What's the purpose of Verify Email? #1865

Closed
opened 2025-10-09 17:33:36 +03:00 by OVERLORD · 15 comments

Originally created by @pdarcos on GitHub.

Hi guys,

I noticed the verify email message is present when you first log in, but I don't see what the purpose is for this in bitwarden_rs

"Verify your account's email address to unlock access to all features"

Is this a leftover from bitwarden? What other features are there?

Thanks

@mprasil commented on GitHub:

I think this was answered? Going to close, but feel free to reopen if there are more questions regarding this.

@tomuta commented on GitHub:

I think the initial motivation was to have that in place together with domain whitelist so that users won't be able to log in until they verify they own email matching the whitelist.

Well, that might be a bitwarden_rs-only enhancement. The SIGNUPS_DOMAINS_WHITELIST list in combination with SIGNUPS_VERIFY=true and SIGNUPS_ALLOWED=true allows an organization to create/delete accounts with e.g. their corporate email address so long as they have access to their emails. This also prevents them from impersonating someone else (though that would pose little harm unless you use organizations to share passwords).

The "stock" email verification however actually serves another purpose: It prevents someone else from deleting your account pretending to have lost the password. If you create an account and either mistyped your email address or you do not remember your password, and you also haven't verified your email, then you (or anyone else) can actually delete that account instantly. This way you can re-create your account with the correct email address, or with the correct master password. However, if you want to prevent others from doing this, then you need to verify your email after creating the account. This is because the bitwarden model doesn't require upfront email verification, accounts instantly work after creating them. A slight deviation from that model is setting SIGNUPS_VERIFY=true, in which case email verification is forced after creating the account and before being able to log in, which eliminates these drawbacks (but feels like it's shoe-horned into the stock bitwarden model).

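The setup tomuta describes, as an added example that is not from this issue or from the project's own documentation: a docker-compose fragment that limits self-registration to one corporate mail domain and refuses login until the address has been verified through the mailed link. The domain `corp.example`, the SMTP host and the credentials are placeholders. SIGNUPS_VERIFY only works with a reachable SMTP server, since the verification mail has to be delivered; and addresses matching SIGNUPS_DOMAINS_WHITELIST are accepted for registration even when SIGNUPS_ALLOWED is false, so the whitelist, not SIGNUPS_ALLOWED, is what actually gates who may register here.

```yaml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      # Public URL of the instance; verification links in the mails point here
      # (placeholder host name).
      DOMAIN: "https://vault.corp.example"
      # Self-registration is open, but only for the corporate mail domain
      # (placeholder domain).
      SIGNUPS_ALLOWED: "true"
      SIGNUPS_DOMAINS_WHITELIST: "corp.example"
      # Without this line a freshly registered account can log in at once and
      # the "Verify your account's email address" banner is only a reminder.
      # With it, login is blocked until the link from the verification mail
      # has been opened.
      SIGNUPS_VERIFY: "true"
      # SMTP is required for SIGNUPS_VERIFY; all values below are placeholders.
      SMTP_HOST: "smtp.corp.example"
      SMTP_FROM: "vaultwarden@corp.example"
      SMTP_PORT: "587"
      SMTP_SECURITY: "starttls"
      SMTP_USERNAME: "vaultwarden"
      SMTP_PASSWORD: "change-me"
    volumes:
      - ./vw-data:/data
```

After starting the container, register with an address outside `corp.example` and confirm the signup is rejected; then register with a matching address and confirm that login fails until the mailed link has been used. If no mail arrives, check the SMTP values first: a wrong SMTP_SECURITY or port leaves every new account permanently locked out.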
@mprasil commented on GitHub:

I think the initial motivation was to have that in place together with domain whitelist so that users won't be able to log in until they verify they own email matching the whitelist.

@BlackDex commented on GitHub:

It can also be a special check for the admins to maybe force people to verify their e-mail within x hours or so. That is something we could create if we wanted.

I can't remember features not working when not verified in the official self-hosted or cloud version. But not sure.

@Zauberfisch commented on GitHub:

My initial guess was that the "send me my master password hint" feature would only send you an email if your email address is confirmed. Same for "new login from ...." notifications.

But I just tested that, and that's not the case. Unconfirmed accounts still get both types of emails.

I think keeping the confirmation of emails makes sense, because of the 2 reasons above. And the email sending part should be fixed to only send emails to confirmed addresses.

@Zauberfisch commented on GitHub:

ah, right. Sorry, just woke up then and wasn't thinking straight.

But I am still not sure about your statement though. How can I delete someone else's account that is not verified?
Doesn't the delete thing always send a link?

@Zauberfisch commented on GitHub:

@mprasil is this issue resolved though?
As far as I can tell even what @tomuta said is just brainstorming ideas. The actual feature currently has no effect.
Therefore I believe it would be beneficial to keep this issue open.

@tomuta commented on GitHub:

That's the purpose of verify email. Once verified, someone else cannot delete your account, but until you do, anyone can.

@tomuta commented on GitHub:

No, if the email address hasn't been verified, deleting the account is instant and does not trigger any email to be sent. Account deletion is instant. You can test this behavior on bitwarden.com with a free account.

@Zauberfisch commented on GitHub:

yeah, just confirmed. I can delete accounts that have not verified the email address.

@Zauberfisch commented on GitHub:

ok, I did some more testing:

  • create account, delete via #/recover-delete (not logged in) (NOT verified)

    I receive a delete link via email. deleting without email is not possible

  • create account, verify, delete via #/recover-delete (not logged in)

    I receive a delete link via email. deleting without email is not possible

  • create account, login, delete via account settings (NOT verified)

    Account is deleted immediately without any email

  • create account, login, verify, delete via account settings

    Account is deleted immediately without any email

so clearly, the verify email system has no effect on account deletion

@tomuta commented on GitHub:

You can delete your account on the /#/recover-delete page, e.g. on bitwarden.com: https://vault.bitwarden.com/#/recover-delete

If you type in an email address that hasn't been verified, it should delete the account instantly (and it will not send an email!). Otherwise, it will send an email with a link to confirm the deletion request.

@sombatos commented on GitHub:

Is there any way to hide this "VERIFY EMAIL" block via CSS for example when running Bitwarden using docker?

@tomuta commented on GitHub:

Hm I must have remembered this wrong. You are right, it always sends an email, whether verified or not. Looking at bitwarden_rs, that's what we do as well.

@Zauberfisch commented on GitHub:

uhm. I have not tested bitwarden.com. I only tested bitwarden_rs

Reference: starred/vaultwarden#1865