I am using Identity 2 for registration and login in a new MVC solution. I have coded the register to send a confirmation email when someone registers, but then I'm still able to log in without verifying (clicking the verify link in the email).
I have used the standard code that is provided when Identity 2 is installed via NuGet. I have also used this example http://www.typecastexception.com/post/2014/04/20/ASPNET-Identity-20-Setting-Up-Account-Validation-and-Two-Factor-Authorization.aspx#Account-Validation:-How-it-works and I get the same.
Am I misunderstanding this? I thought that I wouldn't be able to log in until verified, as per every other site.
There's nothing about the login process itself that enforces that the email be confirmed. It seems that the sample projects don't care for login purposes, but they do check before allowing a password reset. As a result, you can adapt the code from that to add to your login action if you so desire. Essentially, you'd just do something like:
    if (!(await UserManager.IsEmailConfirmedAsync(user.Id)))
    {
        ModelState.AddModelError("", "E-mail address has not been confirmed");
    }
    if (ModelState.IsValid)
    {
        ...
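
One way to place that check inside a complete login action, as an added example that is not part of the answer above or of the Identity samples. It assumes the `UserManager` and `SignInManager` properties, the `RedirectToLocal` helper and a `LoginViewModel` with `Email`, `Password` and `RememberMe`, as generated by the MVC 5 project template, and it verifies the password before reporting the unconfirmed state so the message does not reveal which addresses are registered.

```csharp
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public class AccountController : Controller
{
    // Assumption: the UserManager and SignInManager properties, RedirectToLocal
    // and LoginViewModel are the ones the project template generates; they are
    // not repeated here.

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Check the credentials first. FindAsync returns null both for an
        // unknown user name and for a wrong password, so the caller cannot
        // tell the two cases apart.
        var user = await UserManager.FindAsync(model.Email, model.Password);
        if (user == null)
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        // Only someone who already knows the password is told that the
        // address is still unconfirmed. No sign-in cookie is issued.
        if (!await UserManager.IsEmailConfirmedAsync(user.Id))
        {
            ModelState.AddModelError("", "E-mail address has not been confirmed");
            return View(model);
        }

        await SignInManager.SignInAsync(user, isPersistent: model.RememberMe,
                                        rememberBrowser: false);
        return RedirectToLocal(returnUrl);
    }
}
```

Calling `SignInAsync` directly skips the lockout and two-factor handling that `SignInManager.PasswordSignInAsync` performs, so keep those checks if the application relies on them.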