Add email link same device/browser setting docs #1044
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mzhong9723
force-pushed
the
mz/core-1979-email-link-protection-docs
branch
from
58ff990
to
345bc19
Compare
|
Hey, here’s your docs preview: https://clerk.com/docs/pr/1044 |
mzhong9723
changed the title
S3Prototype
reviewed
May 15, 2024
S3Prototype
approved these changes
May 15, 2024
S3Prototype
reviewed
May 15, 2024
zythosec
approved these changes
May 17, 2024
mzhong9723
force-pushed
the
mz/core-1979-email-link-protection-docs
branch
from
9a8c48a
to
77c6b6a
Compare
|
Hey, here’s your docs preview: https://clerk.com/docs/pr/1044 |
mzhong9723
force-pushed
the
mz/core-1979-email-link-protection-docs
branch
from
77c6b6a
to
ccab59c
Compare
mzhong9723
changed the title
|
Hey, here’s your docs preview: https://clerk.com/docs/pr/1044 |
mzhong9723
force-pushed
the
mz/core-1979-email-link-protection-docs
branch
from
ccab59c
to
f9517bd
Compare
|
Hey, here’s your docs preview: https://clerk.com/docs/pr/1044 |
| @@ -20,7 +20,7 @@ function handleEmailLinkVerification( | |||
|
|
|||
| When users click on email links they get redirected to the URL that was provided during email link verification flow initialization. The URL will contain a couple of important query parameters added by Clerk. These are called `__clerk_status` and `__clerk_created_session`. | |||
|
|
|||
| The `__clerk_status` query parameter is the outcome of the verification and can take three values: **verified**, **failed** or **expired**. | |||
| The `__clerk_status` query parameter is the outcome of the verification and can take four values: **verified**, **failed**, **expired**, or **client_mismatch**. **client_mismatch** can only be a verification outcome if [Require the same device or browser](/docs/security/email-link-protection) is turned on for sign-ins or sign-ups. | |||
There was a problem hiding this comment.
Suggested change
| The `__clerk_status` query parameter is the outcome of the verification and can take four values: **verified**, **failed**, **expired**, or **client_mismatch**. **client_mismatch** can only be a verification outcome if [Require the same device or browser](/docs/security/email-link-protection) is turned on for sign-ins or sign-ups. | |
| The `__clerk_status` query parameter is the outcome of the verification and accepts the following values: `verified`, `failed`, `expired`, or `client_mismatch`. `client_mismatch` can only be a verification outcome if the [**Require the same device or browser**](/docs/security/email-link-protection) setting is turned on for sign-ins or sign-ups. |
Comment on lines
27
to
31
| To configure this security setting, go to [Email, Phone, and Username](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username) section of the Clerk Dashboard. | ||
|
|
||
| To enable this protection for sign-ups, go to **Contact information** > **Email address**. Open the modal and make sure **Require the same device and browser** is enabled under the **Email verification link** checkbox. | ||
|
|
||
| To enable this protection for sign-ins, go to **Authentication strategies** > **Email verification link**. Ensure **Require the same device and browser** is toggled on in the configuration modal. |
There was a problem hiding this comment.
Is there a way I can test this in the Dashboard? It's not currently there, and I don't see it in staging either.
Suggested change
| To configure this security setting, go to [Email, Phone, and Username](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username) section of the Clerk Dashboard. | |
| To enable this protection for sign-ups, go to **Contact information** > **Email address**. Open the modal and make sure **Require the same device and browser** is enabled under the **Email verification link** checkbox. | |
| To enable this protection for sign-ins, go to **Authentication strategies** > **Email verification link**. Ensure **Require the same device and browser** is toggled on in the configuration modal. | |
| To configure this security setting, navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username) and in the navigation sidebar, select **Email, Phone, Username**. | |
| To enable this protection for **sign-ups**: | |
| 1. In the **Contact information** section, next to **Email address**, select the settings icon. | |
| 1. Under the **Email verification link** checkbox, ensure **Require the same device and browser** is enabled. | |
| To enable this protection for **sign-ins**: | |
| 1. In the **Authentication strategies** section, next to **Email verification link**, select the settings icon. | |
| 1. Ensure **Require the same device and browser** is toggled on. |
There was a problem hiding this comment.
It's enabled in staging now! https://clerkinc.slack.com/archives/CHZ1FBBEG/p1717534767333909
I also updated this section a bit. I realized the previous wording was implying the setting could be turned on for sign-ins only, for example, but it's the same setting for both sign-ins and sign-ups. You can't turn it on only for one or the other. Lmk what you think!
Merged
add additional detail about disabling email link protection
mzhong9723
force-pushed
the
mz/core-1979-email-link-protection-docs
branch
from
f9517bd
to
5e98405
Compare
alexisintech
approved these changes
Jun 6, 2024
|
|
||
| Authentication strategies section: | ||
| 1. In the **Authentication strategies** section, next to **Email verification link**, select the settings icon. | ||
| 2. Ensure **Require the same device and browser** is toggled on. |
There was a problem hiding this comment.
It's a checkbox instead of a toggle. Not sure why that decision was made - do we want to make those consistent in the Dashboard?
Suggested change
| 2. Ensure **Require the same device and browser** is toggled on. | |
| 2. Ensure **Require the same device and browser** is checked. |
In particular, clarify how the require same client setting will affect email link flows.
|
Hey, here’s your docs preview: https://clerk.com/docs/pr/1044 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New documentation for email link require same client setting
handleEmailLinkVerification()documentation to add info about the newclient_mismatchstatus that will be introduced if this setting is turned on🔎 Previews: