
Registration leads to a 403 when account activation required

When you register an account on Pleroma and activation is required, the /api/v1/accounts endpoint returns a 200 with a bearer token.

PleromaFE tries to use the returned bearer token to log in, passing it to /api/v1/accounts/verify_credentials, which fails with a 403. (edit: a 403 without the correct response. See comments.)

The registration worked, but to the user it looks broken and we do not provide any mechanism to tell an app or FE that the registration was successful and that they need to check for an activation email. (edit: returning the correct 403 is the first step!)

I don't know what the procedure should be, but I think we shouldn't return a bearer token if it can't even be used yet. That shouldn't happen until the account activation. We should also hint that the account activation is required. I don't know how Mastodon is doing this yet or if they do anything at all to solve this.

Edited Jul 23, 2020 by feld