understanding is that the whole process of creating a new verification flow is not currently possible? But I might be wrong here; if that is the case it probably warrants a guide.

Benehiko commented 1 year ago

Hi @Sytten

It is possible to create a new verification flow, and it can be created multiple times over in cases where the user navigates away or just exits the app. Kratos can also inform your UI that the user has not been verified after login.

In the verification flow the user would need to provide their email address. In a custom UI you can also just pre-fill the email. Once the user has created the verification flow, we provide a resend button which the user can submit to retrieve a new code.

The previous code would be expired by the resend request. All of these flows are client-side initiated and require no admin interaction. It is also not needed to have an automated resend process here, since the user could always be prompted by the UI to complete the verification process.

https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation

Yiling-J commented 10 months ago

I want to show a resend button on my app's signup page and activate it after 1 minute. After taking a look at the API, I think the name Complete Verification Flow is a bit misleading: you can use this API to resend the email, just exclude the code field. As the description of the email field says:

The email address to verify

If the email belongs to a valid account, a verification email will be sent.

If you want to notify the email address if the account does not exist, see the [notify_unknown_recipients flag](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#attempted-verification-notifications)

If a code was already sent, including this field in the payload will invalidate the sent code and re-send a new code.