mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-04-26 01:35:54 +03:00
[GH-ISSUE #793] What's the purpose of Verify Email? #551
Originally created by @pdarcos on GitHub (Jan 1, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/793
Hi guys,
I noticed the verify email message is present when you first log in, but I don't see what the purpose is for this in bitwarden_rs.
"Verify your account's email address to unlock access to all features"
Is this a leftover from bitwarden? What other features are there?
Thanks
@Zauberfisch commented on GitHub (Jan 2, 2020):
My initial guess was that the "send me my master password hint" feature would only send you an email if your email address is confirmed. Same for "new login from ..." notifications.
But I just tested that, and that's not the case. Unconfirmed accounts still get both types of emails.
I think keeping the confirmation of emails makes sense, because of the 2 reasons above. And the email sending part should be fixed to only send emails to confirmed addresses.
@mprasil commented on GitHub (Jan 2, 2020):
I think the initial motivation was to have that in place together with domain whitelist so that users won't be able to log in until they verify they own an email matching the whitelist.
@BlackDex commented on GitHub (Jan 3, 2020):
It can also be a special check for the admins to maybe force people to verify their e-mail within x hours or so. That is something we could create if we wanted.
I can't remember features not working when not verified in the official self-hosted or cloud version. But not sure.
@tomuta commented on GitHub (Jan 5, 2020):
Well, that might be a bitwarden_rs-only enhancement. The SIGNUPS_DOMAINS_WHITELIST list in combination with SIGNUPS_VERIFY=true and SIGNUPS_ALLOWED=true allows an organization to create/delete accounts with e.g. their corporate email address so long as they have access to their emails. This also prevents them from impersonating someone else (though that would pose little harm unless you use organizations to share passwords).

The "stock" email verification however actually serves another purpose: It prevents someone else from deleting your account pretending to have lost the password. If you create an account and either mistyped your email address or you do not remember your password, and you also haven't verified your email, then you (or anyone else) can actually delete that account instantly. This way you can re-create your account with the correct email address, or with the correct master password. However, if you want to prevent others from doing this, then you need to verify your email after creating the account. This is because the bitwarden model doesn't require upfront email verification, accounts instantly work after creating them. A slight deviation from that model is setting SIGNUPS_VERIFY=true, in which case email verification is forced after creating the account and before being able to log in, which eliminates these drawbacks (but feels like it's shoe-horned into the stock bitwarden model).
@mprasil commented on GitHub (Jan 29, 2020):
I think this was answered? Going to close, but feel free to reopen if there are more questions regarding this.
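The SIGNUPS_ALLOWED / SIGNUPS_VERIFY / SIGNUPS_DOMAINS_WHITELIST combination that @tomuta describes above, written out as a vaultwarden environment file. This is an added example for this thread, not configuration from the vaultwarden project or from any of the participants; the hostnames, domains, addresses and credentials are placeholders, and the setting names are those of a current vaultwarden build (the older bitwarden_rs builds discussed in the thread used SMTP_SSL / SMTP_EXPLICIT_TLS instead of SMTP_SECURITY).

```dotenv
# Added example, not part of the vaultwarden project or this issue.
# All hostnames, domains, addresses and secrets below are placeholders.

DOMAIN=https://vault.example.com

# Weak: anyone can register, the account works the instant it is created,
# and nothing checks that the address is real or that it belongs to the
# organisation. Commented out so it is not applied.
# SIGNUPS_ALLOWED=true
# SIGNUPS_VERIFY=false

# Hardened: self-registration only for addresses on the corporate domains,
# and only after the mailbox proves it can receive the verification link.
# In current vaultwarden a non-empty whitelist takes precedence over
# SIGNUPS_ALLOWED, so the allowlist alone opens signups for these domains.
SIGNUPS_ALLOWED=true
SIGNUPS_DOMAINS_WHITELIST=example.com,corp.example.com
SIGNUPS_VERIFY=true

# SIGNUPS_VERIFY only makes sense (and is only accepted by the server)
# when SMTP is configured, because the verification link has to be mailed.
SMTP_HOST=smtp.example.com
SMTP_FROM=vaultwarden@example.com
SMTP_PORT=587
SMTP_SECURITY=starttls
SMTP_USERNAME=vaultwarden@example.com
SMTP_PASSWORD=change-me
```

With the hardened block in place a registration from an address outside the listed domains is rejected, and a registration from a listed domain cannot log in until the link sent to that mailbox has been followed, which is the "forced verification before first login" deviation from the stock Bitwarden model described in the comment above. The weak block is what the rest of this thread is testing against: accounts are usable immediately, and the "Verify email" banner is merely advisory.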
@Zauberfisch commented on GitHub (Jan 29, 2020):
@mprasil is this issue resolved though?
As far as I can tell even what @tomuta said is just brainstorming ideas. The actual feature currently has no effect.
Therefore I believe it would be beneficial to keep this issue open.
@Zauberfisch commented on GitHub (Jan 29, 2020):
yeah, just confirmed. I can delete accounts that have not verified the email address.
@tomuta commented on GitHub (Jan 29, 2020):
That's the purpose of verify email. Once verified, someone else cannot delete your account, but until you do, anyone can.
@Zauberfisch commented on GitHub (Jan 29, 2020):
ah, right. Sorry, just woke up then and wasn't thinking straight.
But I am still not sure about your statement though. How can I delete someone else's account that is not verified?
Doesn't the delete thing always send a link?
@tomuta commented on GitHub (Jan 30, 2020):
No, if the email address hasn't been verified, deleting the account is instant and does not trigger any email to be sent. Account deletion is instant. You can test this behavior on bitwarden.com with a free account.
@tomuta commented on GitHub (Jan 30, 2020):
You can delete your account on the /#/recover-delete page, e.g. on bitwarden.com: https://vault.bitwarden.com/#/recover-delete
If you type in an email address that hasn't been verified, it should delete the account instantly (and it will not send an email!). Otherwise, it will send an email with a link to confirm the deletion request.
@Zauberfisch commented on GitHub (Jan 30, 2020):
ok, I did some more testing:
#/recover-delete (not logged in) (NOT verified)
#/recover-delete (not logged in)
so clearly, the verify email system has no effect on account deletion
@tomuta commented on GitHub (Jan 30, 2020):
Hm I must have remembered this wrong. You are right, it always sends an email, whether verified or not. Looking at bitwarden_rs, that's what we do as well.
@Zauberfisch commented on GitHub (Jan 30, 2020):
uhm. I have not tested bitwarden.com. I only tested bitwarden_rs
@sombatos commented on GitHub (Dec 21, 2020):
Is there any way to hide this "VERIFY EMAIL" block via CSS for example when running Bitwarden using docker?