@alexisintech
Member

the email-password custom flow guide doesn't have the copy regarding MFA setup nor explanations of the code added, and it's meant to be more for basic usage and users that don't have MFA enabled. if users want to enable MFA, they can go to the appropriate guide, so i've updated the code to point them there

@alexisintech alexisintech requested a review from a team as a code owner February 4, 2026 01:26
@vercel

vercel bot commented Feb 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-docs Error Error Feb 9, 2026 10:10pm


@alexisintech alexisintech mentioned this pull request Feb 4, 2026
8 tasks
@alexisintech alexisintech requested review from dstaley and removed request for a team February 4, 2026 01:27
@dstaley
Member

dstaley commented Feb 4, 2026

My thinking here was that with client trust enabled (which is the default for new instances I believe), signing in with email and password on a new client requires the handling of the needs_second_factor status. So if you follow the guide as this PR details you actually won't be able to sign in for the first time; you'd need to also incorporate the logic from the MFA guide. Since this is a default and not something you can turn off I think it makes sense to show that logic in the guide.

@alexisintech
Member Author

alexisintech commented Feb 4, 2026

> My thinking here was that with client trust enabled (which is the default for new instances I believe), signing in with email and password on a new client requires the handling of the needs_second_factor status. So if you follow the guide as this PR details you actually won't be able to sign in for the first time; you'd need to also incorporate the logic from the MFA guide. Since this is a default and not something you can turn off I think it makes sense to show that logic in the guide.

ahhh if it's for client trust, two things:

  1. the examples are using totp (auth app) or backup codes, both you have to manually enable under "multi-factor auth" in the dash. whereas email codes are probably a better route, because they are auto-enabled if email is enabled, which brings me to point two:
  2. the dash says if the user hasn't configured a second factor, email code (default), phone code, or email link will be used
Screenshot 2026-02-04 at 12 06 05

which is why i believe if we are going to add support for client trust to the custom flows, it should be using email code!
so i'm cool to keep the handling of needs_second_factor, and can add a comment about doing this due to client trust (with a link to that doc), and then using email code there

})

await signUp.verifications.sendEmailCode()
if (!error) {
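
Review bot: `await signUp.verifications.sendEmailCode()` runs before the `if (!error)` check and its own result is not captured, so the verification email is sent regardless of what `error` holds, and a failed send would go unnoticed. Consider moving the call inside the `if (!error)` branch and checking what it returns before advancing the flow. A short code comment stating which verification settings this call assumes would also help readers whose instance is configured differently.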
Member Author

@alexisintech alexisintech Feb 10, 2026


this is if the user has "verify at sign up" and "email verification code" enabled
they can have email link enabled - will need to think about this
