Overwrite Strapi's authentication

System Information
  • Strapi Version: v4.9.0
  • Operating System: macOS 14
  • Database: MySQL
  • Node Version: v18.15.0
  • NPM Version: 9.5.0
  • Yarn Version:

I’m trying to integrate my own user verification method. I added an afterCreate handler in the user-permissions lifecycles. This lifecycle handler sets the user’s “confirmed” field to false and generates a 6-digit code which is sent to the newly registered user by email. Then I created a custom API controller to check the code’s validity and set the user’s “confirmed” field to true.

This custom method successfully toggles the user’s “confirmed” field to false or true. The problem comes when I turn off Strapi’s “Enable email confirmation” option under the UI’s advanced settings. Once I turned that off, all new users’ “confirmed” field is set to true by default, and even if I set the “confirmed” field to false, unconfirmed users can still log in and enjoy all the same permissions as an authenticated user.

I thought the user’s “confirmed” field would set the user verification status but apparently I’m missing something. Any ideas on how to handle this?

PS: By the way, Strapi’s default authentication method IMO is not mobile friendly. Most native mobile apps today will send you a registration code instead of an email link. An email link will force you to navigate out of the app, affecting the onboarding flow.