Description
Bug report
It is possible to log in to Strapi using an unconfirmed, unauthenticated user.
Describe the bug
When we log in using the API (GraphQL), we get a logged-in session even if we are not confirmed yet, although we should not get access to the platform while unconfirmed.
Steps to reproduce the behavior
- Register a user from the API (GraphQL); it will be confirmed by default but is then updated to be unconfirmed.
- Check that the user was created in the admin panel.
- Log in from the API (GraphQL).
- See error: the login succeeds and the jwt is returned even though the user is not confirmed yet.
Expected behavior
It should not be possible to log in to Strapi while the user is not confirmed.
Code snippets
package.json:
  "dependencies": {
    "knex": "0.21.18",
    "sqlite3": "5.0.0",
    "strapi": "3.6.2",
    "strapi-admin": "3.6.2",
    "strapi-connector-bookshelf": "3.6.2",
    "strapi-plugin-content-manager": "3.6.2",
    "strapi-plugin-content-type-builder": "3.6.2",
    "strapi-plugin-email": "3.6.2",
    "strapi-plugin-graphql": "3.6.2",
    "strapi-plugin-i18n": "3.6.2",
    "strapi-plugin-upload": "3.6.2",
    "strapi-plugin-users-permissions": "3.6.2",
    "strapi-provider-email-amazon-ses": "^3.6.2",
    "strapi-provider-upload-aws-s3": "^3.6.2",
    "strapi-utils": "3.6.2"
  },
System
- Node.js version: v14.16.1
- NPM version: 6.14.12
- Strapi version: 3.6.2
- Database: SQLite
- Operating system: Deepin 20.2 x86_64
Additional context
Our authentication workflow is the following:
- A user registers in the application through the API (GraphQL).
- This user must stay unconfirmed until an admin confirms it.
- The admin confirms it.
- The user can then log in to the platform.
To get this behaviour without sending confirmation emails, we opted not to enable the email confirmation workflow and instead update the newly created user after its registration (afterCreate lifecycle).