Review collection does not require user email re-verification

ab-001218 · ecommerce-reviews.schema-seo.review-email-reauth
Severity: low · active

Why it matters

Forcing re-verification on already-authenticated users tanks review submission rates — every extra step compounds drop-off, and CAPTCHA or email re-confirmation on an active session signals distrust of your own auth system. Submissions fall, aggregate ratings shrink, and schema.org AggregateRating eligibility suffers from thin review counts. The friction also pushes users to third-party review platforms where the data leaves your control.

Severity rationale

Low because the flow still works, but unnecessary verification steps measurably depress submission completion rates.

Remediation

Trust the server-side session in api/reviews/submit and skip CAPTCHA, email re-verification, and second-factor challenges for logged-in users; the reviewer's identity comes from that session, not from anything the client re-enters. Reserve anonymous-path friction (email entry, lightweight CAPTCHA) for unauthenticated submissions only:

// POST /api/reviews/submit
if (!session?.user) {
  // Anonymous path: email entry is the only additional step
  const email = req.body.email
  await verifyAnonymousSubmitter(email)
} else {
  // Authenticated path: trust the active session and take the user id
  // from it rather than from the request body
  await db.reviews.create({
    data: { user_id: session.user.id, rating, text }
  })
}
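The handler sketched above, carried through as an added example that is not the page's or the project's own code: a submit handler that validates the body once, puts the single email-entry step on the anonymous path only, and attributes authenticated reviews to the session's user id. The in-memory createDb() store, httpError and verifyAnonymousSubmitter are assumptions standing in for the project's real database client, error helper and verifier.

```javascript
// Added example (not the page's own code): POST /api/reviews/submit with
// friction only on the anonymous path. createDb(), httpError() and
// verifyAnonymousSubmitter() are assumptions for this example.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function httpError(status, message) {
  const err = new Error(message);
  err.status = status;
  return err;
}

// Constructed stand-in for the project's database client.
function createDb() {
  const reviews = [];
  return {
    reviews: {
      create({ data }) {
        const row = { id: reviews.length + 1, ...data };
        reviews.push(row);
        return row;
      },
      all() {
        return reviews.slice();
      },
    },
  };
}

// Shared input validation; it applies to both paths and is not a friction step.
function validateReviewBody(body = {}) {
  const rating = Number(body.rating);
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    throw httpError(400, 'rating must be an integer from 1 to 5');
  }
  const text = typeof body.text === 'string' ? body.text.trim() : '';
  if (!text) throw httpError(400, 'text is required');
  return { rating, text };
}

// The one additional step anonymous submitters get: a syntactically valid
// email address. No CAPTCHA and no re-verification link are required here.
function verifyAnonymousSubmitter(email) {
  if (typeof email !== 'string' || !EMAIL_RE.test(email.trim())) {
    throw httpError(400, 'a valid email address is required for anonymous reviews');
  }
  return email.trim().toLowerCase();
}

// `session` is the server-side session resolved from the request cookie
// (null or undefined when the visitor is not logged in).
function submitReview(req, session, db) {
  const { rating, text } = validateReviewBody(req.body);

  if (!session?.user) {
    // Anonymous path: email entry is the only additional step.
    const email = verifyAnonymousSubmitter(req.body.email);
    const review = db.reviews.create({
      data: { user_id: null, submitter_email: email, rating, text },
    });
    return { status: 201, body: { id: review.id } };
  }

  // Authenticated path: trust the active session. The user id is taken from
  // the session, never from the request body, so the review is attributed to
  // the logged-in user regardless of what the client sends.
  const review = db.reviews.create({
    data: { user_id: session.user.id, rating, text },
  });
  return { status: 201, body: { id: review.id } };
}
```

Rejected input on either path returns 400 before anything is stored; neither branch adds a challenge beyond the form submission (authenticated) or the email field (anonymous).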

Detection

  • ID: ecommerce-reviews.schema-seo.review-email-reauth

  • Severity: low

  • What to look for: Count the number of friction steps an authenticated user must complete to submit a review: (1) email re-entry, (2) email re-verification link, (3) CAPTCHA, (4) second auth factor. List all friction steps found in the review submission handler and form component.

  • Pass criteria: Authenticated users (with active session) can submit reviews in no more than 1 step (the form submission itself) with 0 additional verification friction steps. Anonymous users may require at most 1 additional step (email entry) for identity purposes.

  • Fail criteria: Authenticated users must complete at least 1 additional verification step (email re-verification, CAPTCHA on every submission, or second auth factor) beyond the form submission itself.

  • Skip (N/A) when: The project requires login for all users and has no anonymous review path, or the review form is only accessible to authenticated users by design.

  • Detail on fail: "Authenticated users face 2 friction steps: CAPTCHA on every submission and email re-verification link. Only 1 step needed (the form submission)."

  • Remediation: Skip re-verification for authenticated users in api/reviews/submit:

    // POST /api/reviews/submit
    if (!session?.user) {
      // Require email for anonymous submissions
      const email = req.body.email
      // Verify email...
    } else {
      // Authenticated users can submit directly; the user id comes
      // from the server-side session, not from the request body
      const review = await db.reviews.create({
        data: {
          user_id: session.user.id,
          // ...
        }
      })
    }
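The pass, fail and skip rules above, as an added example that is not the page's or the scanner's own code: a function that evaluates this check against a declarative description of a project's review flow and produces the detail string in the format shown under "Detail on fail". The shape of the flow object is an assumption made for this example; a real scanner would derive it from the submit handler and the form component.

```javascript
// Added example (not the page's own code): evaluates the
// ecommerce-reviews.schema-seo.review-email-reauth check. The `flow` object
// shape is an assumption for this example.

// Friction steps the check looks for on the authenticated path, in the order
// the page lists them, with the wording used in the fail detail.
// `captchaEverySubmission` is true only for an unconditional CAPTCHA; a
// risk-based challenge shown to some traffic is not "CAPTCHA on every submission".
const AUTH_FRICTION_STEPS = [
  { key: 'emailReentry', label: 'email re-entry' },
  { key: 'emailReverification', label: 'email re-verification link' },
  { key: 'captchaEverySubmission', label: 'CAPTCHA on every submission' },
  { key: 'secondFactor', label: 'second auth factor' },
];

// Additional steps on the anonymous path. Email entry is allowed there
// (at most one additional step); anything beyond it fails.
const ANON_FRICTION_STEPS = [
  { key: 'emailEntry', label: 'email entry' },
  { key: 'emailReverification', label: 'email re-verification link' },
  { key: 'captchaEverySubmission', label: 'CAPTCHA on every submission' },
  { key: 'secondFactor', label: 'second auth factor' },
];

function presentSteps(path, steps) {
  return steps.filter((s) => path && path[s.key] === true).map((s) => s.label);
}

function joinList(items) {
  if (items.length <= 1) return items.join('');
  return `${items.slice(0, -1).join(', ')} and ${items[items.length - 1]}`;
}

function plural(n, word) {
  return `${n} ${word}${n === 1 ? '' : 's'}`;
}

// Returns { result: 'pass' | 'fail' | 'skip', detail }.
function evaluateReviewReauth(flow) {
  // Skip (N/A): no anonymous review path, login required for all reviewers.
  if (!flow.anonymousPath) {
    return { result: 'skip', detail: 'No anonymous review path; login is required for all reviewers.' };
  }

  // Fail: any additional verification step for authenticated users.
  const authSteps = presentSteps(flow.authenticated, AUTH_FRICTION_STEPS);
  if (authSteps.length > 0) {
    return {
      result: 'fail',
      detail: `Authenticated users face ${plural(authSteps.length, 'friction step')}: ${joinList(authSteps)}. Only 1 step needed (the form submission).`,
    };
  }

  // Anonymous users may require at most one additional step (email entry).
  const anonSteps = presentSteps(flow.anonymousPath, ANON_FRICTION_STEPS);
  if (anonSteps.length > 1) {
    return {
      result: 'fail',
      detail: `Anonymous users face ${plural(anonSteps.length, 'additional step')}: ${joinList(anonSteps)}. At most 1 (email entry) is allowed.`,
    };
  }

  return {
    result: 'pass',
    detail: `Authenticated users submit in 1 step; anonymous users need ${plural(anonSteps.length, 'additional step')}.`,
  };
}
```

A flow where authenticated users see CAPTCHA on every submission plus a re-verification link reproduces the page's failure detail; the same flow with both flags cleared passes, and a flow with no anonymous path is reported as not applicable.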
