[BUG]: Missing logic in authentication

[ayush00git]

I was just exploring the authentication backend logic and i just came across a serious issue.

• Issue:

The database stores isVerified field for every user to make sure the email he entered is valid, at this step if a user gives a fake email and during the email verification using OTP if he refreshes the page without filling the OTP, his details gets save to the users collection in the database as isVerified = false. And that's totally correct, but if you try logging in with this isVerified = false id, you will still be able to login to your account.

• Major flows in this -

Even if you don't verify your account, you can still login as a user.
Database will get cluttered with fake emails.

• Steps to reproduce -

1. Create a new account, during OTP submission refresh the page without filling in the OTP.
2. Login with the credentials you used for the sign up.
3. You'll be logged in, even the database stores you as isVerified = false.

Changes i propose-
Opt1. For preventing the database from getting cluttered, we can save the user's details in the database after his email is verified not as he signs up.

Opt2. if isVerified = false we can add a logic in login to don't allow users where isVerified = false.

I would recommend going with the Opt1 changes as it would be a permanent solution that we pass the signed jwt token during signup and verify the decoded jwt token during the verification and then save it to the database. This will prevent cluttering of database and only saves the user when isVerified=true.

Opt2. will make things easy isVerified=false users will not be able to log in but the problem will be that they won't be able to verify their account at any moment, because the OTP option comes only after signup and we have to fill it up at the moment only.

[coderabbitai]

📝 CodeRabbit Plan Mode

Generate an implementation plan and prompts that you can use with your favorite coding agent.

• Create Plan

Examples

• Example 1
• Example 2

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[ayush00git]

Hey @bhavik-mangla @rixitgithub
I think it's a serious bug and a flow in the authentication process.
I am ready with the implementation. Please let me know through which out of 2 approaches should i begin.

[vaishali824]

I’ve gone through this issue and would like to work on it.
The current flow allows users with isVerified = false to log in and also stores unverified users if OTP verification is skipped, which can clutter the database. I propose saving user data only after successful email verification by using a temporary JWT during signup and persisting the user after OTP validation.
If this approach sounds good, I’d be happy to take ownership of this issue and submit a PR.

[ayush00git]

I’ve gone through this issue and would like to work on it. The current flow allows users with isVerified = false to log in and also stores unverified users if OTP verification is skipped, which can clutter the database. I propose saving user data only after successful email verification by using a temporary JWT during signup and persisting the user after OTP validation. If this approach sounds good, I’d be happy to take ownership of this issue and submit a PR.

@vaishali824
Glad you asked before,
actually i'm done with the implementations, just i'm waiting to raise a PR for this, you can have a look into other issues
Thanks : )

[vaishali824]

@ayush00git Thanks for the update! Appreciate you letting me know.
I’ll look into other open issues and contribute there.
Looking forward to reviewing the PR.

[ayush00git]

@vaishali824
Yaa sure, i'll be submitting the PR soon, you can review it ..