Previously Verified Users Deleted After Changing Email Address
Description
If a tenant has enabled Email verification, Verify email when changed, and Delete unverified users, a user who changes their email address will be deleted the next time unverified users are deleted assuming that user's creation date is outside the retention window.
Affects versions
At least 1.37.0 and later
Steps to reproduce
Steps to reproduce the behavior:
Navigate to Tenants > Edit > Email
Enable Verify email and Verify email when changed
Enable Delete unverified users
Locate or create a verified user with a creation date outside the configured Delete after window
Change the user's email address
Wait for the scheduled process that cleans unverified users to run
The user is deleted
Expected behavior
Users who have previously verified their email address should not be deleted immediately after an email change. The exact behavior is open for discussion. Some options:
Never delete a previously verified user after an email change
Reset the clock on the deletion. If the retention period is 30 days, the user will be deleted 30 days after an email change if their new email address is not verified within that time.
Allow a separate configuration for user retention after a user changes their email address.
Documentation
New enabledInstant on the Tenant and Application APIs
New verifiedInstant on the User and Registration APIs
Release Notes
A critical bug was identified that caused FusionAuth to incorrectly identify users eligible for deletion based upon the tenant policy to delete users with an unverified email address. Until you have upgraded to version 1.48.0, please disable Delete unverified users if you currently have enabled Email verification, Verify email when changed and Delete unverified users.
For our purposes, I think option 1 "Never delete a previously verified user after an email change" is how we thought the Delete unverified users feature worked. If the process worked this way we would be happy. However, I can see how making it configurable could be a good option as well. I can't envision a scenario where we would want to delete a previously verified user via this process, so option 2 isn't great for us.
The current plan is to never delete a user once verified. This feature is really intended to help with spam, so once a user verifies, we assume the user is legitimate and we should not delete them.
The re-verification process will change once we complete the multiple identity work because identities will be immutable so to speak. For example, an email will be immutable, and a change is really an add with a state transition on the former. So in this future state, the existing email will still be verified, and a new email will be pending verification.
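A small model of the clean-up selection discussed in this thread, added here as an illustration and not FusionAuth's code: the first rule reconstructs the reported behaviour from the issue description, the second applies the "never delete once verified" plan. The record layout, the function names, the sample users and the assumption that `verifiedInstant` survives an email change are all hypothetical.

```python
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def eligible_reported(user, now, retain_days):
    """Reported behaviour: only the current verified flag and creation date count."""
    return (not user["verified"]) and user["insertInstant"] < now - retain_days * DAY

def eligible_planned(user, now, retain_days):
    """Stated plan: a user who has ever verified is never deleted by this policy."""
    if user.get("verifiedInstant") is not None:
        return False
    return eligible_reported(user, now, retain_days)

def change_email(user, new_email):
    """'Verify email when changed': the new address starts unverified.
    Assumption: the record of the earlier verification is kept."""
    return {**user, "email": new_email, "verified": False}

def sweep(users, now, retain_days, rule):
    """Ids the scheduled clean-up would delete under the given rule."""
    return sorted(u["id"] for u in users if rule(u, now, retain_days))

# Constructed sample data: clean-up runs on 2023-09-01 with a 30-day window.
NOW = _d(2023, 9, 1)
USERS = [
    # Verified long ago, then changed address: the case from the issue.
    change_email({"id": "alice", "email": "alice@old.example", "verified": True,
                  "insertInstant": _d(2022, 1, 1), "verifiedInstant": _d(2022, 1, 2)},
                 "alice@new.example"),
    # Verified and unchanged.
    {"id": "bob", "email": "bob@example.com", "verified": True,
     "insertInstant": _d(2022, 3, 1), "verifiedInstant": _d(2022, 3, 1)},
    # Never verified, older than the window: the spam case the policy targets.
    {"id": "spam", "email": "x@example.net", "verified": False,
     "insertInstant": _d(2023, 1, 1), "verifiedInstant": None},
    # Never verified, still inside the window.
    {"id": "recent", "email": "new@example.org", "verified": False,
     "insertInstant": _d(2023, 8, 25), "verifiedInstant": None},
]

if __name__ == "__main__":
    print("reported:", sweep(USERS, NOW, 30, eligible_reported))
    print("planned: ", sweep(USERS, NOW, 30, eligible_planned))
```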