Send confirmation email after registering
Is your feature request related to a problem? Please describe.
- You can't be sure that the email you used to register was correct
- Spammers can create a lot of accounts very easily
- Someone else can use your email (even if I don't know why anyone would do that?)
Describe the solution you'd like
Send a confirmation email when creating an account.
Accounts created from the CLI should probably be immediately confirmed.
Describe alternatives you've considered
Someone else can use your email (even if I don't know why anyone would do that?)
Someone could sign up in your name and leave hateful comments.
I'm not even sure admins can see a user's email address at this point, so doing this would not really impersonate the email owner. And doing it using their pseudo is probably unavoidable, and far more effective to discredit someone.
Would love to see some form of notification to admins whenever a new account is created.
A very primitive way to do it is to BCC confirmation emails to admin's email address
Also, want to see support of ESPs such as SendGrid, Mailgun. Thanks!
You should open a new issue for supporting ESPs. The two you named seem to have some Rust bindings, so it should not be too difficult, but if it stays here as a comment, it will definitely get forgotten.
What happens if an email which is already used for an existing user is posted for registration?
I think it is clearly assumable that email is identity linked, so that if an email is already referenced it should not be reused, but this fails the goal of the fediverse as this can mean a central database...
There are many directions:
- Just send the e-mail and store the address for that user, with a (1:Email)->(N:User) mapping, but this means that given an email we can't get the user (is this really a problem?)
- Verify that the mail is not linked to another user on the local instance; email thus becomes identifying data and can maybe be used in place of the username for connecting.
- Verify that the mail is not linked on every Plume instance, but this prevents someone from having two identities linked to the same email.
In the first option, it is mandatory when using the email to also provide the username, but maybe there are some impersonation issues (someone claiming to be another user).
In the second one, email is identifiable and we just have to check and emit an error if it is already in use.
I think the second option is the heaviest one (needs to query the database with some SELECT COUNT(username) FROM users WHERE mail = ?given_email), but it is also the safest one.
Thank you for your thoughts.
I choose the second. What should we do if an email which is already used for a user is provided for sign up?
- Should send an email to the existing user?
- Show "This email is already used"?
- It might expose privacy
My current thought is:
- Doesn't send an email
- But shows "Email is sent to the address"
- In order to protect privacy
- Writes warning to log file
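
The behaviour proposed in the last comment (no mail for a duplicate address, the same "Email is sent to the address" notice either way, a warning in the log), sketched as an added example that is not Plume's code. The `Instance` type, its fields, the caller-supplied token and the case-insensitive email comparison are all assumptions.

```rust
use std::collections::HashMap;

/// Shown for every sign-up attempt, whether or not the email was already registered.
pub const SIGNUP_NOTICE: &str = "Email is sent to the address";

#[derive(Default)]
pub struct Instance {
    users: HashMap<String, (String, bool)>, // normalized email -> (username, confirmed)
    pending: HashMap<String, String>,       // confirmation token -> normalized email
    pub outbox: Vec<(String, String)>,      // queued confirmation mails: (recipient, token)
    pub warnings: Vec<String>,              // stand-in for the log file
}

fn normalize(email: &str) -> String {
    email.trim().to_lowercase()
}

impl Instance {
    /// `token` is supplied by the caller to keep this std-only; it must come from a CSPRNG.
    pub fn register(&mut self, username: &str, email: &str, token: &str) -> &'static str {
        let key = normalize(email);
        if self.users.contains_key(&key) {
            // Duplicate: send nothing, warn in the log, answer exactly as for a new address.
            self.warnings.push(format!("sign-up '{}' used an already registered email", username));
        } else {
            self.users.insert(key.clone(), (username.to_string(), false));
            self.pending.insert(token.to_string(), key.clone());
            self.outbox.push((key, token.to_string()));
        }
        SIGNUP_NOTICE
    }

    /// Tokens are single-use: a token is removed from `pending` as soon as it is presented.
    pub fn confirm(&mut self, token: &str) -> bool {
        match self.pending.remove(token) {
            Some(email) => self.users.get_mut(&email).map(|u| u.1 = true).is_some(),
            None => false,
        }
    }

    pub fn is_confirmed(&self, email: &str) -> bool {
        self.users.get(&normalize(email)).map_or(false, |u| u.1)
    }
}

fn main() {
    let mut plume = Instance::default();
    println!("{}", plume.register("alice", "alice@example.org", "constructed-token-1"));
    println!("{}", plume.register("mallory", "Alice@Example.org", "constructed-token-2"));
    println!("mails queued: {}, warnings: {:?}", plume.outbox.len(), plume.warnings);
}
```

The warning records the attempted username but not the address, so the log does not become a second place where registered emails can be read.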