Stitch JavaScript SDK confirmUser method returns: userpass token is expired or invalid

I’m using Stitch to create a email/password login system. I’m using the Stitch Email/Password provider with the “user confirmation method” setting of “send a confirmation email”.

My app is working to the point where I can submit my app’s register form, then see my entry in the Stitch Users screen as a pending user.

After registering, Stitch sends a confirmation email with a link to “Confirm email”.

I’ve setup my confirmation page according to this guide:
https://docs.mongodb.com/stitch/authentication/userpass/#confirm-a-new-user-s-email-address

In the Chrome dev tools, I can see that the token and token ID are being sent, such as:

{“token”:“token was here”,“tokenId”:“token id was here”}

But, stitch is returning the error:

{“error”:“userpass token is expired or invalid”,“error_code”:“UserpassTokenInvalid”,“link”:“https://stitch.mongodb.com/ groups/link continues”}

Please let me know if you have any troubleshooting advice.

Hi @Ed_Talmadge, welcome!

It’s been a while since you posted this question, have you found a solution yet ?
There are two parts to the error, first is expired token and the second is invalid token. The token is valid within 2 hours, so please make sure that the email that you actioned is the one that is sent by Stitch within the time period.

The second case, is invalid token. Could you post the code snippet that you used to pass token and tokenId to UserPasswordAuthProviderClient to confirm ?

Regards,
Wan.

Thanks Wan. No, I have not found a solution yet. To answer your questions:

There are two parts to the error, first is expired token and the second is invalid token. The token is valid within 2 hours, so please make sure that the email that you actioned is the one that is sent by Stitch within the time period.

After registering, I am immediately opening the confirm user email and clicking the Confirm Email button.

The second case, is invalid token. Could you post the code snippet that you used to pass token and tokenId to UserPasswordAuthProviderClient to confirm ?

Here is the React/Redux action creator I’m using to pass the token and tokenId to UserPasswordAuthProviderClient.
It is using the code example from: https://docs.mongodb.com/stitch/authentication/userpass/#confirm-a-new-user-s-email-address

export const attemptSignupConfirmation = () => async (dispatch: any) => {
  try {
    // Confirm the user's email/password account
    // See: https://docs.mongodb.com/stitch/authentication/userpass/#confirm-a-new-user-s-email-address
    // Parse the URL query parameters
    const url = window.location.search;
    const params = new URLSearchParams(url);
    const token = await params.get("token");
    const tokenId = await params.get("tokenId");
    console.log(`token: ${token}, tokenId: ${tokenId}`);
    if (!token || !tokenId) {
      return;
    }

    // Confirm the user's email/password account
    const emailPassClient = Stitch.defaultAppClient.auth.getProviderClient(
      UserPasswordAuthProviderClient.factory
    );

    await emailPassClient.confirmUser(token, tokenId);
    console.log("dispatch SIGNUP_CONFIRMATION_SUCCESS");
    dispatch({
      type: SIGNUP_CONFIRMATION_SUCCESS
    });
  } catch (err) {
    // dispatch(setAlert(err, "danger"));
    dispatch({
      type: SIGNUP_CONFIRMATION_ERROR
    });
  }
};

Thank you for the code snippet. That looks correct.
Given your code snippet and a valid URL that’s provided by Stitch, the only way I could reproduce the userpass token is expired or invalid is if I tried to execute the same token after it’s been validated/confirm (i.e. executing twice).

If you register a new user email/pwd, and you click the link from the email, does the user status changed to confirmed in Stitch’s Users tab ? If so, there’s a possibility that your React code may have executed/triggered twice.

If you still encountering this issue, could you provide a minimal reproducible example ?

Regards,
Wan.

Thanks again Wan. To answer your questions:

If you register a new user email/pwd, and you click the link from the email, does the user status changed to confirmed in Stitch’s Users tab ?

No

If you still encountering this issue, could you provide a minimal reproducible example ?

Yes, I am still encountering this issue. I will work on a minimal, reproducible example and post it here.

Hi Ed, hope you are well.

I may have encountered the same issue you are having and I may have an answer for you:

When a user registers themselves for the first time they are assigned a status called Pending Confirmation. Once confirmUser(token, tokenId) has been called, the status moves from Pending Confirmation to Pending User Login, but the user still remains in the Pending category.

Subsequent calls to confirmUser(token, tokenId) if the user is already in Pending User Login will result in the error message you mentioned!

All that’s left to do is for the user to login and the user will be confirmed.

Hope that helps!

1 Like