Hi, I set up my app to require email verification, and the verification works. However, when I added a new page (“dashboard”), I noticed that the user can access the page without having email verified.
The steps are:
- User signs up, giving email and password
- User gets redirected to verify email screen.
- User ignores the verification, but instead enters manually an URL for the dashboard in the browser, e.g. https://domain.app/dashboard.
- The user gets access to the dashboard, as the header only checks if user is logged in, but not if they are verified.
Is this a bug or a feature? Can I prevent unverified but logged-in users accessing pages?
Thanks in advance,