Previously Verified Users Deleted After Changing Email Address #2441

Closed
2 tasks done
spwitt opened this issue Aug 24, 2023 · 4 comments

spwitt commented Aug 24, 2023

Previously Verified Users Deleted After Changing Email Address

Description

If a tenant has enabled Email verification, Verify email when changed, and Delete unverified users, a user who changes their email address will be deleted the next time unverified users are deleted assuming that user's creation date is outside the retention window.

Affects versions

At least 1.37.0 and later

Steps to reproduce

Steps to reproduce the behavior:

  1. Navigate to Tenants > Edit > Email
  2. Enable Verify email and Verify email when changed
  3. Enable Delete unverified users
  4. Locate or create a verified user with a creation date outside the configured Delete after window
  5. Change the user's email address
  6. Wait for the scheduled process that cleans unverified users to run
  7. The user is deleted

Expected behavior

Users who have previously verified their email address should not be deleted immediately after an email change. The exact behavior is open for discussion. Some options:

  • Never delete a previously verified user after an email change
  • Reset the clock on the deletion. If the retention period is 30 days, the user will be deleted 30 days after an email change if their new email address is not verified within that time.
  • Allow a separate configuration for user retention after a user changes their email address.

Documentation

  • New enabledInstant on the Tenant and Application APIs
  • New verifiedInstant on the User and Registration APIs

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Release Notes

A critical bug was identified that caused FusionAuth to incorrectly identify users eligible for deletion based upon the tenant policy to delete users with an unverified email address. Until you have upgraded to version 1.48.0 please disable Delete unverified users if you currently have enabled Email verification, Verify email when changed and Delete unverified users.

@spwitt spwitt added the bug Something isn't working label Aug 24, 2023
@spwitt spwitt added this to Backlog in FusionAuth Issues via automation Aug 24, 2023
@spwitt spwitt moved this from Backlog to On Deck in FusionAuth Issues Aug 24, 2023

jpoiron commented Aug 24, 2023

For our purposes, I think option 1 "Never delete a previously verified user after an email change" is how we thought the Delete unverified users feature worked. If the process worked this way we would be happy. However, I can see how making it configurable could be a good option as well. I can't envision a scenario where we would want to delete a previously verified user via this process, so option 2 isn't great for us.


spwitt commented Aug 25, 2023

Thank you for the feedback @jpoiron. We are also leaning toward Option 1.

@spwitt spwitt moved this from On Deck to In progress in FusionAuth Issues Sep 5, 2023
@spwitt spwitt self-assigned this Sep 5, 2023
@spwitt spwitt added this to the 1.48.0 milestone Sep 5, 2023
@spwitt spwitt assigned robotdan and unassigned spwitt Sep 5, 2023

robotdan commented Sep 5, 2023

The current plan is to never delete a user once verified. This feature is really intended to help with spam, so once a user verifies, we assume the user is legitimate and we should not delete them.

The re-verification process will change once we complete the multiple identity work because identities will be immutable so to speak. For example, an email will be immutable, and a change is really an add with a state transition on the former. So in this future state, the existing email will still be verified, and a new email will be pending verification.
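The following is an added, self-contained model of the retention check discussed in this issue; it is not FusionAuth code and does not reflect how the product implements the cleanup job. It simulates the reported behaviour (any unverified user whose creation date falls outside the Delete after window is removed, so a previously verified user who just changed their email is swept up), the plan stated above (never delete a user once verified), and the "reset the clock" option from the issue's Expected behavior list, then shows that disabling Delete unverified users, the mitigation from the Release Notes, removes nobody. The `verified_instant` field is an assumed stand-in for the verifiedInstant mentioned in the Documentation section; the user and tenant models and the sample users are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


# Constructed model of the tenant email settings named in the issue.
@dataclass
class TenantEmailConfig:
    verify_email: bool
    verify_email_when_changed: bool
    delete_unverified_users: bool
    delete_after: timedelta


# Constructed user model. `verified_instant` is an assumed stand-in for the
# verifiedInstant field the issue mentions: the first time any email on the
# account was verified. It survives an email change; `verified` does not.
@dataclass
class User:
    email: str
    insert_instant: datetime
    verified: bool
    verified_instant: Optional[datetime] = None
    email_changed_instant: Optional[datetime] = None


def verify_email(user: User, now: datetime) -> None:
    user.verified = True
    if user.verified_instant is None:
        user.verified_instant = now


def change_email(user: User, new_email: str, cfg: TenantEmailConfig, now: datetime) -> None:
    user.email = new_email
    user.email_changed_instant = now
    if cfg.verify_email and cfg.verify_email_when_changed:
        user.verified = False  # the new address must be verified again


def _policy_active(cfg: TenantEmailConfig) -> bool:
    return cfg.verify_email and cfg.delete_unverified_users


def eligible_reported(user: User, cfg: TenantEmailConfig, now: datetime) -> bool:
    """Reported behaviour: unverified now and created outside the window."""
    return _policy_active(cfg) and not user.verified and now - user.insert_instant > cfg.delete_after


def eligible_never_delete_verified(user: User, cfg: TenantEmailConfig, now: datetime) -> bool:
    """Option 1, the stated plan: a user who ever verified is never deleted."""
    if not _policy_active(cfg) or user.verified or user.verified_instant is not None:
        return False
    return now - user.insert_instant > cfg.delete_after


def eligible_reset_clock(user: User, cfg: TenantEmailConfig, now: datetime) -> bool:
    """Option 2: the retention window restarts at the latest email change."""
    if not _policy_active(cfg) or user.verified:
        return False
    start = user.email_changed_instant or user.insert_instant
    return now - start > cfg.delete_after


Policy = Callable[[User, TenantEmailConfig, datetime], bool]


def run_cleanup(users: List[User], cfg: TenantEmailConfig, now: datetime, policy: Policy) -> List[str]:
    """Return the emails the cleanup job would delete under `policy`."""
    return [u.email for u in users if policy(u, cfg, now)]


def build_sample_users(cfg: TenantEmailConfig, now: datetime) -> List[User]:
    # Constructed accounts; the tenant retention window is 30 days.
    alice = User("alice@example.com", now - timedelta(days=90), verified=False)
    verify_email(alice, now - timedelta(days=89))          # verified long ago
    change_email(alice, "alice.new@example.com", cfg, now - timedelta(days=1))
    bob = User("bob@example.com", now - timedelta(days=60), verified=False)    # never verified, old
    carol = User("carol@example.com", now - timedelta(days=5), verified=False)  # never verified, new
    dave = User("dave@example.com", now - timedelta(days=100), verified=False)
    verify_email(dave, now - timedelta(days=99))           # verified, email unchanged
    return [alice, bob, carol, dave]


def demo() -> Dict[str, List[str]]:
    now = datetime(2023, 8, 24, tzinfo=timezone.utc)
    cfg = TenantEmailConfig(True, True, True, timedelta(days=30))
    users = build_sample_users(cfg, now)
    disabled = TenantEmailConfig(True, True, False, cfg.delete_after)  # release-notes mitigation
    return {
        "reported": run_cleanup(users, cfg, now, eligible_reported),
        "never_delete_verified": run_cleanup(users, cfg, now, eligible_never_delete_verified),
        "reset_clock": run_cleanup(users, cfg, now, eligible_reset_clock),
        "disabled": run_cleanup(users, disabled, now, eligible_reported),
    }


if __name__ == "__main__":
    for policy, deleted in demo().items():
        print(f"{policy}: {deleted}")
```

Only the reported check deletes alice, whose account is older than the window but whose first verification predates the change; both alternative checks keep her and still remove bob, the never-verified account the feature is meant to catch.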

@robotdan robotdan moved this from In progress to Code complete in FusionAuth Issues Sep 12, 2023
@robotdan robotdan moved this from Code complete to Reviewer approved in FusionAuth Issues Oct 9, 2023

robotdan commented Oct 9, 2023

@robotdan robotdan moved this from Reviewer approved to Code complete in FusionAuth Issues Oct 11, 2023
@robotdan robotdan moved this from Code complete to Delivered in FusionAuth Issues Oct 31, 2023