Authenticate with email and weird things about it

Hi,
I want to use the AuthenticateEmailAsync feature on Nakama. There are a lot of weird things.
We cannot get/change/read the password of an email that the user enters.

  1. How can we recover their password?

  2. How can we know if a user entered the wrong email or password?
    We just have the “ApiResponseException: Invalid credentials.” error message, which is nothing, and we cannot do anything with that.

The “nakamaConnection.Socket.ReceivedError” action did not work!
So we can never handle the server error messages (email is wrong, password is wrong, the server is down, or many other things).

  3. How can we check the server’s status? The response of the server is not true (we cannot receive error messages from the server).

For security purposes, maybe, but we can never tell the user what the problem is (server is down, email is wrong, etc).
I’ve seen other topics where we can’t change or reset email passwords!

  4. So exactly what should we do if a user forgets the password?

I am trying to create a test account with a saved email and another password (fake value). I got the “ApiResponseException: Invalid credentials.” error message and cannot connect to the server. That means the real password (without hash) is compared to.

  5. So why are you not giving us any way to access the email password?

After I enter email and password and create an account, in User Account >> Authentication, at the bottom, I see the “Verification Status: Not Verified” message!
I did not link the device ID.

  6. What is this “Verification Status: Not Verified” message for?

{client is Unity, C#}

I appreciate any help.

Hello @jsonberg215,

I will answer each question by their respective numbers:

  1. This question seems to be a duplicate of this one made by you, which was already answered. Link: Forgot password system
  2. Exposing such details will allow an attacker to fine-tune their attack to your game. It’s a best practice to avoid revealing as much info as possible to non-authenticated people. An attacker could even use that to find out the emails of your player base, for example.
  3. To help you here, I will need more information. Could you share some snippets of your code, log errors, etc. :pray:
  4. Please check item 1 in this list.
  5. There are security implications on every decision, thus the game designers should think about them.
  6. The status is to indicate if an account was verified or not. This post should help you with that. Link: Email Verification Status

Best,
Flávio
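
The reasoning in answer 2, shown as an added example that is not part of the original posts and is not Nakama's code: a login check that does the same work and returns the same error for an unknown email and for a wrong password, so responses cannot be used to list registered emails. The names `Login`, `users`, `dummy` and `hashPassword` are hypothetical, the account data is constructed, and the iterated HMAC is a standard-library stand-in for a real password hash such as bcrypt.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrInvalidCredentials is the only failure a caller ever sees.
var ErrInvalidCredentials = errors.New("invalid credentials")

type account struct{ salt, hash []byte }

// hashPassword: iterated HMAC-SHA256, a stdlib-only stand-in for bcrypt/argon2.
func hashPassword(password string, salt []byte) []byte {
	sum := salt
	for i := 0; i < 10000; i++ {
		m := hmac.New(sha256.New, []byte(password))
		m.Write(sum)
		sum = m.Sum(nil)
	}
	return sum
}

// Constructed sample store; dummy is hashed against when the email is unknown.
var (
	users = map[string]account{
		"alice@example.com": {[]byte("s1"), hashPassword("correct horse", []byte("s1"))},
	}
	dummy = account{[]byte("s0"), hashPassword("unused", []byte("s0"))}
)

// Login fails identically for an unknown email and for a wrong password.
func Login(email, password string) error {
	acct, known := users[email]
	if !known {
		acct = dummy // still pay the hashing cost so timing does not differ
	}
	match := subtle.ConstantTimeCompare(hashPassword(password, acct.salt), acct.hash) == 1
	if !known || !match {
		return ErrInvalidCredentials
	}
	return nil
}

func main() { fmt.Println(Login("alice@example.com", "wrong"), Login("nobody@example.com", "wrong")) }
```

The client can still tell "credentials rejected" apart from "server unreachable", because the second is a transport failure rather than an authentication response.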