When a logged-in user calls confirmEmailAndSignIn(), the user ID does not update

[cpatracker]

When we try to retrieve user information after calling $auth->confirmEmailAndSignIn() using $auth->getUserId(), it returns the user ID of the previously logged-in user instead of the newly registered one.

The flow is as follows:

1. User 1 is logged in
2. User 1 tries to register a new account for a friend (User 2) by opening the registration form, entering the required information, and requesting a confirmation link
3. User 1 opens the confirmation link for User 2
4. confirmEmailAndSignIn() is called; User 2’s email is confirmed, and their account is created
5. When we attempt to log information about the new user (User 2) to the logs or database, getUserId() still returns the ID of User 1

Possible workaround
$auth->logOut() can be called during the confirmation link process, but this will log out the user even if they click on an invalid confirmation link

[ocram]

Thanks for your feedback, and sorry for the delay!

The behavior you described is correct, but it’s just due to different expectations and a different specification of what should happen.

So the behavior that is not clearly defined in the documentation is:

What happens when you are already signed in, but you still (successfully) call the method Auth#confirmEmailAndSignIn for another user?

So far, the library just keeps the first user signed in. This also ensures that there are never two different users signed in during one request.

The other user is correctly verified in any case.

But maybe we should throw an error instead and say “you are already logged in”?

[cpatracker]

Thank you for the reply.

My expectation for confirmEmailAndSignIn() is to confirm email and sign in.

If the user was already signed in, sign out and sign in as a new user. When the user made a mistake, for example, using personal e-mail instead of work e-mail, there should be an easy way for him to register and use the system, instead of logging out manually

[ocram]

You can probably get your desired behavior by just using Auth#confirmEmail instead, and, if successful, i.e. if the result contains the new email address (and perhaps the old one), optionally calling Auth#logOut if Auth#check is true, and finally calling Auth#admin#logInAsUserByEmail.