Add a "verify" flow, to verify product owners #73

jacquescrocker opened this issue Dec 21, 2015 · 5 comments

@jacquescrocker

The person submitting a product is not necessarily the product owner.

We need a UX flow to allow the product owner to prove he is the owner, so he can see private feedback posted to his product.

strategies:

  • email [any]@domain.com
  • add private TXT record to DNS
  • contact support
jacquescrocker self-assigned this Dec 21, 2015

@rmcfadzean
Contributor

[Image: openhuntverification 2]

How does a flow like that sound? It's missing a bit of detail, which I'll try to explain below.

I'm unsure if the plan is to allow projects to be submitted by non-owners so I've left that part a little open. Walking through the idea, it's pretty simple:

A project is submitted and the submitter sees a small 'Verification' (or similar) button on the project's page. Clicking this will show the steps for the two (current) verification methods mentioned in the first post.
The first will be to email <their_choice>@<project_domain> with a link containing the unique verification code (SecureRandom.hex(10) or similar) which was generated when the verification link was clicked and a link to somewhere along the lines of

OpenHunt Project Verification Email for project_name

Click here to verify that @submitter.username is an owner of this project openhunt.co/verify?code=:code

The second will allow them to create a TXT record on the project domain with the key ohunt/openhunt and the value as the code. Depending on how complex you want to make the next part there are two (possibly more) ways to then verify that.
One would be an automatic background runner constantly trying to verify the TXT records of domains which have a code but are unverified; the other would be a simple 'Check domain verification' button or similar which will spawn an async background runner to check and report back.

Both of these will also add the submitter to a new ProjectOwners model and toggle the project's verified attribute to true. If you're going the route of allowing non-owners to post, this would also add some visual flair to show verification status.

edit: A quick side note I only just realised... with this project being open source and the code being the same for both email and DNS in my suggestion, when the code is displayed for use with the DNS record, one could simply use it on the email verification URL without actually owning the email address. A possible solution to this is salting/modifying the code for DNS based on a secret key in the Rails application.
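
The fix suggested in the edit note above (a DNS code derived from a secret key so that it cannot be reused on the email URL), as an added example that is not part of the original comment or the OpenHunt code base. The helper names, `APP_SECRET` and the sample ids are assumptions made for illustration; HMAC-SHA256 is one way to do the derivation.

```ruby
require "openssl"
require "securerandom"

# Assumption: stands in for a secret kept in the Rails app's configuration.
# Constructed value for this example only.
APP_SECRET = "constructed-example-secret"
CHANNELS = %w[email dns].freeze

# Random per-request code, stored server-side with the pending verification.
def new_verification_code
  SecureRandom.hex(10)
end

# Value handed out for one channel. The HMAC binds it to the channel, the
# project and the submitter, so knowing the algorithm (open source) or the
# DNS value does not yield the email value without APP_SECRET.
def channel_token(code, channel:, project_id:, user_id:, secret: APP_SECRET)
  raise ArgumentError, "unknown channel: #{channel}" unless CHANNELS.include?(channel)
  message = [channel, project_id, user_id, code].join("\x00")
  OpenSSL::HMAC.hexdigest("SHA256", secret, message)
end

# Comparison that does not stop at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Recompute the expected token for the channel being checked and compare.
def valid_token?(presented, channel:, code:, project_id:, user_id:)
  expected = channel_token(code, channel: channel, project_id: project_id, user_id: user_id)
  secure_equal?(expected, presented.to_s)
end

if __FILE__ == $PROGRAM_NAME
  code = new_verification_code
  ids = { project_id: 42, user_id: 7 } # constructed sample ids
  dns_value = channel_token(code, channel: "dns", **ids)
  puts "TXT value shown to submitter: #{dns_value}"
  puts "accepted as DNS proof:   #{valid_token?(dns_value, channel: 'dns', code: code, **ids)}"
  puts "accepted as email proof: #{valid_token?(dns_value, channel: 'email', code: code, **ids)}"
end
```

Inside a Rails application the hand-written comparison can be replaced with `ActiveSupport::SecurityUtils.secure_compare`.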

@nblackburn
Contributor

Both methods assume the project is hosted on a domain that the owner has access to, which might not be the case.

@rmcfadzean
Contributor

Fair point. In those cases some level of manual support fall-back would definitely need to be implemented. Some automation on the domain-level verification would be nice as it's likely going to be the most common but will obviously not always be the case. A GitHub verifier, for example, wouldn't be the hardest thing in the world to implement and does, in a way, lend itself to the 'openness'. It still won't cover every possibility.

@nblackburn
Contributor

I like the GitHub verification idea but you're right about it still not covering all possible scenarios.
