edgedb-js

Missing PKCE is success in email verification flow

Open scotttrinh opened this issue 1 year ago • 2 comments

Since end users might verify their email on a different device than the user agent they initiated the sign up (or sign in) flow with, treat this as a success condition. The application will need to detect this case and show a message that confirms that the email is verified, but that the user will need to sign in to complete.

Note: this is a breaking change, so we need to bump the minor (given this is a 0.x release).

scotttrinh, Dec 10 '24 12:12

@jaclarke Sorry about missing this: the built-in UI needed this update, too, so: d6c1053 (#1145)

scotttrinh, Dec 11 '24 02:12

Going to put this back in draft, it's not nearly ready:

  • The core verify methods do not verify emails without a PKCE verifier. They should be updated.
  • We don't really have a way to signal that a sign-up -> verify --missing PKCE--> sign in is really a sign up with more steps. I plan on adding the identity_id to the sign up response from the server so you can at least create your user before email verification. This will impact this interface.

scotttrinh, Dec 16 '24 16:12
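
The behaviour the description asks for, sketched as an added example that is not code from edgedb-js or from this PR: a verification link opened without the PKCE verifier still marks the email verified, but that user agent receives no auth token and is told to sign in. `makeAuthServer`, `handleVerifyCallback`, the token formats and the status strings are all hypothetical stand-ins, and the server is a constructed in-memory model.

```javascript
// Added illustration; every name below is hypothetical, not an edgedb-js API.
// Constructed in-memory stand-in for the auth server.
function makeAuthServer() {
  const verifiedEmails = new Set();
  // Constructed sample: one outstanding verification token.
  const pending = new Map([["vt-alice", "alice@example.com"]]);
  return {
    verifiedEmails,
    // Marks the email as verified and returns a PKCE code.
    verifyEmail(verificationToken) {
      const email = pending.get(verificationToken);
      if (!email) throw new Error("unknown verification token");
      verifiedEmails.add(email);
      return { code: `code:${email}` };
    },
    // The code is only redeemable together with the verifier held by the
    // user agent that started the flow (challenge comparison is omitted
    // in this stand-in; only presence is checked).
    exchangeCode(code, verifier) {
      if (!verifier) throw new Error("PKCE verifier required");
      return { authToken: `session-for-${code}` };
    },
  };
}

// Callback for the link in the verification email.
function handleVerifyCallback(server, { verificationToken, pkceVerifier }) {
  let code;
  try {
    ({ code } = server.verifyEmail(verificationToken));
  } catch (err) {
    return { status: "error", authToken: null, message: err.message };
  }
  if (!pkceVerifier) {
    // Link opened on another device: the email is verified, but this
    // user agent never started the flow, so it gets no session.
    return {
      status: "verified",
      authToken: null,
      message: "Email verified. Sign in to complete.",
    };
  }
  const { authToken } = server.exchangeCode(code, pkceVerifier);
  return { status: "signed-in", authToken, message: "Email verified." };
}
```
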