Verify account, how to skip this step?
Loschcode opened this issue ยท 11 comments
I'm looking for a solution to skip the verify account part because I don't wish to actually send an activation email therefore have accounts automatically confirmed. When I'm sending an updateAccount mutation I get this kind of response:
Please verify your account
I see this option is nowhere to be seen in the settings in the documentation despite being able to deactivate the email dispatch; I either don't understand fully how to deactivate this part or you have very odds ways to setup settings flows...
I'm looking into this for a while thus my issue. Thanks
Being pretty new to the Python world, I've made a workaround by adding this logic after the user creation
user = CustomUser.objects.get(id=user_id)
user.status.verified = True
user.status.save()
Not a perfect solution honestly, but it works for now.
Thanks @Loschcode.
Additionally, if you are doing this in a migration, you will need this dependency.
dependencies = [
...,
('graphql_auth', '0001_initial'),
...
]
Otherwise, as expected, your CustomUser will not have the status field.
Hi @Loschcode,
verification is an important part of the authentication process, not only in this library, generally speaking.
Of course, you can choose and do whatever you want in your project but I'm not sure that a bypass of verification will add value to the library.
Feel free to fork the project and skip the verification part.
cc: @PedroBern
@panosangelopoulos Hello fellow collaborator ๐ I, myself, too find the verification this library provides a bit weird. UserStatus
model is a new, kinda magic thing that you can achieve almost same thing (for the most of use cases) with single is_verified
field on your user model. I'd use if there is a setting to switch current verification method off, i'd use it now.
@ulgens thanks for your message, this topic is getting buzz!
I completely understand the weird part of verification but do you think that the solution will be the option to switch it on or off? I would rather expect a way of resolving the weird part and make it more readable/understandable for the rest of the community instead of switch it off.
Of course, that's my opinion and I'm open to discussing it further.
Generally speaking, the Verification (not-only for a user) is part of the The OAuth 2.0 Authorization Framework
(https://tools.ietf.org/html/rfc6749#section-4.1) but we can of course argue about it.
Why do I think that switching it off isn't the way to go?
Most of them are mentioned => https://ux.stackexchange.com/a/111023.
I agree with its benefits but I don't think "It's the best way (we/everyone say so), so you have to do it." is the best way to go as a maintainer. Not everyone really need that benefit and in some cases, it does more harm than good. I can give two very simple examples here:
- In one of the projects, we already had a data model for keeping verification info. This package brought another method, so I had to add a signal receiver to automatically save it active for each user. Also, I don't remember the exact case now but there were some hardcoded things in the codebase that prevents the user from using several endpoints, so you can't just ignore it and you have to hack your way around.
- Testing. I don't think anybody wants to be have to verify each user in a testing environment, thus the need for a close switch.
@ulgens I got your points and especially the first one, for testing, I think you can skip this verification process in a central point quite easily.
Shall we discuss the best approach to bypassing/switching the verification in this thread?
I think we should discuss the verification in general but i'm more willing to spend my time on graphql-jwt package's issues for now.
Is there an option to skip the verification part after a year?
cc: @PedroBern
I'm not sure about skipping the whole verification part but you avoid sending the activation mail to the user on sign-up and still let them log in
in your settings.py file
paste that
GRAPHQL_AUTH = { "SEND_ACTIVATION_EMAIL": False, }
then use the inbuilt "resend activation mail" mutation to verify them when needed