My app has a sign-up option to allow people to create their own users. Users created don’t need to be manually enabled by me, but they need to confirm their e-mail.
The User API settings are set up the following way:
So I allow users to sign up, they can be “used right away” (don’t need to be manually enabled), but need to confirm email address by clicking the e-mail. They can also use email + password or sign in with Google.
The problem is that when a user is created by first logging in with Sign in with Google, Anvil does not send a verification e-mail.
One of my users reported this and I could successfully reproduce it:
The first two rows are unimportant.
The third row was created by login with Google. It does not have a password_hash (which is expected), but also has confirmed_email and email_confirmation_key as None.
The last row was created by email + password. It does have a password_hash (also correct), but also has confirmed_email as False and an email_confirmation_key.
This is a problem because that way I can never offer a complete registration without requiring the user to create a password first.
When logging in for the first time, even with a login with Google, the registration e-mail should’ve been sent to the user.
The purpose of the confirmation email is to make sure the email exists and is one the user has control over. When you allow users to login with Google you’re deferring that to Google (or whatever other third-party you’re allowing them to login with). I’ve never had any issues with the way things currently work (e.g. users have not been able to sign up with fake Gmail addresses).
There seems to be something in your flow that isn’t being explicitly laid out here that is what needs solved when someone uses a Google login. Can you address what you mean by “I can never offer a complete registration without requiring the user to create a password first”?
What I mean is: if the user does not want me to hold his password (even though it is secure), he can use the login with Google, but if he does that, he will not be confirmed. The only way he can be confirmed is if he first creates his account using email + password, which defeats the purpose.
Yes, I do agree with this, but…
…
Actually, I can’t really say a “but” hehehe. All the reasons I can think of to need confirmation even with the login with Google are not really good, so I think I will just do a branching on the code when logged in with Google to not ask the user to check its email.
Thanks for your input!
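The branching described in the last post, as an added example that is not part of the thread and not Anvil's own code. It assumes user rows are plain dicts with the three columns named above (password_hash, confirmed_email, email_confirmation_key), that a row with all three set to None was created through Sign in with Google as in the reproduced table, and that any other unconfirmed shape should fail closed; the function names and sample rows are hypothetical.

```python
# Added example: rows are plain dicts modelled on the Users-table columns
# named in the thread. All sample values below are constructed.

def email_state(user):
    """Classify a user row by how (or whether) its address was verified."""
    confirmed = user.get("confirmed_email")
    has_password = bool(user.get("password_hash"))
    has_key = user.get("email_confirmation_key") is not None

    if confirmed is True:
        return "confirmed"  # the user clicked the confirmation link
    if confirmed is None and not has_password and not has_key:
        # Shape the thread shows for a row created by Sign in with Google:
        # no password and no confirmation state. Control of the address was
        # established by the provider, so no confirmation email is needed.
        return "provider_verified"
    # Fail closed on everything else: confirmed_email is False, or the row
    # has a password but no record of the address ever being confirmed.
    return "needs_confirmation"


def may_proceed(user):
    """True when the account can be treated as having a verified address."""
    return email_state(user) in ("confirmed", "provider_verified")


SAMPLE_ROWS = [  # constructed rows, one per case
    {"email": "google.user@example.com", "password_hash": None,
     "confirmed_email": None, "email_confirmation_key": None},
    {"email": "new.user@example.com", "password_hash": "constructed-hash",
     "confirmed_email": False, "email_confirmation_key": "constructed-key"},
    {"email": "old.user@example.com", "password_hash": "constructed-hash",
     "confirmed_email": True, "email_confirmation_key": None},
    {"email": "odd.user@example.com", "password_hash": "constructed-hash",
     "confirmed_email": None, "email_confirmation_key": None},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["email"], email_state(row), may_proceed(row))
```

The last sample row shows why the check looks at the whole row rather than only at confirmed_email being None: an account that holds a password but has no confirmation record is still asked to confirm.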