Send confirmation email after registering #636

Closed
by elegaanz opened 3 years ago · 8 comments
elegaanz commented 3 years ago (Migrated from github.com)
Owner

Is your feature request related to a problem? Please describe.

  • You can't be sure that the email you used to register was correct
  • Spammers can create a lot of accounts very easily
  • Someone else can use your email (even if I don't know why anyone would do that?)

Describe the solution you'd like

Send a confirmation email when creating an account.

Accounts created from the CLI should probably be immediately confirmed.

Describe alternatives you've considered

Additional context

From #635

igalic commented 3 years ago (Migrated from github.com)
Owner

> Someone else can use your email (even if I don't know why anyone would do that?)

Someone could sign up in your name, and leave hateful comments.

I'm not even sure admins can see a user's email address at this point, so doing this would not really impersonate the email owner. And doing it using their pseudo is probably unavoidable, and far more effective to discredit someone.

GitHubGeek commented 3 years ago (Migrated from github.com)
Owner

Would love to see some form of notification to admins whenever a new account is created.

A very primitive way to do it is to BCC confirmation emails to the admin's email address.

Also, want to see support of ESPs such as SendGrid, Mailgun. Thanks!

You should open a new issue for supporting ESPs. The two you named seem to have some Rust bindings, so it should not be too difficult, but if it stays here as a comment, it will definitely get forgotten.

KitaitiMakoto modified the milestone from 1.0 to 0.8.0 5 months ago

I'm implementing this feature so that it sends an email *before* registering.

Required consideration:

What happens if an email which is already used for an existing user is posted for registration?

I think it is clearly assumable that email is identity linked, so that if an email is already referenced it should not be reused, but this fails the goal of the fediverse as this can mean a central database...

There are many directions:

  • Just send the e-mail and store the address for that user, with a (1:Email)->(N:User) mapping, but this means that given an email we can't get the user (is this really a problem?)
  • Verify that the mail is not linked to another user on the local instance; email thus becomes identifying data and can maybe be used in place of the username for connecting.
  • Verify that the mail is not linked on every Plume instance, but this prevents someone from having two identities linked to the same email.

In the first option, it is mandatory when using the email to also provide the username, but maybe there are some impersonation issues (someone claiming to be another user).
In the second one, email is identifiable and we just have to check and emit an error if it is already in use.

I think the second option is the heaviest one (needs to query the database with some `SELECT COUNT(username) FROM users WHERE mail = ?given_email`), but it is also the safest one.

Thank you for your thoughts.

I choose the second. What should we do if an email which is already used for a user is provided for sign up?

  • Should send an email to the existing user?
  • Show "This email is already used"?
    • It might expose privacy

My current thought is:

  • Doesn't send an email
  • But shows "Email is sent to the address"
    • In order to protect privacy
  • Writes warning to log file
KitaitiMakoto closed this issue 5 months ago
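
The behaviour settled on in the last comment (no mail for an address already in use, the same "Email is sent to the address" message either way, a warning in the log), as an added Rust example that is not Plume's code. `Signup`, its fields, the lowercasing of addresses and the `/dev/urandom` token source are assumptions made for the illustration.

```rust
use std::{collections::{HashMap, HashSet}, fs::File, io::Read};

/// The one message every caller sees, whether or not the address is taken.
pub const PUBLIC_MSG: &str = "Email is sent to the address";

#[derive(Default)]
pub struct Signup {
    registered: HashSet<String>,       // emails of existing local users
    pending: HashMap<String, String>,  // token -> email awaiting confirmation
    pub outbox: Vec<(String, String)>, // (recipient, token): stands in for the mailer
    pub warnings: Vec<String>,         // stands in for the log file
}

// Assumption: addresses are compared trimmed and lowercased.
fn normalize(email: &str) -> String { email.trim().to_lowercase() }
// Assumption: a Unix host; 128 bits from the kernel CSPRNG, hex-encoded.
fn new_token() -> String {
    let mut buf = [0u8; 16];
    File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut buf)).expect("CSPRNG");
    buf.iter().map(|b| format!("{:02x}", b)).collect()
}

impl Signup {
    pub fn add_user(&mut self, email: &str) { self.registered.insert(normalize(email)); }

    /// Handles a sign-up request; the return value never depends on the lookup.
    pub fn request(&mut self, email: &str) -> &'static str {
        let email = normalize(email);
        if self.registered.contains(&email) {
            self.warnings.push(format!("sign-up requested for address in use: {}", email));
        } else {
            let token = new_token();
            self.pending.insert(token.clone(), email.clone());
            self.outbox.push((email, token));
        }
        PUBLIC_MSG
    }

    /// Single-use token; fails if the address was registered in the meantime.
    pub fn confirm(&mut self, token: &str) -> bool {
        self.pending.remove(token).map_or(false, |email| self.registered.insert(email))
    }
}

fn main() {
    let mut s = Signup::default();
    s.add_user("alice@example.org"); // constructed sample data
    println!("{}", s.request("alice@example.org") == s.request("bob@example.org"));
}
```

Response timing can still differ between the two branches if mail is sent synchronously inside the request; handing delivery to a queue keeps the two paths indistinguishable to the caller.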