Confirmation Email Token for a Custom Role - What is this token (it's not JWT)?

For an Authenticated role, the token in the confirmation email is JWT. In a custom role, the token is not a JWT, but something else. What is that token and how can I decode it?

Confirmation tokens used to be JWTs, but that proved to be a security risk; they are now just randomly generated tokens with no encoded data in them.

Thanks, then how does it know which user to confirm when someone uses the link?

The token is stored in the database on the user:

Got it. Any way for me to query for a User using that token? In other words, I’m trying to check if the user already confirmed their account in the case they clicked on the confirmation link more than once. Right now clicking on the link twice returns an “invalid.token” error instead of “already confirmed”, for example.

When someone clicks the link with a token, it’s validated, the token is deleted from the user and the confirmed boolean is changed from false to true:

If you want to see if a user is confirmed, filtering users by this boolean would be the way to do it.

Yes, but it doesn’t look like there’s a way to find out if someone tried to confirm more than once.

No, we don’t store a history.

Are there plans to remove JWT from an Authenticated Role? In other words, if I go back and assign the Authenticated role to newly registered users, the confirmation email currently includes JWT (which I can decode and get the user ID), but since it’s a security issue, perhaps it will be removed from Authenticated Roles at some point as well?

Not sure what you are asking?

If in the settings on Strapi I assign the “Authenticated” role to a newly registered user, then the confirmation link in the email contains the JWT in the URL. On the other hand, if I assign a newly registered user a custom role, then I do get the random string in the confirmation URL.

I’m curious if this is intended behavior?

None of the confirmation codes should be a JWT; you only get the JWT back if they log in.

(And yes, it’s intended that you can locally decrypt the JWT and it gives the user ID.)

Confirmation emails aren’t sent when a role changes, not sure if that’s what you were asking.

Sorry, to clarify, in Strapi settings you can change the Role a user is assigned when registering. For example, they can be assigned Authenticated, or any custom Role when registering for the first time.

If I pick the Role assignment to be Authenticated, then the confirmation link a newly registered user receives contains the JWT in the confirmation email.

If I go back and change the Role assignment to be a custom role, then when a newly registered user receives a confirmation email, the confirmation link now contains a random string instead of a JWT.

I hope that clarifies it.

What Strapi version are you on?

Version 3.4.5

Can you test on v3.5.4 (current latest)?

I plan to, but it sounds like that isn’t intended behavior anyhow with Authenticated users, so I won’t be doing that anyway. Was curious if the Authenticated role had some special case for this and it doesn’t sound like it. All Roles, regardless, should be receiving the random string now in the confirmation email.

It is not intended, no; if that’s happening then we need to get that fixed. (Nothing special in that role.)