account-email-verifier

Email verification step during setup of a MyYukon account.

Built using the Lumen PHP Framework and the Auth0 PHP SDK. Documentation for the framework can be found on the Lumen website.

High level overview

A user creates an account, or logs in at Auth0.
An Action or Rule in Auth0 redirects the user who does not have a verified email address to this application.
This application get a verification ticket from Auth0 and send a verification message.
This application explains the verification requirement and allows the user to optionally send another verification message.
Once email address is verified, the user can resume their log in process.

This application expects to receive user information from a JWT passed as the session_token argument in the request URL.

Inside the session_token, the following values are expected:

email - used to display to the user so they know where the message was sent.
user_id - used with the Auth0 management API to resend the message.
application_id - so the verification message can send the user through to the right place after verification.

Either a Rule or an Action is required to redirect users who have not verified their email address to this application.

An sample Post-Login Action is included, see postlogin-action-enforce-email-verification.js.

The session_token value is signed with a shared secret. Both Auth0 and this application need to know the secret.

The application needs the create:user_tickets create:user_tickets scopes and access to the management API.

e.g.

{
  "client_id": "FtB...MfBymF",
  "audience": "https://dev-0123abc.eu.auth0.com/api/v2/",
  "scope": [
    "create:user_tickets"
  ]
}

The client_id here is the Account email verifier application client ID, not the API client ID.