Skip to main content
Have a Wasp app in production? 🐝 We'll send you some swag! πŸ‘•
This is documentation for Wasp 0.11.8, which is no longer actively maintained.
For up-to-date documentation, see the latest version (0.20.0).
Version: 0.11.8

Email

Wasp supports e-mail authentication out of the box, along with email verification and "forgot your password?" flows. It provides you with the server-side implementation and email templates for all of these flows.

[画像:Auth UI]

Using email auth and social auth together

If a user signs up with Google or Github (and you set it up to save their social provider e-mail info on the User entity), they'll be able to reset their password and login with e-mail and password βœ…

If a user signs up with the e-mail and password and then tries to login with a social provider (Google or Github), they won't be able to do that ❌

In the future, we will lift this limitation and enable smarter merging of accounts.

Setting Up Email Authentication​

We'll need to take the following steps to set up email authentication:

  1. Enable email authentication in the Wasp file
  2. Add the user entity
  3. Add the routes and pages
  4. Use Auth UI components in our pages
  5. Set up the email sender

Structure of the main.wasp file we will end up with:

main.wasp
// Configuring e-mail authentication
appmyApp{
auth: { ... }
}

// Defining User entity
entityUser{ ... }

// Defining routes and pages
routeSignupRoute{ ... }
pageSignupPage{ ... }
// ...

1. Enable Email Authentication in main.wasp​

Let's start with adding the following to our main.wasp file:

  • JavaScript
  • TypeScript
main.wasp
appmyApp{
wasp: {
version: "^0.11.0"
},
title: "My App",
auth: {
// 1. Specify the user entity (we'll define it next)
userEntity: User,
methods: {
// 2. Enable email authentication
email: {
// 3. Specify the email from field
fromField: {
name: "My App Postman",
email: "[email protected]"
},
// 4. Specify the email verification and password reset options (we'll talk about them later)
emailVerification: {
clientRoute: EmailVerificationRoute,
},
passwordReset: {
clientRoute: PasswordResetRoute,
},
allowUnverifiedLogin: false,
},
},
onAuthFailedRedirectTo: "/login",
onAuthSucceededRedirectTo: "/"
},
}

Read more about the email auth method options here.

2. Add the User Entity​

When email authentication is enabled, Wasp expects certain fields in your userEntity. Let's add these fields to our main.wasp file:

  • JavaScript
  • TypeScript
main.wasp
// 5. Define the user entity
entityUser{=psl
 id Int@id@default(autoincrement())
 email String?@unique
 password String?
 isEmailVerified Boolean@default(false)
 emailVerificationSentAt DateTime?
 passwordResetSentAt DateTime?
// Add your own fields below
// ...
psl=}

Read more about the userEntity fields here.

3. Add the Routes and Pages​

Next, we need to define the routes and pages for the authentication pages.

Add the following to the main.wasp file:

  • JavaScript
  • TypeScript
main.wasp
// ...

// 6. Define the routes
routeLoginRoute{path: "/login",to: LoginPage}
pageLoginPage{
component: import{Login}from"@client/pages/auth.jsx"
}

routeSignupRoute{path: "/signup",to: SignupPage}
pageSignupPage{
component: import{Signup}from"@client/pages/auth.jsx"
}

routeRequestPasswordResetRoute{path: "/request-password-reset",to: RequestPasswordResetPage}
pageRequestPasswordResetPage{
component: import{RequestPasswordReset}from"@client/pages/auth.jsx",
}

routePasswordResetRoute{path: "/password-reset",to: PasswordResetPage}
pagePasswordResetPage{
component: import{PasswordReset}from"@client/pages/auth.jsx",
}

routeEmailVerificationRoute{path: "/email-verification",to: EmailVerificationPage}
pageEmailVerificationPage{
component: import{EmailVerification}from"@client/pages/auth.jsx",
}

We'll define the React components for these pages in the client/pages/auth.tsx file below.

4. Create the Client Pages​

info

We are using Tailwind CSS to style the pages. Read more about how to add it here.

Let's create a auth.tsx file in the client/pages folder and add the following to it:

  • JavaScript
  • TypeScript
client/pages/auth.jsx
import{LoginForm}from"@wasp/auth/forms/Login";
import{SignupForm}from"@wasp/auth/forms/Signup";
import{VerifyEmailForm}from"@wasp/auth/forms/VerifyEmail";
import{ForgotPasswordForm}from"@wasp/auth/forms/ForgotPassword";
import{ResetPasswordForm}from"@wasp/auth/forms/ResetPassword";
import{Link}from"react-router-dom";

exportfunctionLogin(){
return(
<Layout>
<LoginForm/>
<br/>
<spanclassName="text-sm font-medium text-gray-900">
 Don't have an account yet? <Linkto="/signup">go to signup</Link>.
</span>
<br/>
<spanclassName="text-sm font-medium text-gray-900">
 Forgot your password? <Linkto="/request-password-reset">reset it</Link>
 .
</span>
</Layout>
);
}

exportfunctionSignup(){
return(
<Layout>
<SignupForm/>
<br/>
<spanclassName="text-sm font-medium text-gray-900">
 I already have an account (<Linkto="/login">go to login</Link>).
</span>
</Layout>
);
}

exportfunctionEmailVerification(){
return(
<Layout>
<VerifyEmailForm/>
<br/>
<spanclassName="text-sm font-medium text-gray-900">
 If everything is okay, <Linkto="/login">go to login</Link>
</span>
</Layout>
);
}

exportfunctionRequestPasswordReset(){
return(
<Layout>
<ForgotPasswordForm/>
</Layout>
);
}

exportfunctionPasswordReset(){
return(
<Layout>
<ResetPasswordForm/>
<br/>
<spanclassName="text-sm font-medium text-gray-900">
 If everything is okay, <Linkto="/login">go to login</Link>
</span>
</Layout>
);
}

// A layout component to center the content
exportfunctionLayout({ children }){
return(
<divclassName="w-full h-full bg-white">
<divclassName="min-w-full min-h-[75vh] flex items-center justify-center">
<divclassName="w-full h-full max-w-sm p-5 bg-white">
<div>{children}</div>
</div>
</div>
</div>
);
}

We imported the generated Auth UI components and used them in our pages. Read more about the Auth UI components here.

5. Set up an Email Sender​

To support e-mail verification and password reset flows, we need an e-mail sender. Luckily, Wasp supports several email providers out of the box.

We'll use SendGrid in this guide to send our e-mails. You can use any of the supported email providers.

To set up SendGrid to send emails, we will add the following to our main.wasp file:

  • JavaScript
  • TypeScript
main.wasp
appmyApp{
// ...
// 7. Set up the email sender
emailSender: {
provider: SendGrid,
}
}

... and add the following to our .env.server file:

.env.server
SENDGRID_API_KEY=<your key>

If you are not sure how to get a SendGrid API key, read more here.

Read more about setting up email senders in the sending emails docs.

Conclusion​

That's it! We have set up email authentication in our app. πŸŽ‰

Running wasp db migrate-dev and then wasp start should give you a working app with email authentication. If you want to put some of the pages behind authentication, read the using auth docs.

Login and Signup Flows​

Login​

[画像:Auth UI]

If logging in with an unverified email is allowed, the user will be able to login with an unverified email address. If logging in with an unverified email is not allowed, the user will be shown an error message.

Read more about the allowUnverifiedLogin option here.

Signup​

[画像:Auth UI]

Some of the behavior you get out of the box:

  1. Rate limiting

We are limiting the rate of sign-up requests to 1 request per minute per email address. This is done to prevent spamming.

  1. Preventing user email leaks

If somebody tries to signup with an email that already exists and it's verified, we pretend that the account was created instead of saying it's an existing account. This is done to prevent leaking the user's email address.

  1. Allowing registration for unverified emails

If a user tries to register with an existing but unverified email, we'll allow them to do that. This is done to prevent bad actors from locking out other users from registering with their email address.

  1. Password validation

Read more about the default password validation rules and how to override them in using auth docs.

Email Verification Flow​

By default, Wasp requires the e-mail to be verified before allowing the user to log in. This is done by sending a verification email to the user's email address and requiring the user to click on a link in the email to verify their email address.

Our setup looks like this:

  • JavaScript
  • TypeScript
main.wasp
// ...

emailVerification: {
clientRoute: EmailVerificationRoute,
}

When the user receives an e-mail, they receive a link that goes to the client route specified in the clientRoute field. In our case, this is the EmailVerificationRoute route we defined in the main.wasp file.

The content of the e-mail can be customized, read more about it here.

Email Verification Page​

We defined our email verification page in the auth.tsx file.

[画像:Auth UI]

Password Reset Flow​

Users can request a password and then they'll receive an e-mail with a link to reset their password.

Some of the behavior you get out of the box:

  1. Rate limiting

We are limiting the rate of sign-up requests to 1 request per minute per email address. This is done to prevent spamming.

  1. Preventing user email leaks

If somebody requests a password reset with an unknown email address, we'll give back the same response as if the user requested a password reset successfully. This is done to prevent leaking information.

Our setup in main.wasp looks like this:

  • JavaScript
  • TypeScript
main.wasp
// ...

passwordReset: {
clientRoute: PasswordResetRoute,
}

Request Password Reset Page​

Users request their password to be reset by going to the /request-password-reset route. We defined our request password reset page in the auth.tsx file.

[画像:Request password reset page]

Password Reset Page​

When the user receives an e-mail, they receive a link that goes to the client route specified in the clientRoute field. In our case, this is the PasswordResetRoute route we defined in the main.wasp file.

[画像:Request password reset page]

Users can enter their new password there.

The content of the e-mail can be customized, read more about it here.

Using The Auth​

To read more about how to set up the logout button and how to get access to the logged-in user in our client and server code, read the using auth docs.

API Reference​

Let's go over the options we can specify when using email authentication.

userEntity fields​

  • JavaScript
  • TypeScript
main.wasp
appmyApp{
title: "My app",
// ...

auth: {
userEntity: User,
methods: {
email: {
// We'll explain these options below
},
},
onAuthFailedRedirectTo: "/someRoute"
},
// ...
}

// Using email auth requires the `userEntity` to have at least the following fields
entityUser{=psl
 id Int@id@default(autoincrement())
 email String?@unique
 password String?
 isEmailVerified Boolean@default(false)
 emailVerificationSentAt DateTime?
 passwordResetSentAt DateTime?
psl=}

Email auth requires that userEntity specified in auth contains:

  • optional email field of type String
  • optional password field of type String
  • isEmailVerified field of type Boolean with a default value of false
  • optional emailVerificationSentAt field of type DateTime
  • optional passwordResetSentAt field of type DateTime

Fields in the email dict​

  • JavaScript
  • TypeScript
main.wasp
appmyApp{
title: "My app",
// ...

auth: {
userEntity: User,
methods: {
email: {
fromField: {
name: "My App",
email: "[email protected]"
},
emailVerification: {
clientRoute: EmailVerificationRoute,
getEmailContentFn: import{ getVerificationEmailContent }from"@server/auth/email.js",
},
passwordReset: {
clientRoute: PasswordResetRoute,
getEmailContentFn: import{ getPasswordResetEmailContent }from"@server/auth/email.js",
},
allowUnverifiedLogin: false,
},
},
onAuthFailedRedirectTo: "/someRoute"
},
// ...
}

fromField: EmailFromField required​

fromField is a dict that specifies the name and e-mail address of the sender of the e-mails sent by your app.

It has the following fields:

  • name: name of the sender
  • email: e-mail address of the sender required

emailVerification: EmailVerificationConfig required​

emailVerification is a dict that specifies the details of the e-mail verification process.

It has the following fields:

  • clientRoute: Route: a route that is used for the user to verify their e-mail address. required

    Client route should handle the process of taking a token from the URL and sending it to the server to verify the e-mail address. You can use our verifyEmail action for that.

    • JavaScript
    • TypeScript
    src/pages/EmailVerificationPage.jsx
    import{ verifyEmail }from'@wasp/auth/email/actions';
    ...
    awaitverifyEmail({ token });
    note

    We used Auth UI above to avoid doing this work of sending the token to the server manually.

  • getEmailContentFn: ServerImport: a function that returns the content of the e-mail that is sent to the user.

    Defining getEmailContentFn can be done by defining a file in the server directory.

    • JavaScript
    • TypeScript
    server/email.js
    exportconstgetVerificationEmailContent=({ verificationLink })=>({
     subject:'Verify your email',
     text:`Click the link below to verify your email: ${verificationLink}`,
     html:`
     <p>Click the link below to verify your email</p>
     <a href="${verificationLink}">Verify email</a>
    `,
    })
    This is the default content of the e-mail, you can customize it to your liking.

passwordReset: PasswordResetConfig required​

passwordReset is a dict that specifies the password reset process.

It has the following fields:

  • clientRoute: Route: a route that is used for the user to reset their password. required

    Client route should handle the process of taking a token from the URL and a new password from the user and sending it to the server. You can use our requestPasswordReset and resetPassword actions to do that.

    • JavaScript
    • TypeScript
    src/pages/ForgotPasswordPage.jsx
    import{ requestPasswordReset }from'@wasp/auth/email/actions';
    ...
    awaitrequestPasswordReset({ email });
    src/pages/PasswordResetPage.jsx
    import{ resetPassword }from'@wasp/auth/email/actions';
    ...
    awaitresetPassword({ password, token })
    note

    We used Auth UI above to avoid doing this work of sending the password request and the new password to the server manually.

  • getEmailContentFn: ServerImport: a function that returns the content of the e-mail that is sent to the user.

    Defining getEmailContentFn is done by defining a function that looks like this:

    • JavaScript
    • TypeScript
    server/email.js
    exportconstgetPasswordResetEmailContent=({ passwordResetLink })=>({
     subject:'Password reset',
     text:`Click the link below to reset your password: ${passwordResetLink}`,
     html:`
     <p>Click the link below to reset your password</p>
     <a href="${passwordResetLink}">Reset password</a>
    `,
    })
    This is the default content of the e-mail, you can customize it to your liking.

allowUnverifiedLogin: bool: specifies whether the user can login without verifying their e-mail address​

It defaults to false. If allowUnverifiedLogin is set to true, the user can login without verifying their e-mail address, otherwise users will receive a 401 error when trying to login without verifying their e-mail address.

Sometimes you want to allow unverified users to login to provide them a different onboarding experience. Some of the pages can be viewed without verifying the e-mail address, but some of them can't. You can use the isEmailVerified field on the user entity to check if the user has verified their e-mail address.

If you have any questions, feel free to ask them on our Discord server.

AltStyle γ«γ‚ˆγ£γ¦ε€‰ζ›γ•γ‚ŒγŸγƒšγƒΌγ‚Έ (->γ‚ͺγƒͺγ‚ΈγƒŠγƒ«) /