Accounts.verifyEmail(token, [callback])
im using the acounts package and i dont know if this is intended:
If my user receives an email with the verification link and lets say he does not click it but someone else is on their computer seeing the link, clicks it, and the user automatically gets signed. So ne wrong person has no acces to everything.
Is this intented? any way to stop that?
It's designed that way, yes.
You can simply make sure the user has logged in using their password first before verifying their email.
Any suggestions how to do that “simply”?
In your custom verification flow:
User clicks link in email > Accounts.onEmailVerificationLink() fires > Prompt user to login or re-enter password if already logged in (via previously mentioned callback) > Accounts.verifyEmail()
Something to consider here. If a person has access to that users inbox, they can easily reset any password they want.
The fact that they are already automatically logged into your users inbox is much more of a concern than them being automatically logged into your app.