Skip to main content

If you are using our backend SDK that is lesser than the following versions, please visit the older documentation link here.

Allow users to change their email

caution

SuperTokens does not provide the UI for users to update their email, you will need to create the UI and setup a route on your backend to have this functionality.

In this section we will go over how you can create a route on your backend which can update a user's email. Calling this route will check if the new email is valid and not already in use and proceed to update the user's account with the new email. There are two types of flows here:

Flow 1: Update email without verifying the new email.#

In this flow a user is allowed to update their accounts email without verifying the new email id.

Step 1: Creating the /change-email route#

  • You will need to create a route on your backend which is protected by the session verification middleware, this will ensure that only a authenticated user can access the protected route.
  • To learn more about how to use the session verification middleware for other frameworks click here
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express"
import express from "express";

let app = express();

app.post("/change-email", verifySession(), async (req: SessionRequest, res: express.Response) => {
// TODO: see next steps
})

Step 2: Validate the new email and update the account#

  • Validate the input email.
  • Check that the account you are trying to update is not social account.
  • Update the account with the input email.
// the following example uses express
import Passwordless from "supertokens-node/recipe/passwordless";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express"
import express from "express";
import supertokens from "supertokens-node";
import {isEmailChangeAllowed} from "supertokens-node/recipe/accountlinking"

let app = express();

app.post("/change-email", verifySession(), async (req: SessionRequest, res: express.Response) => {

let session = req.session!;
let email = req.body.email;

// Validate the input email
if (!isValidEmail(email)) {
// TODO: handle invalid email error
return
}



// Check that the account to be updated is not a social account
{
let userId = session!.getUserId();
let userAccount = await supertokens.getUser(userId!);
let loginMethod = userAccount?.loginMethods.find(lM => {
return lM.recipeUserId.getAsString() === session.getRecipeUserId().getAsString()
})!

if (loginMethod.recipeId === "thirdparty") {
// TODO: handle error, cannot update email for third party users.
return
}
}

if (!(await isEmailChangeAllowed(session.getRecipeUserId(), email, false))) {
// this can come here if you have enabled the account linking feature, and
// if there is a security risk in changing this user's email.
}

// Update the email
let resp = await Passwordless.updateUser({
recipeUserId: session.getRecipeUserId(),
email: email,
});

if (resp.status === "OK") {
// TODO: send successfully updated email response
return
}
if (resp.status === "EMAIL_ALREADY_EXISTS_ERROR") {
// TODO: handle error that email exists with another account.
return
}
if (resp.status === "EMAIL_CHANGE_NOT_ALLOWED_ERROR") {
// This is possible if you have enabled account linking.
// See our docs for account linking to know more about this.
// TODO: tell the user to contact support.
}
throw new Error("Should never come here");

})

function isValidEmail(email: string) {
let regexp = new RegExp(
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
);
return regexp.test(email);
}

Flow 2: Updating email after verifying the new email.#

In this flow the user's account is updated once they have verified the new email.

Step 1: Creating the /change-email route#

  • You will need to create a route on your backend which is protected by the session verification middleware, this will ensure that only a authenticated user can access the protected route.
  • To learn more about how to use the session verification middleware for other frameworks click here
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express"
import express from "express";

let app = express();

app.post("/change-email", verifySession(), async (req: SessionRequest, res: express.Response) => {
// TODO: see next steps
})

Step 2: Validate the email and initiate the email verification flow#

  • Validate the input email
  • Check that the user's account is not a social account.
  • Check if the input email is associated with an account.
  • Check if the input email is already verified.
  • If the email is NOT verified, create and send the verification email.
  • If the email is verified, update the account with the new email.
// the following example uses express
import Passwordless from "supertokens-node/recipe/passwordless";
import EmailVerification from "supertokens-node/recipe/emailverification";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express"
import express from "express";
import supertokens from "supertokens-node";
import { isEmailChangeAllowed } from "supertokens-node/recipe/accountlinking"

let app = express();

app.post("/change-email", verifySession(), async (req: SessionRequest, res: express.Response) => {

let session = req.session!;
let email = req.body.email;

// validate the input email
if (!isValidEmail(email)) {
// TODO: handle error, email is invalid
return
}

// Check if the user's account is not a third party account
{
let userId = session!.getUserId();
let userAccount = await supertokens.getUser(userId);
let loginMethod = userAccount?.loginMethods.find(lM => {
return lM.recipeUserId.getAsString() === session.getRecipeUserId().getAsString()
})!
if (loginMethod.recipeId === "thirdparty") {
// TODO: handle error, cannot update email for third party users.
return
}
}

// Then, we check if the email is verified for this user ID or not.
// It is important to understand that SuperTokens stores email verification
// status based on the user ID AND the email, and not just the email.
let isVerified = await EmailVerification.isEmailVerified(session.getRecipeUserId(), email);

if (!isVerified) {
if (!(await isEmailChangeAllowed(session.getRecipeUserId(), email, false))) {
// this can come here if you have enabled the account linking feature, and
// if there is a security risk in changing this user's email.
return res.status(400).send("Email change not allowed. Please contact support");
}
// Before sending a verification email, we check if the email is already
// being used by another user. If it is, we throw an error.
let user = (await supertokens.getUser(session.getUserId()))!;
for (let i = 0; i < user?.tenantIds.length; i++) {
// Since once user can be shared across many tenants, we need to check if
// the email already exists in any of the tenants.
let usersWithEmail = await supertokens.listUsersByAccountInfo(user.tenantIds[i], {
email
});
for (let y = 0; y < usersWithEmail.length; y++) {
if (usersWithEmail[y].id !== session.getUserId()) {
// TODO handle error, email already exists with another user.
return
}
}
}

// Now we create and send the email verification link to the user for the new email.
await EmailVerification.sendEmailVerificationEmail(session.getTenantId(), session.getUserId(), session.getRecipeUserId(), email);

// TODO send successful response that email verification email sent.
return
}

if (!(await isEmailChangeAllowed(session.getRecipeUserId(), email, true))) {
// this can come here if you have enabled the account linking feature, and
// if there is a security risk in changing this user's email.
return res.status(400).send("Email change not allowed. Please contact support");
}

// Since the email is verified, we try and do an update
let resp = await Passwordless.updateUser({
recipeUserId: session.getRecipeUserId(),
email: email,
});

if (resp.status === "OK") {
// TODO: send successful response that email has been updated
return
}
if (resp.status === "EMAIL_ALREADY_EXISTS_ERROR") {
// TODO: handle error, email already exists for another account
return
}
throw new Error("Should never come here");

})

function isValidEmail(email: string) {
let regexp = new RegExp(
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
);
return regexp.test(email);
}
Multi Tenancy
  • Notice that we loop through all the tenants that this user belongs to check that for each of the tenants, there is no other user with the new email. If we did not do this, then calling updateEmailOrPassword would fail because the email is already used by another user in one of the tenants that this user belongs to. So in that case, we do not want to go through the verification process either.
  • We also pass in the tenantId of the current session when calling the sendEmailVerificationEmail function, so that the link generated will open the the tenant's UI that the user is currently interacting with.
  • When calling updateEmailOrPassword, it will return EMAIL_ALREADY_EXISTS_ERROR if the new email exists in any of the tenants that the user ID is a part of.

Step 3: Override the verifyEmailPost API to update the user's account on successful email verification#

  • Update the accounts email on successful email verification.
import SuperTokens from "supertokens-node";
import EmailVerification from "supertokens-node/recipe/emailverification";
import Passwordless from "supertokens-node/recipe/passwordless";
import Session from "supertokens-node/recipe/session";

SuperTokens.init({
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "...",
},
recipeList: [
// other recipes..
EmailVerification.init({
mode: "REQUIRED",
override: {
apis: (oI) => {
return {
...oI,
verifyEmailPOST: async function (input) {
let response = await oI.verifyEmailPOST!(input);
if (response.status === "OK") {
// This will update the email of the user to the one
// that was just marked as verified by the token.
await Passwordless.updateUser({
recipeUserId: response.user.recipeUserId,
email: response.user.email,
});
}
return response;
},
};
},
},
}),
Session.init(),
],
});