Emails automatically verified without clicking verification code
-
Hi!
We are running a NodeBB based forum with email verification required for new users. We are using the verified-users group to allow access and restricting access for the non-verified-user group. However, I observed that any non-verified-user I created for testing purpose was after some time moved to verified group despite not having clicked the code sent in the email.
Does anyone have any leads on why this could be happening? How does NodeBB complete the verification? It usually verifies the same time I receive the email. Does it just send the email and count that as verification if it doesn't bounce?
Any help would be highly appreciated!
-
There are 2 functions responsible for confirming user email,
UserEmail.confirmByCodeandUserEmail.confirmByyUidhttps://github.com/NodeBB/NodeBB/blob/master/src/user/email.js#L180-L254.When a user clicks the confirmation link in the email the first one is used. But there are other ways that can confirm the email via confirmByUid (for example an admin doing it from the ACP or a plugin directly confirming it by calling that function). I suggest checking if anything is calling confirmByUid other than the email -> confirm flow.
