POW API email confirmation flow

I’m trying to understand how to redirect users to /registration/edit after sign in / sign up when users haven’t confirmed their email.

I read through "Pow API email confirmation flow" and "Resend email confirmation link | Pow".

The powauth article is from 2020 and I don’t know if it is still the correct solution for what I’m trying to achieve.

Here is what I did so far:

Path 1 (suggested by the article linked above):

  • created the controller RegistrationController
  • included the post path in the router

Outcome: User gets redirected to /session/new page and a flash message pops up

Path 2:

  • added a backend router and defined after_sign_in_path and after_registration_path to redirect users to a new page /verify-email where I can show the user a message explaining they need to verify their email first.
  • include a button with a link to resend the confirmation email
  • add /verify-email to an unprotected route

Outcome: User gets redirected to the /verify-email page, clicking the link sends the user to the right controller, but there is no current_user in the conn, because the route is not protected. User gets redirected to the /session/new page.

Path 3:

  • added a backend router and defined after_sign_in_path and after_registration_path to redirect users to a new page /verify-email where I can show the user a message explaining they need to verify their email first.
  • include a button with a link to resend the confirmation email
  • add /verify-email to a protected route

Outcome: User gets redirected to /session/new page and a flash message pops up

My main questions are:

  1. Should I take path 2 and add the user email (entered in the sign in page) as a hidden field in the verify email page form and try to login the token from the db to resend the email? Even though both routes, get (to show the page) and post to resend the email, are not protected?

  2. Am I missing something on paths 1 and 3 and that’s why I don’t get redirected to the /registration/edit page after sign?

  3. If path 3 is the best one, do I need to implement my own RequireAuthenticated plug so I have more control and can redirect the user to the post /verify-email route when clicking the resend button?