<@U04UQ68083H> what is the best approach if a user...
# ory-copilot
@chilly-king-10285 what is the best approach if a user is logged in but still unverified.
A message from kapa.ai
Based on the knowledge sources provided, here's the recommended approach for handling a user who is logged in but still unverified:

The best approach is to allow the user to log in but limit their functionality until they verify their email address. This is considered a better practice than requiring a verified email for login, as it helps improve signup conversion rates.

Here are the key points to implement this approach:

1. Enable "Sign In After Registration" in the Ory Console or configuration.
2. Show a verification screen or prompt after login for unverified users.
3. Limit functionality for unverified accounts and display a banner encouraging verification.

To implement this, you can:

1. Configure the login flow to show the verification UI after login if the address is not verified yet. This can be done by adding the `verification` and `show_verification_ui` hooks to the login flow configuration.
2. In your application, check the session status after login. If the user is logged in but unverified, you can show a banner or limit certain features.
3. Provide an easy way for the user to initiate the verification process from within your application.

Here's an example of how to configure the hooks using the Ory CLI:
```shell
ory patch identity-config {project_id} \
  --add '/selfservice/flows/login/after/password/hooks=[{"hook": "verification"}, {"hook": "show_verification_ui"}]' \
  --add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "verification"}, {"hook": "show_verification_ui"}]' \
  --add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "verification"}, {"hook": "show_verification_ui"}]'
```
This approach balances security with user experience, allowing users to access basic functionality while encouraging them to complete the verification process.

Sources:
- [Login and registration webhooks and actions](https://www.ory.sh/docs/identities/sign-in/actions#show-verification-after-login-if-address-is-not-verified-yet)
- [Allow login only with verified email](https://www.ory.sh/docs/identities/sign-in/actions#allow-login-only-with-verified-email)
@chilly-king-10285 That approach is good, but I'd like to have it much stricter.
A message from kapa.ai
I understand that you prefer a stricter approach than the one I previously suggested. In that case, Ory does offer a more stringent option for handling unverified users.

Here's a stricter approach you can implement: you can configure Ory to allow login only with verified email addresses. This means users won't be able to log in at all until they've verified their email address. Here's how you can set this up:

1. Using the Ory Console:
   - Go to Authentication > Email verification in the [Ory Console](https://console.ory.sh/projects/current/verification).
   - Toggle "Require Verified Address for Login" to switch on the feature.
2. Using the Ory CLI, run this command:
```shell
ory patch identity-config --project <project-id> --workspace <workspace-id> \
  --add '/selfservice/flows/login/after/password/hooks/0/hook="require_verified_address"'
```
This configuration will prevent users from logging in if their email address is not verified. It's important to note that Ory doesn't generally recommend this approach, as it can negatively impact signup conversion rates. However, if security is your top priority and you're willing to accept a potentially lower conversion rate, this method will ensure that only verified users can access your application.

Remember that with this strict approach:

- Users will need to verify their email address before they can log in for the first time.
- If a user changes their email address, they'll need to verify the new address before they can log in again.
- You'll need to ensure your verification flow is robust and user-friendly to minimize friction in the signup and login process.

Sources:
- [Allow login only with verified email](https://www.ory.sh/docs/identities/sign-in/actions#allow-login-only-with-verified-email)
- [Require verified address](https://www.ory.sh/docs/actions/require-verified-address)