Is there a way to get a user's login code in the panel?

We have a client website with frontend registration and login.
All is working well…except for a larger email provider seeming to filter out the login code emails, so they don’t even show up in the spam folder of the person trying to register.

Is there a way to manually confirm registered users from the panel or to retrieve their login code to send it in a standard email?

I am aware it would be best to try and not get filtered out. But for one thing, all the relevant DNS records are set, and for another, it is unlikely that the email provider will be willing to look into this issue given their bigness and our client’s website’s smallness.

(This is in v4.4.1.)

Since the code is generated and then immediately sent, there is no way to retrieve the code. You would have to store it somewhere to be able to retrieve it, which in turn would require a custom challenge.

Maybe it would make more sense to let users set a password at creation, but assign a panel role without any permissions or so, then send them a standard email to confirm their email address or what other ways you have to confirm the validity of a user. When validated, assign another role.

Thanks, Sonja!

How does Kirby know the user has not confirmed their account via login code?
I was assuming it was tracked in /site/accounts/.logins, but emptying that file and trying to log in as an unconfirmed user (after deleting cookies) with email and password only sends out a new login code email (that will again not be received through the mentioned vendor).
Also, I could not find any difference in the user account files of a confirmed and an unconfirmed user that would enable us to perform (potentially manual) actions on the server level.

There is no such thing as a confirmed or unconfirmed user account. The login via code creates a challenge and while that challenge is pending, they can log in via the code.

To me, it looks like an unconfirmed user (from the outside), as they cannot log in unless using the code they got sent. For the lack of a more suitable term I call them “unconfirmed”. Hopefully I can rephrase as soon as I understand the process better. :grimacing:

Do I gather correctly from your reply that there is no way to change that challenge’s status other than entering the code?

I have no idea where that challenge “lives”, that’s why I am trying to learn.
Even when I create a new user in the panel, they are asked for a login code the first time they are trying to log in. Otherwise that would have been a feasible workaround for users that cannot receive the login code emails.

I think it's stored in the PHP session of that user. kirby/src/Cms/Auth/Challenge.php at main · getkirby/kirby · GitHub

I assumed so, but maybe my knowledge/understanding is too limited.
Having deleted all cookies in the browser and emptied /site/sessions/, the user still gets asked for a login code on trying to log in.
So there must be some other place where the info is stored that the user still needs to enter the code. No?

Just a guess… Does refreshing the browser window reset that state for the panel login view? If so, then it's the “pending” state defined here: kirby/panel/src/components/Views/Login/LoginCodeForm.vue at main · getkirby/kirby · GitHub

Thank you for digging into this, Bruno.
Unfortunately, I hardly understand anything in that Vue file. Much less would I know what to do with it.
Also: The user is not meant to log into the panel, but into the frontend. No Vue should be involved there.

I am still at a loss as to how Kirby knows that the user needs to log in with a code first.
Any hints are appreciated.

A rather unsatisfying, hacky quick-fix I found to be working:

  1. Change the email address in the new user’s account to one I have control over.
  2. Execute that first-time code login.
  3. Change email address back to new user’s.
  4. Notify them to delete cookies and then log in as expected.

Forgotten password reset would likely involve those same steps.

The thing is, unless you store the login code somewhere else (i.e. not in the session), then you cannot access it from the Panel.

We recently had the same issue at work: I implemented email 2FA in our application, and also stored the code in the session. But we had the same problem with emails not arriving and refactored to store the code in the database instead, so it can be displayed to customer support in the admin.
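
The custom challenge mentioned in the replies above could look like the following sketch. It is an added example, not part of the original thread and not Kirby's own code. The plugin name, the challenge name `support-code`, the user fields `supportCode` and `supportCodeExpires`, and the sender address are assumptions.

```php
<?php
// site/plugins/support-code-challenge/index.php (hypothetical plugin)
// Enable it in site/config/config.php with:
//   'auth' => ['challenges' => ['support-code']]

use Kirby\Cms\App;
use Kirby\Cms\Auth\Challenge;
use Kirby\Cms\User;
use Kirby\Toolkit\Str;

class SupportCodeChallenge extends Challenge
{
    public static function isAvailable(User $user, string $mode): bool
    {
        return true;
    }

    public static function create(User $user, array $options): string|null
    {
        $kirby   = $user->kirby();
        $code    = Str::random(6, 'num');
        $expires = date('c', time() + $options['timeout']);

        // Nobody is logged in at this point, so write with elevated rights.
        // The fields (assumed names) end up in the user's content file and
        // can be shown to support staff through the user blueprint.
        $kirby->impersonate('kirby', fn () => $user->update([
            'supportCode'        => $code,
            'supportCodeExpires' => $expires,
        ]));

        // Still try normal delivery; a mail failure must not block the login.
        try {
            $kirby->email([
                'from'    => 'noreply@example.com', // assumed sender address
                'to'      => $user->email(),
                'subject' => 'Your login code',
                'body'    => 'Your login code: ' . $code,
            ]);
        } catch (\Throwable $e) {
            // delivery problems are handled out of band via the stored code
        }

        // Kirby stores a hash of the returned code in the requesting session;
        // the inherited verify() checks the entered code against that hash.
        return $code;
    }
}

App::plugin('example/support-code-challenge', [
    'authChallenges' => ['support-code' => SupportCodeChallenge::class],
]);
```

Because verification runs against the hash in the session that requested the login, the stored value only helps the user who started that login attempt. Restrict who can view the two fields and treat the value as void after `supportCodeExpires`.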

Thanks, Sonja.
I will see what I can accomplish.