Which frontend SDK do you use?

supertokens-web-js / mobile

supertokens-auth-react

Protecting API and website routes

Protecting API routes

Add checking to all API routes

Set mode to REQUIRED in the EmailVerification config

NodeJS

import SuperTokens from 'supertokens-node';
import EmailVerification from "supertokens-node/recipe/emailverification";
import Session from "supertokens-node/recipe/session";

SuperTokens.init({
    appInfo: {
        apiDomain: "...",
        appName: "...",
        websiteDomain: "..."
    },
    recipeList: [
        EmailVerification.init({
            // This means that verifySession will now only allow calls if the user has verified their email
            mode: "REQUIRED",
        }),
        Session.init()
    ]
});

GoLang

import (
    "github.com/supertokens/supertokens-golang/recipe/emailverification"
    "github.com/supertokens/supertokens-golang/recipe/emailverification/evmodels"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    supertokens.Init(supertokens.TypeInput{
        RecipeList: []supertokens.Recipe{
            emailverification.Init(evmodels.TypeInput{
                // This means that VerifySession will now only allow calls if the user has verified their email
                Mode: evmodels.ModeRequired,
            }),
            session.Init(&sessmodels.TypeInput{}),
        },
    })
}

Python

from supertokens_python import init, InputAppInfo
from supertokens_python.recipe import session
from supertokens_python.recipe import emailverification

init(
    app_info=InputAppInfo(
        api_domain="...", app_name="...", website_domain="..."),
    framework='...',  
    recipe_list=[
        # This means that VerifySession will now only allow calls if the user has verified their email
        emailverification.init(mode='REQUIRED'),
        session.init()
    ]
)

Disable email verification for specific routes (for REQUIRED mode)

NodeJS

Express

import { verifySession } from "supertokens-node/recipe/session/framework/express";
import express from "express";
import { SessionRequest } from "supertokens-node/framework/express";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

let app = express();

app.post(
    "/update-blog",
    verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => globalValidators.filter(v => v.id !== EmailVerificationClaim.key),
    }),
    async (req: SessionRequest, res) => {
        // All validator checks have passed and the user has a verified email address
    }
);

Hapi

import Hapi from "@hapi/hapi";
import { verifySession } from "supertokens-node/recipe/session/framework/hapi";
import {SessionRequest} from "supertokens-node/framework/hapi";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

let server = Hapi.server({ port: 8000 });

server.route({
    path: "/update-blog",
    method: "post",
    options: {
        pre: [
            {
                method: verifySession({
                    overrideGlobalClaimValidators: async (globalValidators) => globalValidators.filter(v => v.id !== EmailVerificationClaim.key),
                }),
            },
        ],
    },
    handler: async (req: SessionRequest, res) => {
        // All validator checks have passed and the user has a verified email address
    }
})

Fastify

import Fastify from "fastify";
import { verifySession } from "supertokens-node/recipe/session/framework/fastify";
import { SessionRequest } from "supertokens-node/framework/fastify";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

let fastify = Fastify();

fastify.post("/update-blog", {
    preHandler: verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => globalValidators.filter(v => v.id !== EmailVerificationClaim.key),
    }),
}, async (req: SessionRequest, res) => {
    // All validator checks have passed and the user has a verified email address
});

Koa

import { verifySession } from "supertokens-node/recipe/session/framework/awsLambda";
import { SessionEvent } from "supertokens-node/framework/awsLambda";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

async function updateBlog(awsEvent: SessionEvent) {
    // All validator checks have passed and the user has a verified email address
};

exports.handler = verifySession(updateBlog, {
    overrideGlobalClaimValidators: async (globalValidators) => globalValidators.filter(v => v.id !== EmailVerificationClaim.key)
});

Loopback

import KoaRouter from "koa-router";
import { verifySession } from "supertokens-node/recipe/session/framework/koa";
import {SessionContext} from "supertokens-node/framework/koa";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

let router = new KoaRouter();

router.post("/update-blog", verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => globalValidators.filter(v => v.id !== EmailVerificationClaim.key)
    }), async (ctx: SessionContext, next) => {
    // All validator checks have passed and the user has a verified email address
});

AWS Lambda / Netlify

import { inject, intercept } from "@loopback/core";
import { RestBindings, MiddlewareContext, post, response } from "@loopback/rest";
import { verifySession } from "supertokens-node/recipe/session/framework/loopback";
import Session from "supertokens-node/recipe/session";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

class SetRole {
    constructor(@inject(RestBindings.Http.CONTEXT) private ctx: MiddlewareContext) { }
    @post("/update-blog")
    @intercept(verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => globalValidators.filter(v => v.id !== EmailVerificationClaim.key)
    }))
    @response(200)
    async handler() {
        // All validator checks have passed and the user has a verified email address
    }
}

Next.js

import { superTokensNextWrapper } from 'supertokens-node/nextjs'
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

export default async function setRole(req: SessionRequest, res: any) {
    await superTokensNextWrapper(
        async (next) => {
            await verifySession({
                overrideGlobalClaimValidators: async (globalValidators) => globalValidators.filter(v => v.id !== EmailVerificationClaim.key)
            })(req, res, next);
        },
        req,
        res
    )
    // All validator checks have passed and the user has a verified email address
}

NestJS

import { Controller, Post, UseGuards, Request, Response, Session } from "@nestjs/common";
import { SessionContainer, SessionClaimValidator } from "supertokens-node/recipe/session";
import { AuthGuard } from './auth/auth.guard';
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

@Controller()
export class ExampleController {
  @Post('example')
  @UseGuards(new AuthGuard({
    overrideGlobalClaimValidators: async (globalValidators: SessionClaimValidator[]) => globalValidators.filter(v => v.id !== EmailVerificationClaim.key)
  }))
  async postExample(@Session() session: SessionContainer): Promise<boolean> {
    // All validator checks have passed and the user has a verified email address
    return true;
  }
}

GoLang

Chi

import (
    "net/http"

    "github.com/supertokens/supertokens-golang/recipe/emailverification/evclaims"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/claims"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    _ = http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        session.VerifySession(&sessmodels.VerifySessionOptions{
            OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
                filtered := []claims.SessionClaimValidator{}
                for _, v := range globalClaimValidators {
                    // we keep all claim validators except for
                    // the email verification claim validator.
                    if v.ID != evclaims.EmailVerificationClaim.Key {
                        filtered = append(filtered, v)
                    }
                }
                return filtered, nil
            },
        }, exampleAPI).ServeHTTP(rw, r)
    })
}

func exampleAPI(w http.ResponseWriter, r *http.Request) {
    // TODO: session is verified and all validators have passed..
}

net/http

import (
    "net/http"

    "github.com/gin-gonic/gin"
    "github.com/supertokens/supertokens-golang/recipe/emailverification/evclaims"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/claims"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    router := gin.New()

    // Wrap the API handler in session.VerifySession
    router.POST("/likecomment", verifySession(&sessmodels.VerifySessionOptions{
        OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
            filtered := []claims.SessionClaimValidator{}
            for _, v := range globalClaimValidators {
                // we keep all claim validators except for
                // the email verification claim validator.
                if v.ID != evclaims.EmailVerificationClaim.Key {
                    filtered = append(filtered, v)
                }
            }
            return filtered, nil
        },
    }), exampleAPI)
}

// This is a function that wraps the supertokens verification function
// to work the gin
func verifySession(options *sessmodels.VerifySessionOptions) gin.HandlerFunc {
    return func(c *gin.Context) {
        session.VerifySession(options, func(rw http.ResponseWriter, r *http.Request) {
            c.Request = c.Request.WithContext(r.Context())
            c.Next()
        })(c.Writer, c.Request)
        // we call Abort so that the next handler in the chain is not called, unless we call Next explicitly
        c.Abort()
    }
}

func exampleAPI(c *gin.Context) {
    // TODO: session is verified and all claim validators pass.
}

Gin

import (
    "net/http"

    "github.com/go-chi/chi"
    "github.com/supertokens/supertokens-golang/recipe/emailverification/evclaims"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/claims"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    r := chi.NewRouter()

    // Wrap the API handler in session.VerifySession
    r.Post("/likecomment", session.VerifySession(&sessmodels.VerifySessionOptions{
        OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
            filtered := []claims.SessionClaimValidator{}
            for _, v := range globalClaimValidators {
                // we keep all claim validators except for
                // the email verification claim validator.
                if v.ID != evclaims.EmailVerificationClaim.Key {
                    filtered = append(filtered, v)
                }
            }
            return filtered, nil
        },
    }, exampleAPI))
}

func exampleAPI(w http.ResponseWriter, r *http.Request) {
    // TODO: session is verified and all claim validators pass.
}

Mux

import (
    "net/http"

    "github.com/gorilla/mux"
    "github.com/supertokens/supertokens-golang/recipe/emailverification/evclaims"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/claims"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    router := mux.NewRouter()

    // Wrap the API handler in session.VerifySession
    router.HandleFunc("/likecomment", session.VerifySession(&sessmodels.VerifySessionOptions{
        OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
            filtered := []claims.SessionClaimValidator{}
            for _, v := range globalClaimValidators {
                // we keep all claim validators except for
                // the email verification claim validator.
                if v.ID != evclaims.EmailVerificationClaim.Key {
                    filtered = append(filtered, v)
                }
            }
            return filtered, nil
        },
    }, exampleAPI)).Methods(http.MethodPost)
}

func exampleAPI(w http.ResponseWriter, r *http.Request) {
    // TODO: session is verified and all claim validators pass.
}

Python

FastAPI

from supertokens_python.recipe.session.framework.fastapi import verify_session
from supertokens_python.recipe.emailverification import EmailVerificationClaim
from supertokens_python.recipe.session import SessionContainer
from fastapi import Depends

@app.post('/like_comment')  
async def like_comment(session: SessionContainer = Depends(
        verify_session(
            # We keep all validators except for the EmailVerification ones
            override_global_claim_validators=lambda global_validators, session, user_context: [
                validators for validators in global_validators if validators.id != EmailVerificationClaim.key]
        )
)):
    # All validator checks have passed and the user has a verified email address
    pass

Flask

from supertokens_python.recipe.session.framework.flask import verify_session
from supertokens_python.recipe.emailverification import EmailVerificationClaim

@app.route('/update-jwt', methods=['POST'])  
@verify_session(
    # We keep all validators except for the EmailVerification ones
    override_global_claim_validators=lambda global_validators, session, user_context: [
        validators for validators in global_validators if validators.id != EmailVerificationClaim.key]
)
def like_comment():
    # All validator checks have passed and the user has a verified email address
    pass

Django

from supertokens_python.recipe.session.framework.django.asyncio import verify_session
from django.http import HttpRequest
from supertokens_python.recipe.emailverification import EmailVerificationClaim

@verify_session(
    # We keep all validators except for the EmailVerification ones
    override_global_claim_validators=lambda global_validators, session, user_context: [
        validators for validators in global_validators if validators.id != EmailVerificationClaim.key]
)
async def like_comment(request: HttpRequest):
    # All validator checks have passed and the user has a verified email address
    pass

Add checking to a single route (for OPTIONAL mode)

NodeJS

Express

import { verifySession } from "supertokens-node/recipe/session/framework/express";
import express from "express";
import { SessionRequest } from "supertokens-node/framework/express";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

let app = express();

app.post(
    "/update-blog",
    verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => [...globalValidators, EmailVerificationClaim.validators.isVerified()],
    }),
    async (req: SessionRequest, res) => {
        // All validator checks have passed and the user has a verified email address
    }
);

Hapi

import Hapi from "@hapi/hapi";
import { verifySession } from "supertokens-node/recipe/session/framework/hapi";
import {SessionRequest} from "supertokens-node/framework/hapi";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

let server = Hapi.server({ port: 8000 });

server.route({
    path: "/update-blog",
    method: "post",
    options: {
        pre: [
            {
                method: verifySession({
                    overrideGlobalClaimValidators: async (globalValidators) => [...globalValidators, EmailVerificationClaim.validators.isVerified()],
                }),
            },
        ],
    },
    handler: async (req: SessionRequest, res) => {
        // All validator checks have passed and the user has a verified email address
    }
})

Fastify

import Fastify from "fastify";
import { verifySession } from "supertokens-node/recipe/session/framework/fastify";
import { SessionRequest } from "supertokens-node/framework/fastify";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

let fastify = Fastify();

fastify.post("/update-blog", {
    preHandler: verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => [...globalValidators, EmailVerificationClaim.validators.isVerified()],
    }),
}, async (req: SessionRequest, res) => {
    // All validator checks have passed and the user has a verified email address
});

Koa

import { verifySession } from "supertokens-node/recipe/session/framework/awsLambda";
import { SessionEvent } from "supertokens-node/framework/awsLambda";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

async function updateBlog(awsEvent: SessionEvent) {
    // All validator checks have passed and the user has a verified email address
};

exports.handler = verifySession(updateBlog, {
    overrideGlobalClaimValidators: async (globalValidators) => [...globalValidators, EmailVerificationClaim.validators.isVerified()]
});

Loopback

import KoaRouter from "koa-router";
import { verifySession } from "supertokens-node/recipe/session/framework/koa";
import {SessionContext} from "supertokens-node/framework/koa";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

let router = new KoaRouter();

router.post("/update-blog", verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => [...globalValidators, EmailVerificationClaim.validators.isVerified()]
    }), async (ctx: SessionContext, next) => {
    // All validator checks have passed and the user has a verified email address
});

AWS Lambda / Netlify

import { inject, intercept } from "@loopback/core";
import { RestBindings, MiddlewareContext, post, response } from "@loopback/rest";
import { verifySession } from "supertokens-node/recipe/session/framework/loopback";
import Session from "supertokens-node/recipe/session";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

class SetRole {
    constructor(@inject(RestBindings.Http.CONTEXT) private ctx: MiddlewareContext) { }
    @post("/update-blog")
    @intercept(verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => [...globalValidators, EmailVerificationClaim.validators.isVerified()]
    }))
    @response(200)
    async handler() {
        // All validator checks have passed and the user has a verified email address
    }
}

Next.js

import { superTokensNextWrapper } from 'supertokens-node/nextjs'
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

export default async function setRole(req: SessionRequest, res: any) {
    await superTokensNextWrapper(
        async (next) => {
            await verifySession({
                overrideGlobalClaimValidators: async (globalValidators) => [...globalValidators, EmailVerificationClaim.validators.isVerified()]
            })(req, res, next);
        },
        req,
        res
    )
    // All validator checks have passed and the user has a verified email address
}

NestJS

import { Controller, Post, UseGuards, Request, Response, Session } from "@nestjs/common";
import { SessionContainer, SessionClaimValidator } from "supertokens-node/recipe/session";
import { AuthGuard } from './auth/auth.guard';
import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";

@Controller()
export class ExampleController {
  @Post('example')
  @UseGuards(new AuthGuard({
    overrideGlobalClaimValidators: async (globalValidators: SessionClaimValidator[]) => [...globalValidators, EmailVerificationClaim.validators.isVerified()]
  }))
  async postExample(@Session() session: SessionContainer): Promise<boolean> {
    // All validator checks have passed and the user has a verified email address
    return true;
  }
}

GoLang

Chi

import (
    "net/http"

    "github.com/supertokens/supertokens-golang/recipe/emailverification/evclaims"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/claims"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    _ = http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        session.VerifySession(&sessmodels.VerifySessionOptions{
            OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
                globalClaimValidators = append(globalClaimValidators, evclaims.EmailVerificationClaimValidators.IsVerified(nil, nil))
                return globalClaimValidators, nil
            },
        }, exampleAPI).ServeHTTP(rw, r)
    })
}

func exampleAPI(w http.ResponseWriter, r *http.Request) {
    // TODO: session is verified and all validators have passed..
}

net/http

import (
    "net/http"

    "github.com/gin-gonic/gin"
    "github.com/supertokens/supertokens-golang/recipe/emailverification/evclaims"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/claims"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    router := gin.New()

    // Wrap the API handler in session.VerifySession
    router.POST("/likecomment", verifySession(&sessmodels.VerifySessionOptions{
        OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
            globalClaimValidators = append(globalClaimValidators, evclaims.EmailVerificationClaimValidators.IsVerified(nil, nil))
            return globalClaimValidators, nil
        },
    }), exampleAPI)
}

// This is a function that wraps the supertokens verification function
// to work the gin
func verifySession(options *sessmodels.VerifySessionOptions) gin.HandlerFunc {
    return func(c *gin.Context) {
        session.VerifySession(options, func(rw http.ResponseWriter, r *http.Request) {
            c.Request = c.Request.WithContext(r.Context())
            c.Next()
        })(c.Writer, c.Request)
        // we call Abort so that the next handler in the chain is not called, unless we call Next explicitly
        c.Abort()
    }
}

func exampleAPI(c *gin.Context) {
    // TODO: session is verified and all claim validators pass.
}

Gin

import (
    "net/http"

    "github.com/go-chi/chi"
    "github.com/supertokens/supertokens-golang/recipe/emailverification/evclaims"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/claims"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    r := chi.NewRouter()

    // Wrap the API handler in session.VerifySession
    r.Post("/likecomment", session.VerifySession(&sessmodels.VerifySessionOptions{
        OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
            globalClaimValidators = append(globalClaimValidators, evclaims.EmailVerificationClaimValidators.IsVerified(nil, nil))
            return globalClaimValidators, nil
        },
    }, exampleAPI))
}

func exampleAPI(w http.ResponseWriter, r *http.Request) {
    // TODO: session is verified and all claim validators pass.
}

Mux

import (
    "net/http"

    "github.com/gorilla/mux"
    "github.com/supertokens/supertokens-golang/recipe/emailverification/evclaims"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/claims"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    router := mux.NewRouter()

    // Wrap the API handler in session.VerifySession
    router.HandleFunc("/likecomment", session.VerifySession(&sessmodels.VerifySessionOptions{
        OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
            globalClaimValidators = append(globalClaimValidators, evclaims.EmailVerificationClaimValidators.IsVerified(nil, nil))
            return globalClaimValidators, nil
        },
    }, exampleAPI)).Methods(http.MethodPost)
}

func exampleAPI(w http.ResponseWriter, r *http.Request) {
    // TODO: session is verified and all claim validators pass.
}

Python

FastAPI

from supertokens_python.recipe.session.framework.fastapi import verify_session
from supertokens_python.recipe.emailverification import EmailVerificationClaim
from supertokens_python.recipe.session import SessionContainer
from fastapi import Depends

@app.post('/like_comment')  
async def like_comment(session: SessionContainer = Depends(
        verify_session(
            # We add the EmailVerificationClaim's is_verified validator
            override_global_claim_validators=lambda global_validators, session, user_context: global_validators + \
            [EmailVerificationClaim.validators.is_verified()]
        )
)):
    # All validator checks have passed and the user has a verified email address
    pass

Flask

from supertokens_python.recipe.session.framework.flask import verify_session
from supertokens_python.recipe.emailverification import EmailVerificationClaim

@app.route('/update-jwt', methods=['POST'])  
@verify_session(
    # We add the EmailVerificationClaim's is_verified validator
    override_global_claim_validators=lambda global_validators, session, user_context: global_validators + \
    [EmailVerificationClaim.validators.is_verified()]
)
def like_comment():
    # All validator checks have passed and the user has a verified email address
    pass

Django

from supertokens_python.recipe.session.framework.django.asyncio import verify_session
from django.http import HttpRequest
from supertokens_python.recipe.emailverification import EmailVerificationClaim

@verify_session(
    # We add the EmailVerificationClaim's is_verified validator
    override_global_claim_validators=lambda global_validators, session, user_context: global_validators + \
    [EmailVerificationClaim.validators.is_verified()]
)
async def like_comment(request: HttpRequest):
    # All validator checks have passed and the user has a verified email address
    pass

Protecting frontend routes

ReactJS

If using REQUIRED mode

Wrapping your website routes using <SessionAuth /> should be enough for this to work. If the user's email is not verified, SuperTokens will automatically redirect the user to the email verification screen.

If using OPTIONAL mode

import React from "react";
import { SessionAuth, useSessionContext } from 'supertokens-auth-react/recipe/session';
import { EmailVerificationClaim } from 'supertokens-auth-react/recipe/emailverification';

const VerifiedRoute = (props: React.PropsWithChildren<any>) => {
    return (
        <SessionAuth>
            <InvalidClaimHandler>
                {props.children}
            </InvalidClaimHandler>
        </SessionAuth>
    );
}

function InvalidClaimHandler(props: React.PropsWithChildren<any>) {
    let sessionContext = useSessionContext();
    if (sessionContext.loading) {
        return null;
    }

    if (sessionContext.invalidClaims.some(i => i.validatorId === EmailVerificationClaim.id)) {
        return <div>You cannot access this page because your email address is not verified.</div>
    }

    // We show the protected route since all claims validators have
    // passed implying that the user has verified their email.
    return <div>{props.children}</div>;
}

Above we are creating a generic component called VerifiedRoute which enforces that its child components can only be rendered if the user has a verified email address.

In the VerifiedRoute component, we use the SessionAuth wrapper to ensure that the session exists. The EmailVerificationClaim validator is automatically added to the <SessionAuth> component if the EmailVerification recipe has been initialized.

Finally, we check the result of the validation in the InvalidClaimHandler component which displays "You cannot access this page because your email address is not verified." if the EmailVerificationClaim validator failed.

If all validation passes, we render the props.children component.

note

You can extend the VerifiedRoute component to check for other types of validators as well. This component can then be reused to protect all of your app's components (In this case, you may want to rename this component to something more appropriate, like ProtectedRoute).

Manually checking verification status

If you want to have more complex access control, you can either create your own validator, or you can get the boolean from the session as follows, and check it yourself:

import Session from "supertokens-auth-react/recipe/session";
import {EmailVerificationClaim} from "supertokens-auth-react/recipe/emailverification"

function ProtectedComponent() {
    let claimValue = Session.useClaimValue(EmailVerificationClaim)
    if (claimValue.loading || !claimValue.doesSessionExist) {
        return null;
    }
    let isEmailVerified = claimValue.value;
    if (isEmailVerified !== undefined && isEmailVerified) {
        //...
    } else {
        //...
    }
}

Angular

Via NPM

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute(): Promise<boolean> {
    if (await Session.doesSessionExist()) {

        let validationErrors = await Session.validateClaims();

        if (validationErrors.length === 0) {
            // user has verified their email address
            return true;
        }
    }
    // either a session does not exist, or one of the validators failed.
    // so we do not allow access to this page.
    return false
}

We call the validateClaims function. If you initialized the EmailVerification recipe, this will include the EmailVerificationClaim validator in the globalValidators.

Checking validation error

In case the validationErrors array is not empty, you can loop through the errors to know which claim has failed:

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute() {
    let validationErrors = await Session.validateClaims(/*{...}*/);
    for (const err of validationErrors) {
        if (err.validatorId === EmailVerificationClaim.id) {
            // email verification claim check failed
        } else {
            // some other claim check failed (from the global validators list)
        }
    }
}

Manually checking verification status

If you want to have more complex access control, you can either create your own validator, or you can get the boolean from the session as follows, and check it yourself:

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute(): Promise<boolean> {
    if (await Session.doesSessionExist()) {
        let isVerified = await Session.getClaimValue({claim: EmailVerificationClaim});
        if (isVerified) {
            // user has verified their email address
            return true;
        }
    }
    // either a session does not exist, or the user has not verified their email address
    return false
}

Via Script Tag

async function shouldLoadRoute(): Promise<boolean> {
    if (await supertokensSession.doesSessionExist()) {

        let validationErrors = await supertokensSession.validateClaims();

        if (validationErrors.length === 0) {
            // user has verified their email address
            return true;
        }
    }
    // either a session does not exist, or one of the validators failed.
    // so we do not allow access to this page.
    return false
}

We call the validateClaims function. If you initialized the EmailVerification recipe, this will include the EmailVerificationClaim validator in the globalValidators.

Checking validation error

In case the validationErrors array is not empty, you can loop through the erros to know which claim has failed:

async function shouldLoadRoute() {
    let validationErrors = await supertokensSession.validateClaims(/*{...}*/);
    for (const err of validationErrors) {
        if (err.validatorId === supertokensEmailVerification.EmailVerificationClaim.id) {
            // email verification claim check failed
        } else {
            // some other claim check failed
        }
    }
}

Manually checking verification status

If you want to have more complex access control, you can either create your own validator, or you can get the boolean from the session as follows, and check it yourself:

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute(): Promise<boolean> {
    if (await Session.doesSessionExist()) {
        let isVerified = await Session.getClaimValue({claim: EmailVerificationClaim});
        if (isVerified) {
            // user has verified their email address
            return true;
        }
    }
    // either a session does not exist, or the user has not verified their email address
    return false
}

Vue

import SuperTokens from 'supertokens-react-native';

async function checkIfEmailIsVerified() {
    if (await SuperTokens.doesSessionExist()) {

        let isVerified: boolean = (await SuperTokens.getAccessTokenPayloadSecurely())["st-ev"].v;

        if (isVerified) {
            // TODO..
        } else {
            // TODO..
        }
    }
}

Plain JavaScript

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute(): Promise<boolean> {
    if (await Session.doesSessionExist()) {

        let validationErrors = await Session.validateClaims();

        if (validationErrors.length === 0) {
            // user has verified their email address
            return true;
        }
    }
    // either a session does not exist, or one of the validators failed.
    // so we do not allow access to this page.
    return false
}

We call the validateClaims function. If you initialized the EmailVerification recipe, this will include the EmailVerificationClaim validator in the globalValidators.

Checking validation error

In case the validationErrors array is not empty, you can loop through the errors to know which claim has failed:

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute() {
    let validationErrors = await Session.validateClaims(/*{...}*/);
    for (const err of validationErrors) {
        if (err.validatorId === EmailVerificationClaim.id) {
            // email verification claim check failed
        } else {
            // some other claim check failed (from the global validators list)
        }
    }
}

Manually checking verification status

If you want to have more complex access control, you can either create your own validator, or you can get the boolean from the session as follows, and check it yourself:

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute(): Promise<boolean> {
    if (await Session.doesSessionExist()) {
        let isVerified = await Session.getClaimValue({claim: EmailVerificationClaim});
        if (isVerified) {
            // user has verified their email address
            return true;
        }
    }
    // either a session does not exist, or the user has not verified their email address
    return false
}

React Native

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute(): Promise<boolean> {
    if (await Session.doesSessionExist()) {

        let validationErrors = await Session.validateClaims();

        if (validationErrors.length === 0) {
            // user has verified their email address
            return true;
        }
    }
    // either a session does not exist, or one of the validators failed.
    // so we do not allow access to this page.
    return false
}

We call the validateClaims function. If you initialized the EmailVerification recipe, this will include the EmailVerificationClaim validator in the globalValidators.

Checking validation error

In case the validationErrors array is not empty, you can loop through the errors to know which claim has failed:

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute() {
    let validationErrors = await Session.validateClaims(/*{...}*/);
    for (const err of validationErrors) {
        if (err.validatorId === EmailVerificationClaim.id) {
            // email verification claim check failed
        } else {
            // some other claim check failed (from the global validators list)
        }
    }
}

Manually checking verification status

If you want to have more complex access control, you can either create your own validator, or you can get the boolean from the session as follows, and check it yourself:

import Session from "supertokens-web-js/recipe/session";
import { EmailVerificationClaim } from "supertokens-web-js/recipe/emailverification";

async function shouldLoadRoute(): Promise<boolean> {
    if (await Session.doesSessionExist()) {
        let isVerified = await Session.getClaimValue({claim: EmailVerificationClaim});
        if (isVerified) {
            // user has verified their email address
            return true;
        }
    }
    // either a session does not exist, or the user has not verified their email address
    return false
}