It is possible to login unconfirmed authenticated users

System Information
  • Strapi Version: 3.6.2
  • Operating System: Deepin 20.2 x86_64
  • Database: sqlite3
  • Node Version: v14.16.1
  • NPM Version: 6.14.12
  • Yarn Version: 1.22.10

When we login using the API(GraphQL), we can get logged in on session even if we are not confirmed yet when we should not get access to the platform if we are not confirmed.

Steps to reproduce the behavior

  1. Register a user from the API(GraphQL), it will be confirmed by default but updated to be unconfirmed.
  2. Check the user was create on the admin panel.
  3. Do login from the API(GraphQL).
  4. See error: it is logged in, the jwt comes even when the user is not confirmed yet.

Expected behavior

It should not be able to login on Strapi while the user is not confirmed.


Code snippets


"dependencies": {
    "knex": "0.21.18",
    "sqlite3": "5.0.0",
    "strapi": "3.6.2",
    "strapi-admin": "3.6.2",
    "strapi-connector-bookshelf": "3.6.2",
    "strapi-plugin-content-manager": "3.6.2",
    "strapi-plugin-content-type-builder": "3.6.2",
    "strapi-plugin-email": "3.6.2",
    "strapi-plugin-graphql": "3.6.2",
    "strapi-plugin-i18n": "3.6.2",
    "strapi-plugin-upload": "3.6.2",
    "strapi-plugin-users-permissions": "3.6.2",
    "strapi-provider-email-amazon-ses": "^3.6.2",
    "strapi-provider-upload-aws-s3": "^3.6.2",
    "strapi-utils": "3.6.2"

Additional context

Our authentication workflow is the next:

  1. A user does registration through in the application through the API(GraphQL).
  2. This user must be unconfirmed till the admin confirm it.
  3. The admin confirm it.
  4. The user can then login on the plartfom.

To enable this behaviour avoiding to send confirmation emails, we just opted by not enable the confirm email workflow but update the newly create user after its registration (afterCreate lifecycle).

The question

Is it normal? We think unconfirmed users should not be logged in on Strapi, but we don’t know if it is the intended behaviour for Strapi authenticated users.


I’m not a strapi expert and I don’t really have an answer to your question. However I have used plenty of applications that let me register and use the site without ever confirming my email address. Maybe there is a way to create another role?

Hi @LuisAlaguna, from my investigations, it looks like this is a legitimate bug. Have you already created an issue on Github?

I think it requires more control workflows instead.

Yeah, i opened it but it was closed.

Hi @LuisAlaguna, share the link and I could take a look at why it was closed.

This is the link: It is possible to login unconfirmed authenticated users. · Issue #10308 · strapi/strapi · GitHub

Hi @LuisAlaguna. I took a look and did more research. The auth route is the only route that will not check if the user is confirmed or not. All subsequent requests will fail despite the login routes working fine. The issue was closed because this was the intended way the login routes would work within Strapi. So yours was more a question of why, as opposed to it being a bug. With that said, my initial investigations were incorrect.

1 Like

Cool, I got it, thank you.

1 Like