Verify user emails after signup #1121

@tefkah

Motivation

Currently we don't verify users' emails after/during signup at all, which is bad.
It wasn't really a problem before, as we invited users through their email already, so it wasn't that important.

But now with #1114 landing we for the first time will have public signups to pubpub. We need to check that users own the email they fill in there.

Requirements

  • After a user signs up, PubPub sends them an email with a randomly generated code to verify their email address
  • When a user has not yet verified, they are prompted to verify when trying to access any page while logged in, with a page telling them we've sent them a verification email and they should check for it, and a button that allows them to re-send the verification, which creates a new token and invalidates the old one.
  • After verification, they are forwarded to the page they were originally trying to access
  • If the token has expired, the user is shown a page telling them it's expired and a button that allows them to receive a new token.
  • Forgot password also functions as verification, in the case where a user signs up, never completes verification, and deletes the verification email

Acceptance Criteria

  • Remind @eastofesten: documentation update to Logging In
  • When a user signs themselves up via /c/${community}/public/signup, update the publicSignup server action to create an auth token of type verifyEmail
  • Create an auth token of type verifyEmail that expires in 2 hours
  • Send a verification email with a link that contains the token. Similar to sendForgotPasswordMail https://github.com/pubpub/platform/blob/main/core/lib/authentication/actions.ts#L132
    • If user visits the link after the token has expired, page should say the token has expired and contain a button labeled "Resend Verification Link" that, when clicked, repeats the creation of token and sending of verification link
  • Add a new page /verify which checks the verification token. Similar to (user)/reset/page.tsx https://github.com/pubpub/platform/blob/main/core/app/(user)/reset/page.tsx
  • Once verified, forward to the original page they were trying to access
  • Add checks to other pages to make sure the user is verified
  • Update the forgot password action to verify a user's email if it is not already verified (in the case where a user forgets verification and returns to signup months later)
  • On other pages where a user is added via an email, isVerified is automatically set to true so those users do not need to go through the verification flow
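A sketch of the token lifecycle and post-verification redirect described in the requirements above, added here as an illustration and not taken from the issue or the PubPub code base. `EmailVerifier`, `safeRedirect`, the in-memory `Map` standing in for the auth token table, and storing only a SHA-256 hash of the token are all assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

type TokenRow = { userId: string; expiresAt: number };
type VerifyResult = "verified" | "expired" | "invalid";
const TTL_MS = 2 * 60 * 60 * 1000; // verifyEmail tokens expire in 2 hours

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Hypothetical store: the Map stands in for the database table of auth tokens.
class EmailVerifier {
  private tokens = new Map<string, TokenRow>(); // keyed by token hash, never the raw token
  readonly verified = new Set<string>();

  // Used for both signup and "Resend Verification Link": any older token
  // for the same user is deleted before the new one is stored.
  issue(userId: string, now: number = Date.now()): string {
    this.tokens.forEach((row, hash) => {
      if (row.userId === userId) this.tokens.delete(hash);
    });
    const token = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
    this.tokens.set(sha256(token), { userId, expiresAt: now + TTL_MS });
    return token; // goes into the emailed link only
  }

  verify(token: string, now: number = Date.now()): VerifyResult {
    const hash = sha256(token);
    const row = this.tokens.get(hash);
    if (!row) return "invalid"; // unknown, superseded by a resend, or already used
    if (now >= row.expiresAt) return "expired"; // caller shows the resend button
    this.tokens.delete(hash); // single use
    this.verified.add(row.userId);
    return "verified";
  }
}

// The "original page" to forward to arrives as request data, so accept only a
// same-site path: one leading "/", not "//" or "/\", and no control characters.
function safeRedirect(target: string | undefined, fallback = "/"): string {
  if (!target || !/^\/(?![\/\\])[^\x00-\x1f]*$/.test(target)) return fallback;
  return target;
}
```
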
