ExecuteActionsActionTokenHandler verifies email without event or required action removal
#42.875 aperta il 23 set 2025
Metriche repository
- Star
- (34.398 star)
- Metriche merge PR
- (Merge medio 6g 19h) (384 PR mergiate in 30 g)
Descrizione
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
core
Describe the bug
The ExecuteActionsActionTokenHandler sets the user email to be verified
// verify user email as we know it is valid as this entry point would never have gotten here.
user.setEmailVerified(true);
If the user aborts the action, e.g. closing the tab while updating the password, the email is verified, but neither an user event is published nor the required action VERIFY_EMAIL is removed from the user.
Version
26.3.4
Regression
- The issue is a regression
Expected behavior
Whenever the user email is marked as verified, the corresponding user event should be published and the required user action is removed, if it is configured for the user.
Actual behavior
The user email is verified without user event and the required user action is still set on the user.
How to Reproduce?
- create an user, set email as unverified and add the VERIFY_EMAIL required action
- trigger the execute-actions-email with UPDATE_PASSWORD
- click on the link in the email, proceed to the update password tab and close it without submitting a password
- check on user details page, the email is verified, but the required action is still configured and no user event was created
Anything else?
We implemented an event listener, to forward the VERIFY_EMAIL event to our customer api. The customer complained about not receiving events for some users. It turned out that the user got the email and clicked the link, but aborted the process of updating the password. Still the email was marked as verified.