I’m creating a sign-up and sign-in process for personal accounts and encountered a tricky bug (or an issue in my implementation).
When a user successfully completes the registration process and receives cookies on their computer, they can navigate through the workflow, even accessing areas that should be restricted.
I have one issue that manifests differently depending on whether the user has completed the registration (sign up) process or not:
Before Registration:
If a user enters a random email and password before completing the registration process, they don’t see any error message like “Your credentials are incorrect.”
Expected behavior: The user should receive a message stating that their login/password is incorrect.
After Registration:
If the user has completed the registration process and presumably received cookies, they are considered “logged in.” This allows them to enter an incorrect email and password and still gain access, even though I have set up a check for the user’s presence in the database by email and verified email confirmation.
Expected behavior: The user should receive an error message for incorrect login credentials and should not be allowed to proceed.
How can I fix both of these issues and ensure proper access control for users with valid login credentials, along with an error message when credentials are incorrect?
In my case it shouldn’t have happened since I use an e-mail verification method after sign-up (registration). Only after the user has confirmed his e-mail should he have a chance for a successful sign-in.
Maybe I’m doing something wrong to get what I want from the system?
I can confirm that a user gets nothing after he hits the “Enter” button - no message at all. So the user doesn’t have any guidance on what to do next and why it’s not working.
That’s the problem, because he’s in the middle of nowhere.
The Send confirmation email action serves solely for setting the internal User's confirmed email field to true after the user clicks on the emailed link. It does not prevent the User from being logged in. Account | Bubble Docs.
Please verify that
you don’t have an “An unhandled error occurs” event capturing the error message
the credentials are in fact erroneous
the user is effectively logged in (just set a text on screen that shows under User is logged in condition)
the button the user is clicking is indeed executing a Log the user in action, making use of the exact input fields values provided (erroneous email and password)
Interesting. Then how can I prevent a user from being logged in without email confirmation first?
I have checked that
I don’t get any error
credentials are incorrect
user isn’t logged in when trying to do that
the button is the same and executing the “sign in action”
It happens before the sign-up process has been performed. After sign-up is performed, the user can log in even with erroneous credentials ;/ It doesn’t make any sense to me.
If you understand it from the Bubble perspective, there is no way. The User is logged in as soon as the Sign the user up action is run with the credentials he has input, or as soon as the Log the user in action is run with correct credentials.
If you understand it as being allowed to see certain parts of your app, you can prevent it. Just use the User's confirmed email field to set conditions on everything you don’t want the unconfirmed-email-user to see.
Yes, @ademiguel, I see. I will add some middle steps for the user in order to prevent him from accessing the resources before e-mail confirmation. Appreciated.
But still I get no message about “invalid credentials” when trying to sign / log in with erroneous credentials. Just nothing happens when I hit the button “Enter”. And this is weird.
I will take a look and play with the settings. Thank you for your responses. Much appreciated.
Because it’s not an error, it’s just what you have told the code to do. Bubble is just skipping the Log the user in action because there’s a conditional instructing it to do so.
The simplest solution is to divert the execution in two flows
one for registered users, that will check if they have confirmed their email and log them in, and otherwise will terminate the flow and show a custom error message
another for unregistered users for the Log the user in action to fail with the default error
Other more optimized options might be suitable, but I haven’t invested time to think about them
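The two-flow split described in this answer, as an added example that is not part of the original thread and not Bubble's own workflow actions: plain Python standing in for the workflow, with a hypothetical in-memory `UserStore`, constructed sample users, and a `log_in_original_workflow` function that reproduces the silent skip a conditional on the Log the user in action produces. One deliberate difference from the answer's ordering: the example verifies the password before it reveals whether the email is confirmed, so an unauthenticated visitor cannot learn a registered address's confirmation status just by typing the email.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

GENERIC_ERROR = "Invalid email or password."           # Bubble's default error
UNCONFIRMED_ERROR = "Please confirm your email address before signing in."


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    email_confirmed: bool = False  # stands in for "User's confirmed email"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class UserStore:
    """Hypothetical in-memory stand-in for the app's User table."""

    def __init__(self) -> None:
        self._users = {}
        # Dummy credentials so an unknown email costs the same hashing work as a
        # real one; otherwise response time reveals which emails are registered.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password("dummy", self._dummy_salt)

    def sign_up(self, email: str, password: str) -> User:
        salt = os.urandom(16)
        user = User(email.lower(), salt, _hash_password(password, salt))
        self._users[user.email] = user
        return user

    def confirm_email(self, email: str) -> None:
        # All the emailed confirmation link does: flip the flag, nothing more.
        self._users[email.lower()].email_confirmed = True

    def find(self, email: str) -> Optional[User]:
        return self._users.get(email.lower())

    def password_matches(self, user: Optional[User], password: str) -> bool:
        # Constant-time compare; unknown users are checked against the dummy.
        salt, expected = (user.salt, user.pw_hash) if user else (self._dummy_salt, self._dummy_hash)
        ok = hmac.compare_digest(_hash_password(password, salt), expected)
        return ok and user is not None


def log_in_two_flows(store: UserStore, email: str, password: str) -> Tuple[bool, str]:
    """Returns (logged_in, message_to_show)."""
    user = store.find(email)
    if not store.password_matches(user, password):
        # Flow 2 (unregistered email) and a wrong password for a registered
        # one both end the same way: not logged in, default error shown.
        return (False, GENERIC_ERROR)
    if not user.email_confirmed:
        # Flow 1, unconfirmed: terminate with the custom message, no login.
        return (False, UNCONFIRMED_ERROR)
    return (True, "")


def log_in_original_workflow(store: UserStore, current_user: Optional[User],
                             email: str, password: str) -> Tuple[bool, str]:
    """The behaviour described in the thread: 'Log the user in' carrying the
    condition "Only when Current User's confirmed email is yes".  A visitor
    (current_user is None) or a freshly signed-up, still-unconfirmed user
    fails the condition, so the action is skipped and nothing is shown."""
    if current_user is None or not current_user.email_confirmed:
        return (False, "")  # skipped silently; an already-logged-in user stays logged in
    return log_in_two_flows(store, email, password)


def can_access_restricted(current_user: Optional[User]) -> bool:
    """Page-level condition for restricted areas: logged in AND email confirmed."""
    return current_user is not None and current_user.email_confirmed


if __name__ == "__main__":
    store = UserStore()  # constructed sample data
    alice = store.sign_up("alice@example.com", "correct horse battery staple")
    print(log_in_original_workflow(store, None, "alice@example.com", "wrong"))   # (False, '')
    print(log_in_two_flows(store, "alice@example.com", "correct horse battery staple"))
    store.confirm_email("alice@example.com")
    print(log_in_two_flows(store, "alice@example.com", "correct horse battery staple"))
```

Note that the custom "confirm your email" message still tells whoever holds the correct password that the address is registered, which is acceptable here because they have already proven they know the credentials; the generic message is kept for every other failure so that the login form does not become an email-enumeration oracle.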
So you are telling me that there are not two steps inside this action like
Check credentials
If they are correct - check email
But only 1 action: the credentials check is performed only after the condition is “yes”. This logic looks questionable to me from a user experience perspective. But OK - it is how it is.
I’ve got your main point - sign in is performed right after sign up automatically. So there is no native email 2FA during registration. So I will go another way with user status which is linked with email confirmation flag.
Thank you so much for your patience and time. Much appreciated.