System Information
-
Strapi Version:
3.6.2 -
Operating System:
Deepin 20.2 x86_64 -
Database:
sqlite3 -
Node Version:
v14.16.1 -
NPM Version:
6.14.12 -
Yarn Version:
1.22.10
When we login using the API(GraphQL), we can get logged in on session even if we are not confirmed yet when we should not get access to the platform if we are not confirmed.
Steps to reproduce the behavior
- Register a user from the API(GraphQL), it will be confirmed by default but updated to be unconfirmed.
- Check the user was create on the admin panel.
- Do login from the API(GraphQL).
- See error: it is logged in, the
jwtcomes even when the user is not confirmed yet.
Expected behavior
It should not be able to login on Strapi while the user is not confirmed.
Screenshots
Code snippets
package.json:
"dependencies": {
"knex": "0.21.18",
"sqlite3": "5.0.0",
"strapi": "3.6.2",
"strapi-admin": "3.6.2",
"strapi-connector-bookshelf": "3.6.2",
"strapi-plugin-content-manager": "3.6.2",
"strapi-plugin-content-type-builder": "3.6.2",
"strapi-plugin-email": "3.6.2",
"strapi-plugin-graphql": "3.6.2",
"strapi-plugin-i18n": "3.6.2",
"strapi-plugin-upload": "3.6.2",
"strapi-plugin-users-permissions": "3.6.2",
"strapi-provider-email-amazon-ses": "^3.6.2",
"strapi-provider-upload-aws-s3": "^3.6.2",
"strapi-utils": "3.6.2"
},
Additional context
Our authentication workflow is the next:
- A user does registration through in the application through the API(GraphQL).
- This user must be unconfirmed till the admin confirm it.
- The admin confirm it.
- The user can then login on the plartfom.
To enable this behaviour avoiding to send confirmation emails, we just opted by not enable the confirm email workflow but update the newly create user after its registration (afterCreate lifecycle).
The question
Is it normal? We think unconfirmed users should not be logged in on Strapi, but we don’t know if it is the intended behaviour for Strapi authenticated users.
Thanks.