Resetting Password: Automatically logs user in even if the account isn't confirmed. #38
When a user resets their password, it automatically logs them into their account (i.e. it doesn't check if their account is confirmed). If they log out and then try to sign in later, they get the message "Account not confirmed yet. Please follow the instructions we sent you by email."

Comments

That's a bug. Maybe we should just confirm the user's account when they reset their password, as we know they entered a correct email.

@manukall That sounds awesome!

I'm just evaluating this as a possible solution for an upcoming Phoenix project (so apologies for the armchair quarterbacking), but the proposed solution feels odd. If I haven't confirmed my email, it seems strange that I could log in at all. Just because I've entered an email doesn't mean it's mine. That's why the confirmation is required in the first place. In practice, doesn't this mean that anyone who's able to guess an unconfirmed account's email is able to log in as that user?

@clekstro In order to reset your password, you need to get the confirmation email. Hence, they (1) submit the password reset form, (2) click the link that gets emailed to them, and (3) get brought to a page where they change their password. BTW, in regards to logging in when your email isn't confirmed, a few websites where you're automatically logged in before confirming your email are GitHub, Facebook, LinkedIn, Twitter, etc.

@ACPK Appreciate the additional context. I didn't realize from the description above that that was the flow.
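The flow discussed in this thread, as an added illustration that is not code from the project or from any commenter: an in-memory model of the three-step reset (request form, emailed link, new-password page) with a `confirm_on_reset` switch. With the switch off it reproduces the reported bug (the reset hands out a session but a later sign-in is refused because the account was never marked confirmed); with it on it applies the proposed fix, marking the account confirmed because acting on the emailed link is the same proof of address control that the confirmation email provides. The store, account fields, token lifetime and hashing parameters are constructed assumptions, not the library's.

```python
"""Model of a password-reset flow that marks the account confirmed on reset.

Constructed example: a dict stands in for the accounts table, and the reset
token is returned to the caller where a real application would email it.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

RESET_TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed policy)
NOT_CONFIRMED_MSG = ("Account not confirmed yet. Please follow the "
                     "instructions we sent you by email.")


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    confirmed: bool = False
    reset_token_hash: Optional[bytes] = None  # sha256 of the token, never the token itself
    reset_expires_at: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(store: dict, email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    acct = Account(email=email, salt=salt, password_hash=hash_password(password, salt))
    store[email] = acct
    return acct


def sign_in(store: dict, email: str, password: str):
    """Return ('ok', email) or ('error', message); unconfirmed accounts are refused."""
    acct = store.get(email)
    if acct is None or not hmac.compare_digest(
            acct.password_hash, hash_password(password, acct.salt)):
        return ("error", "Invalid email or password.")
    if not acct.confirmed:
        return ("error", NOT_CONFIRMED_MSG)
    return ("ok", email)


def request_password_reset(store: dict, email: str, now: float) -> Optional[str]:
    """Step (1): issue a single-use token. A real app emails it and shows the
    same response whether or not the address exists."""
    acct = store.get(email)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_expires_at = now + RESET_TOKEN_TTL
    return token


def complete_password_reset(store: dict, token: str, new_password: str,
                            now: float, confirm_on_reset: bool = True):
    """Steps (2)-(3): the user arrived via the emailed link and chose a new password.
    confirm_on_reset=False reproduces the bug in the issue; True is the proposed fix."""
    digest = hashlib.sha256(token.encode()).digest()
    acct = next((a for a in store.values()
                 if a.reset_token_hash is not None
                 and hmac.compare_digest(a.reset_token_hash, digest)), None)
    if acct is None or now > acct.reset_expires_at:
        return ("error", "Reset link is invalid or has expired.")
    acct.reset_token_hash = None            # single use
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = hash_password(new_password, acct.salt)
    if confirm_on_reset:
        acct.confirmed = True               # the emailed link proved control of the address
    return ("ok", acct.email)               # the caller starts a session here


def reset_then_sign_in(confirm_on_reset: bool):
    """Run the scenario from the issue end to end and return the later sign-in result."""
    store = {}
    register(store, "alice@example.com", "old-password")      # never confirmed
    token = request_password_reset(store, "alice@example.com", now=1000.0)
    complete_password_reset(store, token, "new-password", now=1500.0,
                            confirm_on_reset=confirm_on_reset)
    return sign_in(store, "alice@example.com", "new-password")


if __name__ == "__main__":
    print("bug:", reset_then_sign_in(False))   # refused: account still unconfirmed
    print("fix:", reset_then_sign_in(True))    # signed in: reset confirmed the address
```

The token is stored only as a hash and cleared on first use, so a leaked database column or a replayed link does not reset the password again; the expiry check answers the concern raised in the thread that a reset should not be an open door for anyone who merely knows the email address.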