The official docs guide recommends setting the session right after the OTP code is requested: https://lucia-auth.com/guides/email-and-password/email-verification-codes
This means that if we check auth in our app like this, the user becomes authenticated even before we verify his access to the email code.
My initial guess was to additionally check `user.emailVerified`, but the user could have his email already verified if this is not the first login.
I couldn't find any related practice in the Lucia, Oslo, or Arctic docs, nor in the Copenhagen Book.
My guess is that I need to modify the session to make it "limited" until the user inputs the code; then he receives a full session.
But what is best practice? Maybe docs could be improved for this matter?
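A sketch of the "limited session" idea raised in the question, as an added example that is not part of the original post and not Lucia's API. It assumes an in-memory `Map` in place of the session table; every function name is hypothetical, and rotating the token once the code is verified is a design choice of this example.

```javascript
// Added example: hypothetical names, in-memory store instead of a database.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const sessions = new Map(); // token -> { userId, verified, code?, codeExpiresAt?, attempts? }

function randomHex(bytes) {
  const buf = webcrypto.getRandomValues(new Uint8Array(bytes));
  return Array.from(buf, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Step 1 (password accepted): issue a session that is explicitly NOT verified.
function beginLogin(userId, now = Date.now()) {
  const token = randomHex(20);
  const code = randomHex(4); // 8 hex chars; a real app e-mails this instead of returning it
  sessions.set(token, { userId, verified: false, code, codeExpiresAt: now + 10 * 60_000, attempts: 0 });
  return { token, code };
}

function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Step 2 (code submitted): on success, drop the limited session and issue a
// fresh token, so the pre-verification token never carries full access.
function verifyCode(token, submitted, now = Date.now()) {
  const s = sessions.get(token);
  if (!s || s.verified) return null;
  if (now > s.codeExpiresAt || ++s.attempts > 5) {
    sessions.delete(token); // expired or too many guesses: force a new login
    return null;
  }
  if (!constantTimeEqual(String(submitted), s.code)) return null;
  sessions.delete(token);
  const fullToken = randomHex(20);
  sessions.set(fullToken, { userId: s.userId, verified: true });
  return fullToken;
}

// Guard for protected routes: a session existing is not enough; it must be
// verified for THIS login, independent of any user.emailVerified flag.
function requireFullSession(token) {
  const s = sessions.get(token);
  return s && s.verified ? { userId: s.userId } : null;
}
```

The "enter your code" route is the only one that should accept a session with `verified: false`; every other route goes through `requireFullSession`.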