How to prevent sending double emails for a new user?

[oredavids]

Your question

How can I prevent having to send a new user 2 emails?

What are you trying to do

I have a multi-tenant application where users need an email invitation for signup before they can sign-in later(with either Google or Email providers). This means that for a user that chooses Email; they receive a second email from the application in order to sign-in which is less user-friendly than I'd like. I want to merge both steps into a single email such that the single email is sufficient to signup and perform Email sign-in.

In order to do that I am considering the following options:

1. Highjacking the sendVerificationRequest function. I could programmatically make a request to the Email provider after completing the user's signup(without sending an email) and customize the sendVerificationRequest function to include the token in what will serve as a signup/sign-in email. This has the adverse effect of locking the user into only being able to use Email sign-in going forward.

2. Manually create a token for the user after signup email. The idea here is that I will introduce a custom endpoint where requests for a new user, wishing to sign-in, is sent. The endpoint will create an entry for the user in the verification_requests table and then redirect the user's request(modified to include the manual token) to the Email provider URL.

Is this(preventing double emails) worth doing? Are the options listed above recommended or is there a better approach?

[iaincollins]

I think some sort of invitation API would be a good way to support doing this sort of thing.

We did have an issue (or two) where we talked about this in the past, it might have been auto-closed by the bot since then though.

Would be great if someone could dig the issue out and tag it here, will track it!

[kriscarle]

Hi, in case it helps, I've implemented an invite process in my app, this is mostly code copied from the next-auth source https://gist.github.com/kriscarle/8a9df0272e627ea31fb4c322b27467b3

[davevilela]

createVerificationRequest no longer exists...

[balazsorban44]

It does, only it is part of the Adapter now, and is called createVerificationToken:

https://next-auth.js.org/tutorials/creating-a-database-adapter

Take a look at this for different implementations: https://github.com/nextauthjs/adapters/tree/main/packages

[kriscarle]

Yes, my example needs an upgrade to work with the changes in version 4. I'll share once I've done that.

Happy to discuss how to turn this into a PR. The challenge is you need a roles structure to only allow admins to initiate the invite process so it becomes app specific. This workflow is also limited to apps that only use the Email provider and want to prevent multiple emails (avoiding the "I've added you" email). For other providers, or combining Email with other choices, a better workflow may be to give users an invite code or link and then check for that code in the signin callback so only approved users can create accounts.