Customer Account Registration Email Confirmation Flow

[pawel-siejba]

As a customer I want to confirm my account registration so that I can login to my account when confirmation is required.

Not having this essentially breaks GraphQL customer registration flow when the "Require Emails Confirmation" option is turned on. https://docs.magento.com/user-guide/customers/account-options-new.html
Seems pretty urgent since nobody wants anybody to be able to create an account email with somebody else's email.

AC

• GraphQL mutation is added for confirming user account registration from the email link.
• generateCustomerToken mutation is adjusted so that it throws an appropriate error when the user tries to login, but has not confirmed his account/

Proposed Schema

type Mutation {
    customerConfirmRegistration(id: Int!, key: String!): ConfirmOutput @doc(description: "Confirm customer account registration and get access token") @resolver(class: "Magento\\CustomerGraphQl\\Model\\Resolver\\Confirm")
    customerConfirmResend(email: String!): Boolean @doc(description: "Resend customer confirmation email") @resolver(class: "Magento\\CustomerGraphQl\\Model\\Resolver\\ConfirmResend")
}

type ConfirmOutput {
    token: String
}

To enable additional information when the customer tries to login but his account is not confirmed yet, something like this should be done:

--- magento/module-integration/Model/CustomerTokenService.php
+++ magento/module-integration/Model/CustomerTokenService.php
@@ -7,6 +7,7 @@
 namespace Magento\Integration\Model;

 use Magento\Customer\Api\AccountManagementInterface;
+use Magento\Framework\Exception\EmailNotConfirmedException;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Integration\Model\CredentialsValidator;
 use Magento\Integration\Model\Oauth\Token as Token;
@@ -90,6 +91,9 @@
         $this->getRequestThrottler()->throttle($username, RequestThrottler::USER_TYPE_CUSTOMER);
         try {
             $customerDataObject = $this->accountManagement->authenticate($username, $password);
+        } catch (EmailNotConfirmedException $e) {
+            $this->getRequestThrottler()->logAuthenticationFailure($username, RequestThrottler::USER_TYPE_CUSTOMER);
+            throw $e;
         } catch (\Exception $e) {
             $this->getRequestThrottler()->logAuthenticationFailure($username, RequestThrottler::USER_TYPE_CUSTOMER);
             throw new AuthenticationException(

--- /dev/null
+++ magento/module-customer-graph-ql/Exception/GraphQlAuthenticationEmailNotConfirmedException.php
@@ -0,0 +1,32 @@
+<?php
+/**
+ * Copyright © Vaimo Group. All rights reserved.
+ * See LICENSE_VAIMO.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\CustomerGraphQl\Exception;
+
+use GraphQL\Error\ClientAware;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\Framework\Phrase;
+
+class GraphQlAuthenticationEmailNotConfirmedException extends GraphQlAuthenticationException implements ClientAware
+{
+    public const EXCEPTION_CATEGORY = 'graphql-authentication-email-not-confirmed';
+
+    public function __construct(Phrase $phrase, \Exception $cause = null, int $code = 0)
+    {
+        parent::__construct($phrase, $cause, $code);
+    }
+
+    public function isClientSafe(): bool
+    {
+        return true;
+    }
+
+    public function getCategory(): string
+    {
+        return self::EXCEPTION_CATEGORY;
+    }
+}

--- magento/module-customer-graph-ql/Model/Resolver/GenerateCustomerToken.php
+++ magento/module-customer-graph-ql/Model/Resolver/GenerateCustomerToken.php
@@ -8,7 +8,9 @@
 namespace Magento\CustomerGraphQl\Model\Resolver;

 use Magento\Framework\Exception\AuthenticationException;
+use Magento\Framework\Exception\EmailNotConfirmedException;
 use Magento\Framework\GraphQl\Config\Element\Field;
+use Magento\CustomerGraphQl\Exception\GraphQlAuthenticationEmailNotConfirmedException;
 use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\GraphQl\Query\ResolverInterface;
@@ -55,7 +57,10 @@
         try {
             $token = $this->customerTokenService->createCustomerAccessToken($args['email'], $args['password']);
             return ['token' => $token];
-        } catch (AuthenticationException $e) {
+        } catch (EmailNotConfirmedException $e) {
+            throw new GraphQlAuthenticationEmailNotConfirmedException(__($e->getMessage()), $e);
+        }
+        catch (AuthenticationException $e) {
             throw new GraphQlAuthenticationException(__($e->getMessage()), $e);
         }
     }

[paales]

@cpartica This completely covers all the functionality we talked about earlier on Slack.

[paales]

Code snippet how to confirm the customer we've used, should be easily implementable.

type Mutation {
    customerConfirmRegistration(
        customerId: Int!,
        confirmationToken: String!
    ): Boolean
    @resolver(class: "\\ReachDigital\\VerdouwAccountFlow\\Model\\Resolver\\ConfirmCustomer")
    @doc(description: "Confirm the customer account using the confirmation token that the customer received in an email after registering createCustomerV2.")
}

<?php

namespace ReachDigital\VerdouwAccountFlow\Model\Resolver;

use Magento\Customer\Api\AccountManagementInterface;
use Magento\Framework\Exception\LocalizedException;
use Magento\Framework\Exception\NoSuchEntityException;
use Magento\Framework\Exception\State\InputMismatchException;
use Magento\Framework\Exception\State\InvalidTransitionException;
use Magento\Framework\GraphQl\Config\Element\Field;
use Magento\Framework\GraphQl\Exception\GraphQlInputException;
use Magento\Framework\GraphQl\Exception\GraphQlNoSuchEntityException;
use Magento\Framework\GraphQl\Query\ResolverInterface;
use Magento\Framework\GraphQl\Schema\Type\ResolveInfo;

class ConfirmCustomer implements ResolverInterface
{
    private AccountManagementInterface $customerAccountManagement;

    public function __construct(
        AccountManagementInterface $customerAccountManagement
    ) {
        $this->customerAccountManagement = $customerAccountManagement;
    }

    public function resolve(Field $field, $context, ResolveInfo $info, array $value = null, array $args = null): bool
    {
        $customerId = $args['customerId'];
        $token = $args['confirmationToken'];

        try {
            $this->customerAccountManagement->activateById($customerId, $token);
            return true;
        } catch (InvalidTransitionException $e) {
            throw new GraphQlInputException(__('The customer is already confirmed.'));
        } catch (InputMismatchException $e) {
            throw new GraphQlInputException(__('The given confirmationToken is invalid.'));
        } catch (NoSuchEntityException $e) {
            throw new GraphQlNoSuchEntityException(__('The customer was not found.'));
        } catch (LocalizedException $e) {
            throw new GraphQlInputException(__($e->getMessage()), $e);
        }
    }
}

[hnsr]

The above code posted by @paales is available as a module at https://github.com/ho-nl/magento2-ReachDigital_CustomerConfirmationGraphQl

[lano-vargas]

Any progress on this? I'm having the same issue, when create a customer via grapql I don't get any notification that suggest the customer needs a confirmation, it should include in the response if a confirmation is required b4 trying to sign in. Also when trying to sign in via graphql there is again no indication that it needs a confirmation. However from the web url ...customer/account/login/ it properly tell the customer that it needs to confirm first like so:

This account is not confirmed. Click here to resend confirmation email.

[m2-assistant]

Hi @engcom-November. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

• 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
• 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue.
• 3. Add Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
• 4. Verify that the issue is reproducible on 2.4-develop branch
  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
• 5. Add label Issue: Confirmed once verification is complete.
• 6. Make sure that automatic system confirms that report has been added to the backlog.

[engcom-November]

Hello @pawel-siejba,

Thank you for the report and collaboration!

Verified this issue on 2.4-develop.
When Require Emails Confirmation is turned on in the admin panel, we are not able to generate customer token using graphql/rest api until the email is confirmed, we get the below message:

"message": "The account sign-in was incorrect or your account is disabled temporarily. Please wait and try again later.",

Instead there should me a message to check if the email is confirmed or not.

Also when creating the customer using the graphql/rest api, there is no indication if email confirmation is required or not.

Hence the issue can be confirmed.

Thank you.