FusionAuth

    dan

    @dan

    Principal Product Engineer at FusionAuth.

    Enjoys ruby, java, php. Finds golang challenging.

    Likes the authorization code grant, automation, stories and clear documentation.

    Hiker, camper, gardener. Used to have chickens, now just tomatoes.

    Reputation 182 | Profile views 205 | Posts 2.7k | Followers 9 | Following 0
    Website fusionauth.io | Location Colorado, USA

    FAQ Posters Staff Power User administrators

    Best posts made by dan

    • Is there a way to update user data in the UI?

      I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users

      posted in Q&A user-data user-api from-slack faq
      dan
    • FusionAuth releases SimplePass™

      https://fusionauth.io/blog/2021/04/01/fusionauth-introduces-simplepass/

      posted in Blogs
      dan
    • Can I configure the inactivity timeout of the FusionAuth Session cookie?

      I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?

      posted in Q&A from-slack cookies sessions inactivity faq
      dan
    • Can you run FusionAuth in kubernetes?

      Can you run FusionAuth in Kubernetes?

      posted in Q&A kubernetes runtimes faq
      dan
    • RE: Block authentication until user is verified?

      Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?

      Within a lambda, you have access to the user and registration properties. So you'd pull the verified property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work.

      So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.

      Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.

      1. user registers
      2. JWT issued, with verified set to false because the user isn't verified.
      3. User verifies their email
      4. User visits API, but is denied because the JWT has stale data.

      I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?

      posted in Q&A
      dan
    • RE: Trouble getting the user object post login

      OK, we just released 1.18.8 and that is the version you want to use:

      In requirements.txt:

      fusionauth-client==1.18.8
      

      And then this is the call you want to make (with client_id before redirect_uri):

       resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)
      
      posted in Q&A
      dan
    • RE: Specifying password during user registration.

      Hiya,

      First off, we'd recommend having all the flow you outline be over TLS. That's good enough for most major ecommerce systems and so shouldn't be insecure. If you aren't serving your application over TLS, then I'd advise doing so. And note that the flow is actually:

      My Frontend --> My Backend --> FusionAuth API

      There's no password returned from the registration API call.

      If you are concerned about a new user's password being insecurely transmitted through your application, you could use the FusionAuth hosted login pages and theme them to be like your application. (More docs.)

      The other option, which takes encrypted passwords, is the Import Users API, but that's probably not a fit for one-off registrations. There are no plans to accept encrypted passwords for one-off user registrations. Here's a related issue you can weigh in on/vote up if you'd like. Or feel free to open a new issue if that one doesn't capture the essence of your idea.

      Are there specific security concerns you have around your front end/back end systems that I might be missing?

      posted in Q&A
      dan
    • RE: Error loading mysql backup

      I haven't seen that before.

      Does this happen in your customized version of FusionAuth (where you've added a few applications and users) or the default version?

      From looking at the mysqldump man page, maybe try --hex-blob?

      You could try loading the schema from the .sql files (https://fusionauth.io/direct-download/) and loading the data separately (that is, exporting with --no-create-info). Again, that's a wild guess, not sure what the issue is, but some more investigation seems to make sense.

      posted in Q&A
      dan
    • RE: I want to send email from my docker image

      I end up using a docker image of mailcatcher.

      I use the default docker-compose.yml, but use this docker-compose.override.yml:

      version: '3'
      
      services:
        mailcatcher:
          image: yappabe/mailcatcher
          ports:
            - "1025:1025"
            - "1080:1080"
          networks:
            - mailcatcher
      
        search:
          image: docker.elastic.co/elasticsearch/elasticsearch:7.8.1
          environment:
            cluster.name: fusionauth
            bootstrap.memory_lock: "true"
            discovery.type: single-node
            FUSIONAUTH_SEARCH_MEMORY: ${FUSIONAUTH_SEARCH_MEMORY}
            ES_JAVA_OPTS: ${ES_JAVA_OPTS}
          # Un-comment to access the search service directly
          # ports:
          #  - 9200:9200
          #  - 9300:9300
          networks:
            - search
          restart: unless-stopped
          ulimits:
            memlock:
              soft: -1
              hard: -1
          volumes:
            - es_data:/usr/share/elasticsearch/data
      
        fusionauth:
          depends_on:
            - search
            - mailcatcher
          environment:
            SEARCH_SERVERS: http://search:9200
            SEARCH_TYPE: elasticsearch
          networks:
            - mailcatcher
            - search
      
      networks:
        search:
          driver: bridge
        mailcatcher:
          driver: bridge
      
      volumes:
        es_data:
      

      Then I configure the SMTP settings to use the hostname mailcatcher and the port 1025. I can then send email and view it in the mailcatcher interface, at localhost:1080.

      Here's the relevant dockerfile: https://github.com/yappabe/docker-mailcatcher/blob/master/Dockerfile

      Here's more about mailcatcher: https://mailcatcher.me/

      posted in Q&A
      dan
    • RE: Having an issue with nginx in front of FusionAuth

      Ah, the answer is that Nginx defaults to HTTP/1.0 and if you are on a recent version of FusionAuth, this protocol is not supported by our HTTP server (HTTP 1.1 was, after all, released in 1997 🙂 ).

      The remedy is to update your Nginx configuration to use a later protocol with this change:

      proxy_http_version 1.1;
      

      Hope that helps.

      posted in Q&A
      dan

    Latest posts made by dan

    • RE: How to deal with sign-up spam?

      As of 1.62.0, FusionAuth supports pre-verification of emails and phone numbers.

      More details:

      https://fusionauth.io/docs/lifecycle/manage-users/verification/identity-pre-verification-using-email

      https://fusionauth.io/docs/lifecycle/manage-users/verification/identity-pre-verification-using-phone

      posted in Q&A
      dan
    • RE: Disable login to an application without deleting it

      You have a couple of options.

      • If you use the hosted login pages/authorization code grant, disabling all grants in the application settings page will prevent people from logging in.
      • If you use the login API and have customer-based API keys, you could turn on the 'require API key for login API' and then disable the customer's API key.
      • If you have the Enterprise plan, you could set up an IP ACL for an unroutable IP range.

      However, the easiest way to make sure an application cannot be logged into is to deactivate the application.

      posted in Q&A
      dan
    • Disable login to an application without deleting it

      Is there a way to disable logging into an application without disabling/deleting it?

      Per https://github.com/FusionAuth/fusionauth-issues/issues/1810 I'm not clear what my options are.

      posted in Q&A login application disable
      dan
    • RE: What are account recovery options with FusionAuth?

      Lots of options!

      • Self-service password recovery — SMS or Email based forgot password flows out of the box, with hosted pages that require no custom UI. If a user's login ID is a phone number, the reset is delivered via SMS automatically.
      • API-driven recovery — The full forgot password flow is triggerable via POST /api/user/forgot-password with an email, phone, or username as the login ID, giving teams complete control over the UI and recovery experience.
      • Admin and support-assisted recovery — Support staff can trigger resets or force password changes directly from the admin UI, no email required.
      • Admins can also remove MFA methods directly from the user record.
      • MFA recovery — Recovery codes generated at MFA enrollment let users bypass a lost second factor.
      • Self-service MFA configuration — Users can add, remove, and manage their own MFA methods (TOTP, SMS, email) from a hosted self-service account page without any admin involvement. Removing a method requires completing an MFA challenge first, which prevents unauthorized removal. If an admin removes a user's MFA method and the tenant or application policy is set to Required, the user will be prompted to set up MFA again on next login.
      • Webhooks and event-driven recovery — FusionAuth fires events like user.login.failed and user.password.reset that your backend can listen to and act on, enabling custom recovery logic, audit trails, and downstream notifications.
      • Account linking and IdP recovery — For users who log in via a social or enterprise IdP, FusionAuth can be configured to link that identity to a FusionAuth user record. If the IdP connection is the issue, the user can still go through the standard forgot password flow as long as a phone number or email is on their account, so recovery isn't solely dependent on the IdP being available.

      posted in Q&A
      dan
    • What are account recovery options with FusionAuth?

      What are account recovery options available with FusionAuth?

      posted in Q&A account recovery options
      dan
    • RE: how can I get an exact number of users with some attributes?

      You want to use search parameters like those outlined in this sample script.

      • use a key limited to POST on /api/user/search
      • set accurateTotal on the request
      • set numberOfResults to 1 on the request

      In the response, look at the total field.

      This will let you get exact numbers while reducing load on your instance.

      posted in Q&A
      dan
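    An added example (not dan's code and not a FusionAuth library) showing the counting pattern the answer above describes: one POST to /api/user/search with accurateTotal set and numberOfResults at 1, then read the total field. The request body shape, the Authorization header and the total field are assumed from the post and FusionAuth's public API docs; BASE_URL, API_KEY, the query string and the sample response are constructed placeholders, and fake_post stands in for the network so the script runs offline.

```python
"""Count users matching a query via the FusionAuth user search API.
Added example, not code from the forum post. Endpoint/body shape is an
assumption based on the post; BASE_URL and API_KEY are placeholders."""
import json
import urllib.request
from typing import Callable

BASE_URL = "http://localhost:9011"         # placeholder: your FusionAuth instance
API_KEY = "REPLACE_WITH_SEARCH_ONLY_KEY"   # placeholder: a key limited to POST /api/user/search


def build_search_request(query_string: str) -> dict:
    """Body for POST /api/user/search (assumed shape).

    numberOfResults=1 keeps the payload tiny: we only want the count,
    not the users. accurateTotal asks for an exact count instead of
    Elasticsearch's default approximate hit total."""
    return {
        "search": {
            "queryString": query_string,
            "numberOfResults": 1,
            "accurateTotal": True,
        }
    }


def http_post(url: str, body: dict, api_key: str) -> dict:
    """Real transport: JSON POST with the API key in the Authorization header."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def extract_total(response: dict) -> int:
    """Read the exact count; fail loudly if the field is missing or not an int."""
    total = response.get("total")
    if isinstance(total, bool) or not isinstance(total, int):
        raise ValueError("response has no integer 'total'; was accurateTotal set?")
    return total


def count_users(query_string: str,
                post: Callable[[str, dict, str], dict] = http_post,
                base_url: str = BASE_URL,
                api_key: str = API_KEY) -> int:
    body = build_search_request(query_string)
    return extract_total(post(base_url + "/api/user/search", body, api_key))


# Constructed sample response in the shape a real call returns.
SAMPLE_RESPONSE = {
    "total": 4213,
    "users": [{"id": "00000000-0000-0000-0000-000000000001",
               "email": "first@example.com"}],
}


def fake_post(url: str, body: dict, api_key: str) -> dict:
    """Offline stand-in for http_post that checks the request carries the
    two fields the post calls for before returning the constructed response."""
    if not url.endswith("/api/user/search"):
        raise ValueError("unexpected endpoint: " + url)
    search = body["search"]
    if search.get("accurateTotal") is not True or search.get("numberOfResults") != 1:
        raise ValueError("request must set accurateTotal and numberOfResults=1")
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    # Constructed query: users whose custom data field 'plan' is 'enterprise'.
    print(count_users('data.plan:"enterprise"', post=fake_post))
```

    Swap fake_post for the default http_post to hit a real instance. Keeping the transport pluggable also keeps the scoped API key out of test code, which matches the post's advice to use a key limited to the search endpoint.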
    • how can I get an exact number of users with some attributes?

      How can I get an exact number of users with some attributes? I'm using elasticsearch.

      posted in Q&A search
      dan
    • RE: Collect additional attributes at login after a user has been created and registered

      Beginning in version 1.65.0, FusionAuth offers Complete Registration. Full docs here.

      How this would work:

      • enable a registration form for the application your users are logging into
      • select certain attributes as required. If you are using a basic form, you could select 'birth date'. If you are using an advanced form, you can select whatever profile attributes you need
      • set the Registration mode to Complete registration. This setting means that users cannot self-register, but can complete missing information from an existing registration.
      • save the application

      Now, your admin user can create a user with a minimal amount of data (perhaps just an email address).

      The user will, at first login, be prompted to fill out their profile data, including all fields you've marked required.

      This is not full progressive registration, but can be useful in certain circumstances.

      posted in Q&A
      dan
    • Collect additional attributes at login after a user has been created and registered

      How can I collect additional profile attributes at login after a user has been created and registered?

      I'm using the hosted login pages. My admin user creates an account, but I want to collect other profile attributes from the user afterwards.

      posted in Q&A login profile attributes
      dan
    • RE: Adding custom url/domain - downtime?

      @kevin-doran This is a great question to ask FusionAuth support.

      Have you opened a ticket?

      posted in Q&A
      dan