Make requirement for verified email optional #1505

Open
matrixbot opened this issue Sep 9, 2024 · 4 comments
Labels
  • A-Configuration: Related on what is configurable and how it can be configured
  • A-Policy: Related the policy engine
  • T-Enhancement: New feature of request

Comments

@matrixbot
Collaborator

This issue was originally created by @hughns at matrix-org/matrix-authentication-service#1505.

Currently all users are required to have a verified email address. This should be configurable in future.

@matrixbot matrixbot added A-Configuration Related on what is configurable and how it can be configured A-Policy Related the policy engine T-Enhancement New feature of request labels Sep 9, 2024
@matrixbot
Collaborator Author

This comment was originally posted by @sandhose at matrix-org/matrix-authentication-service#1505 (comment).

It turns out, it only really was an issue because I forgot to mark the imported email as the primary email when doing an upstream oauth registration. This is fixed as part of #1660, which also introduces a new claim import parameter for the email, set_email_verification:

  • never: do not set the imported email as verified
  • always: always set the imported email as verified
  • import: mark the email as verified if the OAuth upstream set the email_verified claim to true (<- this is the default behaviour)

@matrixbot
Collaborator Author

This comment was originally posted by @dklimpel at matrix-org/matrix-authentication-service#1505 (comment).

How can I register a local user without verifying the email?

  • register via REST
  • verify via CLI

I am not able to automate this. Either CLI or REST, but both is not possible.

set_email_verification seems only to work for an upstream provider.

@matrixbot
Collaborator Author

This comment was originally posted by @sandhose at matrix-org/matrix-authentication-service#1505 (comment).

There are a few ways to work around this:

  • when registering the user through the CLI (mas-cli manage register-user), adding an email with the -e/--email flag should make it verified
  • if the email was added but not verified, it can be verified through the CLI: mas-cli manage verify-email <USERNAME> <EMAIL>
  • the new Admin API doesn't yet support managing user emails, so that should be added and tracked in a new issue (or at least in New REST-like admin API #3057)
  • the old GraphQL API has mutations to add emails and verify them, if you want to dig there

@sandhose
Member

I think we need to rework how email verification works to also accommodate #2881.

We should have a separate table which holds ongoing email verifications and use that, same design as the recovery email tickets.

This way, we can make the user_emails table unique on the email address. This will be really annoying in terms of migrations though if there are any duplicates.

It also makes adding email verification for account deactivation or email-based 2FA better with this design?
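
A preflight check for the migration discussed in the comment above, as an added example that is not part of the original thread or the project's code: it lists the addresses that would block a unique constraint on user_emails, before and after unverified rows are moved to a separate table of ongoing verifications. The column names, the verified flag, the pending_email_verifications table, the index name and the sample rows are assumptions constructed for illustration, and SQLite is used only so the example runs offline.

```python
import sqlite3

# Constructed sample rows: (user_id, email, verified). The columns are
# assumptions for illustration, not the project's real schema.
SAMPLE_ROWS = [
    (1, "alice@example.org", 1),
    (2, "alice@example.org", 0),  # same address, unverified on another account
    (3, "bob@example.org", 1),
    (4, "bob@example.org", 1),    # same address verified on two accounts
    (5, "carol@example.org", 0),
]

def build_db(rows=SAMPLE_ROWS):
    """Create an in-memory user_emails table holding the given rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_emails (user_id INTEGER, email TEXT, verified INTEGER)")
    db.executemany("INSERT INTO user_emails VALUES (?, ?, ?)", rows)
    return db

def duplicate_emails(db):
    """Addresses present on more than one row; each one blocks a unique index."""
    cur = db.execute(
        "SELECT email, COUNT(*) FROM user_emails "
        "GROUP BY email HAVING COUNT(*) > 1 ORDER BY email")
    return cur.fetchall()

def split_pending(db):
    """Move unverified rows into a separate table of ongoing verifications."""
    db.execute("CREATE TABLE pending_email_verifications (user_id INTEGER, email TEXT)")
    db.execute("INSERT INTO pending_email_verifications "
               "SELECT user_id, email FROM user_emails WHERE verified = 0")
    db.execute("DELETE FROM user_emails WHERE verified = 0")

def try_unique_index(db):
    """Return True if the unique index can be created, False if duplicates remain."""
    try:
        db.execute("CREATE UNIQUE INDEX user_emails_email_key ON user_emails (email)")
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    db = build_db()
    print("duplicates before split:", duplicate_emails(db))
    split_pending(db)
    print("duplicates after split: ", duplicate_emails(db))
    print("unique index created:   ", try_unique_index(db))
```

In the sample data the split resolves the alice@example.org collision, while bob@example.org, verified on two accounts, still has to be resolved by hand before the constraint can be added.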
