social_auth_account_verification
Adds email verification for accounts created via social authentication (e.g. Google, Facebook). New social auth users must verify their email with a 6-digit code before they can log in, helping prevent bot accounts.
Features
Basic functionality: When someone registers through a social provider (Social Auth), the module blocks the new account, generates a 6-digit verification code, and emails it to the user. The user cannot log in until they enter the code on the verification form. After successful verification, the account is unblocked and they can sign in normally.
What this module adds:
- Automatic blocking of newly created social auth accounts until email is verified
- Verification code sent by email with configurable subject and body
- Verification form where users enter the code (login attempts for unverified users are intercepted and redirected here)
- Configurable code expiration (default 60 minutes), max failed attempts (default 5), and rate limiting on resend (e.g. 3 per hour)
- Token support in emails: [site:name], [user:display-name], [verification:code]
- Custom content entity for verification data; optional admin list at /admin/content/social-auth-account-verification
- Drush commands: saav-resend to resend a code, saav-regenerate to create a new verification for a stuck user
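The limits listed above (60-minute expiry, 5 failed attempts, 3 resends per hour) fit together as in this plain-PHP sketch. It is an added example, not the module's code: the class, its methods, the digest storage and the per-code attempt counter are assumptions, and it uses no Drupal APIs.

```php
<?php
// Added sketch, not the module's code: class and method names are hypothetical.
final class VerificationRecord {
  private string $codeHash = '';
  private int $expiresAt = 0;
  private int $failedAttempts = 0;
  private array $sentAt = [];  // Unix timestamps of every code sent

  public function __construct(
    private int $ttlMinutes = 60,   // page default: code expiration
    private int $maxAttempts = 5,   // page default: max failed attempts
    private int $sendsPerHour = 3   // page example: resend limit
  ) {}

  /** Issues a fresh code, or returns null when the hourly send limit is hit. */
  public function issue(int $now): ?string {
    $this->sentAt = array_filter($this->sentAt, fn (int $t): bool => $t > $now - 3600);
    if (count($this->sentAt) >= $this->sendsPerHour) {
      return null;
    }
    // random_int() is a CSPRNG; zero-pad so the code is always 6 digits.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $this->codeHash = hash('sha256', $code);  // store a digest, not the code
    $this->expiresAt = $now + $this->ttlMinutes * 60;
    $this->failedAttempts = 0;  // assumption: the counter is per code
    $this->sentAt[] = $now;
    return $code;
  }

  /** Returns 'verified', 'invalid', 'expired' or 'locked'. */
  public function verify(string $submitted, int $now): string {
    if ($this->codeHash === '' || $now >= $this->expiresAt) {
      return 'expired';
    }
    if ($this->failedAttempts >= $this->maxAttempts) {
      return 'locked';
    }
    // hash_equals() compares in constant time.
    if (hash_equals($this->codeHash, hash('sha256', $submitted))) {
      $this->codeHash = '';  // single use: a verified code cannot be replayed
      return 'verified';
    }
    $this->failedAttempts++;
    return 'invalid';
  }
}

// Constructed usage: a correct code verifies once, then is spent.
$record = new VerificationRecord();
$code = $record->issue(time());
var_dump($record->verify($code, time()), $record->verify($code, time()));
```

Under these assumptions the defaults cap guessing at 3 × 5 = 15 tries per hour against 1,000,000 possible codes, so the expiry and attempt limits, not the digest, are what protect a 6-digit code.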
When to use it: Use this module when you rely on Social Auth for registration and want to reduce fake or bot accounts by requiring proof of a valid email before the first login.
Use cases: Sites that use Google/Facebook/Microsoft (or other Social Auth providers) for sign-up and need an extra verification step; communities that want to ensure users have access to the email associated with their social account before granting full access.
Post-Installation
After enabling the module:
- Go to Configuration → People → Social Auth Account Verification (/admin/config/people/social-auth-account-verification).
- Configure the verification email (subject and body), code expiration (minutes), max verification attempts, and any optional timeouts or messages.
- Optionally grant Administer Social Auth Account Verification to roles that should manage verification entities; they can then use Content → Social Auth Account Verification (/admin/content/social-auth-account-verification) to view or delete verification records.
No new content types or text formats are added. Once configured, the flow is automatic: new social auth sign-ups are blocked and emailed a code; unverified users who try to log in are sent to the verification form. Ensure your site can send mail (e.g. core mail or a module like SMTP) so verification emails are delivered.
Additional Requirements
- Drupal 11 (core)
- Social Auth (drupal.org/project/social_auth) — required for social login and for the USER_CREATED event this module subscribes to.
No external APIs or third-party libraries beyond what Social Auth uses. The module uses Drupal core mail and a custom content entity.
Recommended modules/libraries
None required. If verification emails are not received, consider configuring reliable outbound mail (e.g. an SMTP module or your host’s mail settings) and checking /admin/reports/dblog for mail log entries.
Similar projects
Generic email verification modules typically target standard Drupal registration (user register form), not social-auth-created accounts. This project is aimed specifically at Social Auth: it hooks into social provider registration, blocks those accounts until verification, and ties the verification flow to the first login. If you only use Social Auth for sign-up, this module fills that gap.
Uninstall note: Drupal will not uninstall the module while verification entities exist. Delete all verification entities first (e.g. via Drush: drush entity:delete social_auth_account_verification, or from the admin list), then uninstall.