We have noticed that since the beginning of this year, new accounts are immediately considered verified. In the self-test:
New account with e-mail and MasterPW → welcome mail arrives, but there is no note to verify the e-mail account in the browser or in the welcome mail.
In the Admin Portal (Bitwardendomain/admin) the account immediately shows the verified icon. We have old accounts from Dec. 2024 which are not verified, so it must still have worked in December.
Has Bitwarden made any changes here? Server version is up to date. We found no settings for this.
I had a chat with one of the developers about what is going on here, and this is a bug.
Bitwarden refactored the registration flow so that, on cloud, email verification is a required part of the signup flow. This is enforced by providing an emailVerificationToken to the server when creating an account.
On self-host, this behavior is controlled by an environmental variable, but is off by default since self-host has a different threat profile than the Bitwarden cloud instances.
Rather than not requiring an emailVerificationToken in self-hosted environments where the variable is set to false, the server just hands the token to the client after providing the email address for the registering user (rather than sending it in an email). Then, when the user registers, because they did so with an emailVerificationToken, the server marks their email as verified.
We will track this internally, or if you prefer, feel free to create an issue on GitHub.
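Added example, not part of the thread and not Bitwarden's server code: a simplified Python model of the signup flow described in the reply above, showing why a token handed directly to the client ends up marking the address as verified. All class, method and field names are hypothetical, and the `fixed` branch is one possible correction assumed for illustration; the thread does not describe the actual fix.

```python
import secrets

class RegistrationServer:
    """Toy model of the two-step signup flow (hypothetical names throughout)."""

    def __init__(self, require_email_verification, fixed=False):
        self.require_email_verification = require_email_verification
        self.fixed = fixed    # assumed correction, see finish_registration
        self.tokens = {}      # token -> (email, delivered_by_email)
        self.outbox = []      # (email, token) pairs "sent" as mail
        self.users = {}       # email -> {"email_verified": bool}

    def start_registration(self, email):
        token = secrets.token_urlsafe(16)
        if self.require_email_verification:
            # Cloud-style behaviour: the token only travels via the mailbox.
            self.tokens[token] = (email, True)
            self.outbox.append((email, token))
            return None
        # Setting off: the token is returned straight to the client.
        self.tokens[token] = (email, False)
        return token

    def finish_registration(self, email, token):
        entry = self.tokens.pop(token, None)
        if entry is None or entry[0] != email:
            raise ValueError("invalid or mismatched token")
        delivered_by_email = entry[1]
        if self.fixed:
            # Holding a token proves mailbox access only if it was mailed.
            verified = delivered_by_email
        else:
            # Behaviour described in the thread: any valid token => verified.
            verified = True
        self.users[email] = {"email_verified": verified}
        return verified

def signup(server, email):
    """Run both steps as a client would; returns the stored verified flag."""
    token = server.start_registration(email)
    if token is None:
        # Constructed stand-in for the user opening the verification mail.
        token = next(t for e, t in server.outbox if e == email)
    return server.finish_registration(email, token)
```

With the setting off, the unfixed model reports every new account as verified, matching what the admin portal showed in the original report.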