
Email Verification #11

Closed
3 tasks done
William-McGonagle opened this issue Dec 24, 2021 · 11 comments
Assignees
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@William-McGonagle
Member

William-McGonagle commented Dec 24, 2021

Idea

Users are a difficult part of programming because there are always bad users. Email verification stops users from creating spam accounts and it also lets us determine where groups of spam accounts may be. This is why we need a system for users to verify their emails.

Todo

  • Send Verification Email to Users
  • Add Email Bool to User in Database
  • Restrict User from Actions Until Email is Verified
@William-McGonagle William-McGonagle added enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed and removed good first issue Good for newcomers labels Dec 24, 2021
@NeilChaudhari NeilChaudhari self-assigned this Dec 26, 2021
@MassiGy
Member

MassiGy commented Feb 27, 2022

Looks very interesting to me!
I wonder if I am still able to finish it, or is someone already doing it?

Massiles.

@NeilChaudhari
Member

Looks very interesting to me!

I wonder if I am still able to finish it, or is someone already doing it?

Massiles.

Go ahead :)

@MassiGy
Member

MassiGy commented Feb 28, 2022

Cool, thanks guys!

@MassiGy
Member

MassiGy commented Feb 28, 2022

Hey there, @William-McGonagle @NeilChaudhari

I want to discuss my email verification system design a little bit. I am going to walk you through the steps that a typical signup scenario will follow, but first a short description.

Description:
My system will basically make sure that the user has a valid email (is not a spammer) on the user's behalf before actually making a request to our back end. For that we will use a third-party API, with which we will send a digit-based code to the user's email address, and we will ask them to type it back into a browser-based prompt.

If the code is correct, then we will make the API call to our back end.

Steps:

  • USER : Submit the Form.
  • CLIENT SIDE SCRIPT : Prevent Form API Call + Send Code in Email to User + Ask User with Browser Prompt.
  • USER : Fill the Prompt with the Code.
  • CLIENT SIDE SCRIPT $IF typed_code===forwarded_code : Make Back end API Call + Create new User Record.
  • CLIENT SIDE SCRIPT $Else : Redirect User to /signup with Feedback Message.

Pros & cons

->Pros

  • Huge performance gain, since there will be no spamming overload on our back end. If the user wants to spam, he can only spam his own browser and personal RAM, XD.
  • Lower cost and better security, since we are making fewer API calls compared to a back-end-based verification system.
  • Better UX, since the browser response and interaction will be much faster than our back end responses.
  • and more.

->Cons

  • Vulnerable to XSS attacks: since we wait for the user to submit the correct code, we have to save the user's credentials on the user's behalf (browser storage), so if the user walks away or leaves the browser session open, this information can be accessed with an XSS attack.

Comments on the Cons
As you can see, there is only one drawback, and this scenario is very unlikely to happen; also, it is mostly the user's fault.
A possible solution is to add a timeout, which will redirect the user to a new blank form after some period of inactivity.

Please let me know if something is wrong, and I would love to hear your comments and ideas on this!

Thanks,
Massiles.

@MassiGy
Member

MassiGy commented Mar 2, 2022

Hey there, @William-McGonagle , @NeilChaudhari

I've done some research about free APIs to use in order to create the client-side system for email verification. But this cannot be done without revealing the API keys.

So this cannot be done without a trade-off!

Suggestions

  • Solution 1 : Build the same system but in our back end.
  • Solution 2 : Create our own email sending API server.
  • Solution 3 : Discuss & search together.

Cons

  • Solution 1: makes more API calls, which can slow down our back end, but we have more control over it, and it is much more secure.
  • Solution 2: it will cost us a server or a Docker container to run this service.

Well, these are my thoughts for the moment. I would love to hear from you guys to see what the best design for this system is.

Thanks in advance.
Massiles.

@MassiGy
Member

MassiGy commented Mar 8, 2022

Hey everyone!

I've continued researching the subject, and it turned out that the most relevant solution is a back-end email verification system.

Why?

  • Data Security: Performance is good, but security is better. Client-side validation gives the user access to the validation layer, and since it is on the client side (browser), it can be bypassed via API consumption tools like Postman, which do not run the client scripts.
  • Software Security: Client-side scripts are literally modifiable by the user, and we cannot have a data validation system that the user can modify.
  • Software Design: One of the benefits of building systems on the back end is that you can design and change them however you like, and the users won't even notice.
  • and more.

Solutions
What I think will be the best solution is to create a Gmail account dedicated to the organization, and build an emailing system using this address via the node-mailer library.

Benefits

  • This will help us send the emails in a secure way.
  • Emails go directly to the user's inbox, not to spam.
  • Covers most of our users, since Gmail is the most famous emailing SaaS.

Drawbacks

  • This system will not prevent the user from submitting an invalid email address, but it will not set User.confirmed_email to true until the user validates it.
  • Meanwhile, some users will validate it and others won't, so we will need a system running in the background of our server that checks whether there are any user records that have the confirmed_email property set to false and are old (created more than one month ago, for example).

Comments
As you can see, the drawbacks are not that significant and do not involve any security leaks, which was the main problem at the beginning.

I would love to hear your thoughts about this, and please let me know if something is wrong with it.

Thanks in advance!
Massiles.

@NeilChaudhari
Member

NeilChaudhari commented Mar 9, 2022 via email

@MassiGy
Member

MassiGy commented Mar 9, 2022

Hey Neil,

Thank you so much for the great support and feedback, I appreciate it!

Yeah, I've already started on the implementation, and for now I'm testing with my Gmail account credentials. The system is almost done: I'm now able to send emails to user email addresses, and I can also handle the request for validating their email in our db when they actually click on the link that I've sent to them.

So the first two tasks on this issue are done!
Only the last one is left, and it should be an easy one; since we already have an auth middleware, it will be very similar.

This is the status of my progress at the moment, I hope that is clear.

Please let me know if something is wrong!

Thanks again.
Massiles.

@William-McGonagle
Member Author

Hey @MassiGy,

I just checked out your pull and it looks awesome. The email fits our style perfectly, and I just pushed some small changes so now it should be working in production. I still have to run some tests, but I'll let you know how it goes.

@William-McGonagle
Member Author

It works!!! Thank you so much for your help with this one @MassiGy!

@MassiGy
Member

MassiGy commented Mar 12, 2022

Hey @William-McGonagle,

You are welcome, and thanks for the great feedback, it is really nice!

Thanks again!
Massiles.

Status: Done
3 participants