Email verification fails when multiple users register

[checkmeck]

What happened?

I observed that the email verification fails when multiple users attempt to register within a short period of time.

During my testing, the following occurred: Multiple tokens were generated in the tokens table. Once one user was successfully validated, the entire table was cleared, which caused the verification attempts of the other users—whose tokens were also stored in the table—to fail.

Version Information

ghcr.io/danny-avila/librechat-dev latest 8d938efaacda 2 weeks ago 1.56GB

Steps to Reproduce

1. Register multiple (e.g. 3) users with email [email protected] and do not verify them yet.
2. Validate one of the users -> should complete successfully
3. Try to validate the other users -> did fail in my testing for any of them

What browsers are you seeing the problem on?

No response

Relevant log output

{"level":"debug","message":"[sendEmail] Using SMTP provider","timestamp":"2025-09-05T06:40:45.889Z"}
{"level":"info","message":"[sendVerificationEmail] Verification link issued. [Email: [email protected]]","timestamp":"2025-09-05T06:40:46.384Z"}
{"level":"debug","message":"[sendEmail] Using SMTP provider","timestamp":"2025-09-05T06:41:07.954Z"}
{"level":"info","message":"[sendVerificationEmail] Verification link issued. [Email: [email protected]]","timestamp":"2025-09-05T06:41:08.286Z"}
{"level":"debug","message":"[sendEmail] Using SMTP provider","timestamp":"2025-09-05T06:41:22.010Z"}
{"level":"info","message":"[sendVerificationEmail] Verification link issued. [Email: [email protected]]","timestamp":"2025-09-05T06:41:22.400Z"}
{"level":"info","message":"[verifyEmail] Email verification successful [Email: [email protected]]","timestamp":"2025-09-05T06:42:07.509Z"}
{"level":"debug","message":"X-Forwarded headers detected in OAuth request:","timestamp":"2025-09-05T06:43:39.759Z","x-forwarded-for":"<ip>","x-forwarded-host":"<url>","x-forwarded-proto":"https"}
{"level":"error","message":"[Login] [Login failed] [Username: [email protected]] [Request-IP: <ip>]","timestamp":"2025-09-05T06:43:39.851Z"}
{"level":"warn","message":"[verifyEmail] [Invalid or expired email verification token] [Email: mail1.domain.tld]","timestamp":"2025-09-05T06:57:17.031Z"}

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Hi! Thanks for the detailed report. I've investigated and this is actually working as intended.

What's happening: Email verification tokens expire after 15 minutes for security. MongoDB automatically deletes expired tokens.

Looking at each user:

mail2 ✅ Success

• Registered: 06:41:08
• Verified: 06:42:07 (1 minute later - within 15-minute window)

mail1 ❌ Token Expired

• Registered: 06:40:46
• Attempted verification: 06:57:17 (16.5 minutes later - token already expired)

mail3 ❌ Never Verified

• Registered: 06:41:22
• Attempted login: 06:43:39 (without verifying email first)
• Login failed because email verification is required

The tokens weren't cleared when mail2 verified. Instead:

• mail1's token expired after 15 minutes and was auto-deleted by MongoDB
• mail3 tried to skip email verification entirely

[checkmeck]

Hi, thanks for your fast reply.

The exact logs I posted are reconstructed examples. However, I observed the described behavior yesterday, especially the changes in the database.

In my opinion, the issue I am describing is not related to tokens expiring over time. Here are the logs captured within a 15-minute timeframe:

{"level":"debug","message":"[sendEmail] Using SMTP provider","timestamp":"2025-09-05T07:14:00.334Z"}
{"level":"info","message":"[sendVerificationEmail] Verification link issued. [Email: mail1]","timestamp":"2025-09-05T07:14:00.687Z"}
{"level":"debug","message":"[sendEmail] Using SMTP provider","timestamp":"2025-09-05T07:15:35.615Z"}
{"level":"info","message":"[sendVerificationEmail] Verification link issued. [Email: mail2]","timestamp":"2025-09-05T07:15:35.943Z"}
{"level":"debug","message":"[sendEmail] Using SMTP provider","timestamp":"2025-09-05T07:15:49.284Z"}
{"level":"info","message":"[sendVerificationEmail] Verification link issued. [Email: mail3]","timestamp":"2025-09-05T07:15:49.647Z"}
{"level":"info","message":"[verifyEmail] Email verification successful [Email: mail2]","timestamp":"2025-09-05T07:16:11.647Z"}
{"level":"info","message":"[verifyEmail] Email already verified [Email: mail2]","timestamp":"2025-09-05T07:16:11.743Z"}
{"level":"warn","message":"[verifyEmail] [No email verification data found] [Email: mail1]","timestamp":"2025-09-05T07:16:33.986Z"}
{"level":"warn","message":"[verifyEmail] [No email verification data found] [Email: mail1]","timestamp":"2025-09-05T07:16:34.190Z"}
{"level":"warn","message":"[verifyEmail] [No email verification data found] [Email: mail1]","timestamp":"2025-09-05T07:16:34.223Z"}```

[checkmeck]

I opened a new issue with more details about this behavior #9475

[danny-avila]

Closed by #9477