Sending email verification request marks email as verified?


sbar.m...@gmail.com

Feb 3, 2020, 2:48:37 AM
to Back4App
It seems the endpoint which requests a verification email to be resent also marks the account as verified even if the user doesn't click the link.

Here's my TypeScript code. I replaced my API keys with '...'.

Obviously this is a pretty big security flaw because you can then verify accounts which do not belong to you simply by requesting a verification email to be sent.

I just created my back4app account yesterday if there's any concern over what version I'm on.

  import { HttpClient } from '@angular/common/http';
  import { Observable } from 'rxjs';

  // Angular service; the post showed only the method, the class wrapper and
  // imports are what it needs to compile.
  export class AuthService {
    constructor(private httpClient: HttpClient) {}

    /**
     * Re-send verification email
     * @param email The email address to verify
     */
    SendVerificationMail(email: string): Observable<any> {
      return this.httpClient.post(`https://parseapi.back4app.com/verificationEmailRequest`, {
        email
      }, {
        headers: {
          'X-Parse-Application-Id': '...',
          'X-Parse-REST-API-Key': '...',
          'Content-Type': 'application/json'
        }
      });
    }
  }

sbar.m...@gmail.com

Feb 3, 2020, 6:11:18 AM
to Back4App
Oh, I think I may have been confused: it seems opening the email is enough to verify an account; it isn't necessary to actually click the link (I'm assuming some kind of tracker pixel is used and the link is a failsafe?).

nat...@back4app.com

Feb 4, 2020, 8:23:12 AM
to Back4App
Hi,

thanks for reaching out! We will check this behavior with the team :)

At the moment, what I would like to recommend is that you use a trigger to validate this login. Please, take a look at the steps below:

1. Ensure that you are using a Parse Server version equal to or higher than 3.7.2.

Check this by going to: Server Settings > Manage Parse Server > Settings.

2. Create a file called main.js and paste the following code:

Parse.Cloud.beforeLogin(async request => {
  const { object: user } = request;
  // Deny the login unless the verification link has set emailVerified to true
  if (!user.get('emailVerified')) {
    throw new Error('Access denied, please valid your email account!');
  }
});

Then, upload the main.js file by going to Dashboard > Core > Cloud Code Functions > click the '+Add' button, select the file and click the 'Deploy' button.

3. Then, create a new user with the cURL below:

# POST /users is the Parse REST signup endpoint; the JSON body must be sent
# with the application/json content type, not URL-encoded.
curl -X POST \
-H "X-Parse-Application-Id: APPLICATION_ID" \
-H "X-Parse-REST-API-Key: REST_KEY" \
-H "Content-Type: application/json" \
-d '{"username":"cooldude6","password":"p_n7!-e8","phone":"415-392-0202"}' \
https://parseapi.back4app.com/users

4. Now, let's try the login:

# GET /login is the Parse REST login endpoint; -G puts the --data-urlencode
# fields into the query string.
curl -X GET \
-H "X-Parse-Application-Id: APPLICATION_ID" \
-H "X-Parse-REST-API-Key: REST_KEY" \
-H "X-Parse-Revocable-Session: 1" \
-G \
--data-urlencode 'username=cooldude6' \
--data-urlencode 'password=p_n7!-e8' \
https://parseapi.back4app.com/login

The result was:

{"code":141,"error":"Access denied, please valid your email account!"}

Done. For now, this is what you can do to "force" the email validation.

Should you need any further help, please don't hesitate to contact us!

Regards,

Davi Macêdo

Feb 10, 2020, 9:11:07 PM
to Back4App
It is also possible to require the e-mail verification before logging in by adding { "preventLoginWithUnverifiedEmail": true } in your Custom Parse Options under Server Settings.
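As an added example that is not code from this thread or from Back4App, here is the beforeLogin trigger from the reply above with its decision pulled out into a plain function and driven by an in-memory stand-in for the Cloud Code runtime, so the check can be tested offline against constructed users (one who followed the link, one who never did, and one created without an email, where emailVerified is undefined). It assumes Parse Server 3.7 or later, where beforeLogin exists and emailVerified is the boolean the server sets when the verification link is followed; the Parse stub, fakeUser and the sample accounts are harness-only and must not be shipped in main.js. Note that beforeLogin runs only on /login: a signup through /users returns a session token by default and never passes through this hook, so the server option from the last reply (with verifyUserEmails enabled) is the more complete control and the trigger is a complement to it, not a replacement.

```javascript
// Tiny stand-in for the Cloud Code runtime: it only records the handler that
// main.js registers. In a deployed main.js the real `Parse` global is provided
// by the server and this object must be removed.
const Parse = {
  Cloud: {
    _beforeLoginHandler: null,
    beforeLogin(handler) {
      this._beforeLoginHandler = handler;
    },
  },
};

// Decide whether a user may log in. Only a strict boolean `true` passes: an
// absent field (account created without an email), false, or a string such as
// "true" is denied. Returns null when login is allowed, else the error text.
function loginDenialReason(user) {
  if (user.get('emailVerified') !== true) {
    return 'Access denied, please validate your email account!';
  }
  return null;
}

// What main.js would contain: the trigger itself, throwing to reject /login.
Parse.Cloud.beforeLogin(async (request) => {
  const { object: user } = request;
  const reason = loginDenialReason(user);
  if (reason) {
    throw new Error(reason);
  }
});

// Stand-in for the Parse.User handed to the trigger (harness only).
function fakeUser(fields) {
  return { get: (key) => fields[key] };
}

// Drive the registered trigger the way the server would on /login and return
// the outcome instead of an HTTP response.
async function attemptLogin(fields) {
  try {
    await Parse.Cloud._beforeLoginHandler({ object: fakeUser(fields), ip: '127.0.0.1' });
    return { ok: true, error: null };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample accounts, not data from any real app.
const sampleUsers = {
  verified: { username: 'alice', email: 'alice@example.com', emailVerified: true },
  unverified: { username: 'bob', email: 'bob@example.com', emailVerified: false },
  noEmail: { username: 'cooldude6', phone: '415-392-0202' },
  stringFlag: { username: 'mallory', email: 'mallory@example.com', emailVerified: 'true' },
};

// Run every sample through the trigger; only `verified` should get ok: true.
async function runSamples() {
  const results = {};
  for (const [name, fields] of Object.entries(sampleUsers)) {
    results[name] = await attemptLogin(fields);
  }
  return results;
}
```

Calling runSamples() returns an object keyed by account name; every entry except `verified` carries ok: false with the denial text, which is the same outcome the reply's cURL login shows as Parse error code 141.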