GraphQL: verifyEmail with emailed token

[MichaelJCole]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

This REST endpoint to handle email verification links doesn't seem to have a matching GraphQL mutation

Steps to reproduce

Read the docs, spend a few days getting logins to work using GraphQL.

Actual Outcome

Complete the job with a REST endpoint :-)

Expected Outcome

A complete GraphQL API for managing users, w/o the need for the /parse REST API. Maybe there's a reason for this I don't understand.

Environment

"resolutions": {
"graphql": "^14.7.0"
},
"dependencies": {
"dotenv": "^8.2.0",
"express": "^4.17.1",
"graphql": "^14.7.0",
"graphql-tag": "^2.11.0",
"nodemon": "^2.0.6",
"parse-server": "^4.4.0",
"parse-server-aws-ses": "^1.0.0"
}

[MichaelJCole]

Ok, I think it's just not documented. The GraphQL Guide might be improved with this documentation - what do you think?

This needed my attention because I need to configure my nginx reverse proxy to proxy the /app path.

---

When the email verification link is clicked in the user's email client, it (probably) opens a browser to GET a Parse REST API endpoint which verifies the emailed link:

${config.publicServerURL}/apps/:appId/verify_email?username=some@user.name&token=1234567890

On success or failure, the REST API 302 forwards the browser to locations specified when starting the server:

var api = new ParseServer({
  ...otherOptions
  emailAdapter: {},
  customPages: {
    invalidLink: 'http://yourpage/link_invalid.html',
    verifyEmailSuccess: 'http://yourpage/verify_email_success.html',
    choosePassword: 'http://yourpage/new_password.html',
    passwordResetSuccess: 'http://yourpage/sucess.html'
  }
});

These are URL's to pages in your front-end application. Your application must complete the user's interactions.

---

[mtrezza]

Thanks for reporting.

If you think the documentation can be improved, please let us know where you would expect to see which information by opening an issue in the docs repo. If you want to go even further, we would gladly review your PR for the docs change.

I'm closing this as it does not seem to be a Parse Server issue. Feel free to comment if you have any questions and we can re-open this issue.

[MichaelJCole]

Hi @mtrezza, thanks for the reply and invite. I haven't get gotten email verifications to work in my app. I have been digging through the code to get this far.

I think the missing GraphQL mutation makes the GraphQL API incomplete. I'd rather handle this interaction in the router of my front-end web app.

Since that's not available (and I'm still evaluating Parse), I'm happy to use the REST endpoint, but it's not working. I configured Parse to send the email (see below). It sent the email. I clicked the link:

https://www.danger.team/apps/dramawithfriends/verify_email?token=nXTt5eHdbeS2fHl3Cx3zMxdul&username=test1%40michaelcole.com

Parse responds:

Cannot GET /apps/dramawithfriends/verify_email

www.danger.team` has A records to 127.0.0.1, where nginx reverse proxies to localhost:1337. That URL also gives the same response:

http://localhost:1337/apps/dramawithfriends/verify_email?token=nXTt5eHdbeS2fHl3Cx3zMxdul&username=test1%40michaelcole.com

Cannot GET /apps/dramawithfriends/verify_email

I don't see anything in the Parse logs.

Here's the server config I pulled from the documentation:

const parseServer = new ParseServer({
    appId: process.env.APPLICATION_ID,
    masterKey: process.env.MASTER_KEY,
    databaseURI: process.env.DATABASE_URI,
    serverURL: process.env.SERVER_URL,  // ends with '/parse'
  
    // Email: https://github.com/parse-community/parse-server#email-verification-and-password-reset
    verifyUserEmails: true,
    preventLoginWithUnverifiedEmail: false, // defaults to false
    publicServerURL: process.env.PUBLIC_SERVER_URL || process.env.SERVER_URL,
    appName: 'Drama With Friends',
    emailAdapter: {...},
    customPages: {
      invalidLink: `${process.env.PUBLIC_SERVER_URL}/hello/invalid-link`,
      verifyEmailSuccess: `${process.env.PUBLIC_SERVER_URL}/hello/verified`,
  
      choosePassword: `${process.env.PUBLIC_SERVER_URL}/hello/resetPassword`,
      passwordResetSuccess: `${process.env.PUBLIC_SERVER_URL}/hello/passwordSaved`,
    },
    accountLockout: {
      duration: 5, // duration policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. Set it to a value greater than 0 and less than 100000.
      threshold: 3, // threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. Set it to an integer value greater than 0 and less than 1000.
    },
    passwordPolicy: {
      validatorPattern: /^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.{8,})/, // enforce password with at least 8 char with at least 1 lower case, 1 upper case and 1 digit
      validationError: 'Password must contain lowercase, uppercase, and at least 1 digit.',
      doNotAllowUsername: true, // optional setting to disallow username in passwords
      resetTokenValidityDuration: 24*60*60, // expire after 24 hours
    }
  })

[mtrezza]

I think the missing GraphQL mutation makes the GraphQL API incomplete. I'd rather handle this interaction in the router of my front-end web app.

@Moumouls Can I get your opinion on whether this could be a Parse Server GraphQL issue? Or does this seem like specific to the custom architecture?

[MichaelJCole]

Hi, guys, thanks for looking.

About the REST verification url, I posted a question in the forum.

http://localhost:1337/apps/dramawithfriends/verify_email?token=nXTt5... goes straight to the express app setup as described in the GraphQL guide. So there's no infrastructure in between. I mentioned it in case my Parse server configuration is emailing broken URLs. The Playground works, so I assumed it was setup correctly.

Do you have an example email verification link? Maybe the link is malformed?

If this was available as a GraphQL mutation, it would be done already :-)

[Moumouls]

Here we have two things:

• 1. Lack of documentation on how email verification works, currently on sign up user receive an email with a link that redirect to a pre defined html page managed by parse server and then call automatically the verify endpoint with the token in the URL. So developer must have a correct email adapter and valid public server url to get this work.
• 2. And yes if a developer wants to customize this workflow and use GraphQL API to verify email with the emailed token (currently i don't know how you can intercept the token...), the GraphQL verifyEmail mutation do not exist currently to support this workflow.

@MichaelJCole i think the feature pretty simple to implement, would you to give a try to send a PR to support verifyEmail via GraphQL API ? 😄

There are some example of similar implementations into the GraphQL folder (user mutation). 😉

[MichaelJCole]

@Moumouls thank you!

re: docs and feature, I may come back to this after I get Parse to work for my application. I haven't put any data in it yet. I'm still at logins.

re: the URL, it was malformed. This won't work:

http://localhost:1337/apps/dramawithfriends/verify_email?token=nXTt5...

This is worked:

http://localhost:1337/parse/apps/dramawithfriends/verify_email?token=nXTt5...