Hi Supertokens team, I have two short questions re...
# support-questions-legacy
d
Hi Supertokens team, I have two short questions regarding the email verifying process.

1. When the end-user generates multiple verification E-Mails (by e.g. executing EmailVerification.sendVerificationEmail), does it matter which link from the E-Mail is used to verify the user E-Mail address?
2. When the end-user successfully verified their E-Mail, are all "unused" E-Mail verifying links automatically invalidated?

Thanks Daniel
r
Hey @DanielAtStruggly
1. It doesn’t matter which one they use to verify the email as long as that email’s link has not expired
2. All other links are invalidated immediately
d
Thanks again for the prompt response. I was hoping you would answer like this 👍 Investigating further into the topic of Email verification, I stumbled upon the following documentation snippet (mentioned here https://supertokens.com/docs/emailpassword/custom-ui/enable-email-verification#step-6-verifying-the-email-post-link-clicked):

> If you are calling the above API on page load, there is an edge case in which email clients might open the verification link in the email (for scanning purposes) and consume the token in the URL. This would lead to issues in which an attacker could sign up using someone else's email and end up with a verified status!

Could you please give some more hints/info about that? How is the attacker able to sign up using someone else's email? All the data which should be relevant to verify an email should be located in the token, right?
r
> Could you please give some more hints/info about that? How is the attacker able to sign up using someone else's email?

As an example, Bob may sign up using Alice's email and that will work in case Alice doesn't already have an account in the app. The email verification screen will show up post sign up though, so until the email is verified, Bob can't use the app as Alice anyway.

> All the data which should be relevant to verify an email should be located in the token, right?

That is correct. But when the link is clicked, you want to check if a session already exists in the browser and if it doesn't you want to show some prompt like "click here to verify your email" before consuming the token from the URL. This will prevent email clients from auto verifying the email as when the email client opens the link, there won't be a valid session and so the UI will ask for a prompt, which email clients don't click.
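The page-load check described in the answer above, written out as an added example (not code from the thread or from SuperTokens itself). The handler reads the token from the verification link, consumes it straight away only if a browser session already exists, and otherwise renders a "click here to verify" prompt whose button is the only path that consumes the token. `doesSessionExist`, `verifyEmail` and `render` are injected callbacks (assumptions for this example); the query parameter name `token` and the URL are constructed. With supertokens-web-js the first two would wrap `Session.doesSessionExist()` and `EmailVerification.verifyEmail()`, but the example runs offline against fakes.

```javascript
// Added example, not SuperTokens' own code: gate token consumption on an
// existing session so that an email client pre-opening the link (no session)
// only sees a prompt and never verifies the address.

function tokenFromUrl(href) {
  // The verification link carries the token as a query parameter (assumed name: "token").
  return new URL(href).searchParams.get("token");
}

function decideVerificationFlow(href, sessionExists) {
  const token = tokenFromUrl(href);
  if (!token) return { action: "missing-token", token: null };
  // Session present: the link was opened in the browser that signed up; consume now.
  if (sessionExists) return { action: "verify-now", token };
  // No session: most likely a link scanner or another browser. Require a click first.
  return { action: "prompt", token };
}

async function consumeToken(token, verifyEmail, render) {
  const { status } = await verifyEmail(token);
  render(status === "OK"
    ? { view: "verified" }
    : { view: "error", message: "Link expired or already used" });
  return status;
}

async function handleVerificationPage({ href, doesSessionExist, verifyEmail, render }) {
  const decision = decideVerificationFlow(href, await doesSessionExist());
  if (decision.action === "missing-token") {
    render({ view: "error", message: "No verification token in the URL" });
    return decision;
  }
  if (decision.action === "prompt") {
    // The token is consumed only from the button's click handler, which scanners never fire.
    render({ view: "prompt", onClick: () => consumeToken(decision.token, verifyEmail, render) });
    return decision;
  }
  const status = await consumeToken(decision.token, verifyEmail, render);
  return { ...decision, status };
}

// Fake verify call (constructed): records every token it is asked to consume.
function makeFakeVerifyEmail() {
  const consumed = [];
  const verifyEmail = async (token) => {
    consumed.push(token);
    return { status: "OK" };
  };
  return { verifyEmail, consumed };
}

// Demo with constructed inputs: the same link is opened first by an email
// scanner (no session) and then by the real user (session present).
async function demo() {
  const link = "https://app.example.com/auth/verify-email?token=CONSTRUCTED_TOKEN";
  const { verifyEmail, consumed } = makeFakeVerifyEmail();
  const views = [];
  const render = (v) => views.push(v.view);

  const scanner = await handleVerificationPage({ href: link, doesSessionExist: async () => false, verifyEmail, render });
  const user = await handleVerificationPage({ href: link, doesSessionExist: async () => true, verifyEmail, render });
  // Expected: scanner -> "prompt", user -> "verify-now", token consumed exactly once.
  return { scanner: scanner.action, user: user.action, consumed, views };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r)));
}
```

The important property is that `consumed` ends up with exactly one entry: the scanner's visit only produced a prompt, so Bob signing up with Alice's address cannot get a verified status just because Alice's mail client followed the link. Anything that consumes the token unconditionally on page load loses that property.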
d
Thanks, now I got it. The fact that Bob signs up with Alice's email makes the point clear. Awesome!