Retrieve email confirmation token without sending email

Yes.

(And if all one wanted to do is TEST the confirmation link itself, the link could simply be entered/pasted into an incognito window.)

However (not to belabor the point or re-state the obvious), I was just pointing out that in a production environment, if the user themselves gained access to the confirmation link by any means other than email, then their email address will not have been confirmed/verified.

And I mention this only because I’m still a bit perplexed by statements like the following (which seems to run contrary to what I understand to be the point of email confirmation)…

thanks Steve.

I’m not sure to understand, when you say “gain access to the confirmation link by any means other than email” is there a security risk here?
If I understand correctly, Bubble will generate the token & only send the confirmation link with my SendGrid email (custom) so I don’t understand how it can have a security risk here.

Thanks

As I said, what you described sounds like the correct use.

My other remarks were addressing comments made by the OP which seemed to state that an email did not need to be sent in order to verify someone’s email (which I perceive as a potential source of confusion).

Just as an aside, what’s happening “behind the scenes” when the confirmation link is visited is that the email confirmed field of the corresponding User object is set to “yes”. (BTW, Bubble, I think that field should be renamed email confirmed? in order to make its boolean type more obvious and clarify its purpose.)

In short, @gabriel18, you’re good (based on the description of your intended use).

thanks for the clarification :slight_smile:

The only field I see on the USER object related to this topic is “Onboarding done”.
Not sure if it’s a standard field or if it was created by our web agency.

Definitely not a built-in field, so it was likely added by your agency. But there should be an email confirmed field as described in the docs.

EDIT

That field won’t show up in the data tab, but it is available in dynamic expressions. I guess “property” might be a better term than “field”.

that was my guess that it was a custom field.

Where can I see this “property” email confirmed for all the users please?

In any expression as a property of the Current User

ah ok got it, didn’t know what was called properties, sorry, I’m very new to Bubble.

So I can’t visualize the email confirmed value of a user without using the property?

You can expose any information about any user (or users) by creating the appropriate UI, but that’s a different thread. First, you should check out the Bubble Academy and user manual, and then seek help on the forum if you need clarification.

thanks, I got the idea, like leveraging my test page to expose some of the properties.

Thanks a lot for your help Steve

Hi again Steve,
how are you doing?
I made some progress but I’m having a challenge.

  • I have the automatic email sent to verify the email address when submitting the sign-up form, this works perfectly.

  • On my test page, I display the “email confirmed” property so I can see the value is NO when I create the user & it only changes to YES when the user clicks the verification link in the email, this works perfectly.

  • Now my challenge is to only allow verified users to login in the login page, so I tried to add conditions on the login button to check the “email verified property”. I added a text “Please verify your email first” to be displayed when you click login & your email is not verified so you can’t login but I don’t think I did it correctly to only allow “verified users” & to block & display the message for “unverified users”

I attach the screenshots of my configuration, especially for the workflows. Could you guide me on this please?

Thanks a lot

step_1


step_3

The system won’t know whether or not the user’s email is verified until they log in (because it doesn’t know who the specific user is until they log in).

So instead, just immediately log out any user with an unconfirmed email and display an appropriate message.

EDIT

Alternatively, you could of course simply prevent anyone with an unconfirmed email address from accessing “protected” pages / resources - just depends on the nature of your app and the desired user flow.

thanks, you’re the best.

I modified my workflow on the login page & now it works.
You can only logged-in when you have clicked on the verification link in the email.

FYI, for everyone, here is the workflow I did:

Amazing! So excited to get that last email in our app off of SendGrid!

@grace.hong Was this intended to work alongside inviting other Users to an app? I’m wanting to check two boxes off at once and not only send the Users temp credentials in a welcome email, but also include the link for them to click that will also confirm their email.

I’ve tested this a few ways and so far it only attempts to confirm the email address of the person that initiated the action that creates the email confirmation token.

great feature :v:

Yes - you should be able to confirm the email on behalf of an invited user.

Try using an API workflow which generates the token using “Send confirmation email”, updates the token field on the current user using “Make changes to current user”, and sends the welcome email with the confirmation email URL using “Send email”. If you’d like to customize the email, you can send those customizations in as a few parameters to the API workflow :slight_smile:

On the page inviting users to your app, you can basically “Create an account for someone else” (someone else being the user that’s invited), “Assign a temp password to a user”, “Log the user in”, and schedule the API workflow that you’ve created.

@grace.hong Were existing “default” confirmation email Actions removed?

In a global search for Action Type… Send a Confirmation Email, I see nothing in my application. However, I’m still actively having new confirmation emails sent out through SendGrid.

No, we have not removed those actions. I’d submit a bug report (Support | Bubble) to investigate this further!

I almost overlooked your second to last step “Log the user in”. I’ve added this step, and the email does get confirmed - which is great!

The only thing I don’t like about this is that I have to log out the User who is sending the invitations so that I’m able to generate the token for the newly invited User.

I’m imagining the scenario where someone is wanting to invite several people to their app, and they have to log back into the app every time because their session expires from switching over to the newly created person.

This could be remedied if that person’s password is saved somewhere in the database, so you could quickly log them back in after the workflow is done, but that’s not the best idea.

Am I missing something, or is this the only way to benefit from this new feature when inviting others to an app?