
One step UserPass registration #388

Open

pichsenmeister opened this issue Apr 7, 2014 · 6 comments

Comments

@pichsenmeister

First of all: great work on this project!
But: is there any possibility to make the registration in one step, so that you can send only one form with email, name, password, ...? I think the way it is done at the moment isn't a good approach in terms of UX...
thanks!

@lyuen

lyuen commented Apr 18, 2014

This is one feature that we would like to have for our project as well.

There is already a pull request with what you are looking for, although there haven't been any updates to it for a few months.

#260

@jaliss
Owner

jaliss commented Apr 19, 2014

@3x14159265 @lyuen My concern with making a one step registration is that we would be forced to show an error message if someone tries to register with an existing email address. This will leak information about the user base and could potentially be used by an attacker to target accounts knowing they exist.

What are your thoughts on this? It might be depending on different needs/use cases that some people might be ok with that risk.

@paiou

paiou commented Apr 19, 2014

I think there is no additional risk, the workflow should be the same as current one, i.e.:

  • Display an informational message requesting to check the mailbox for further instructions.
  • Then the email itself contains different instructions depending on account existence.

As I mentioned in One-step user registration #260, I also needed the feature for my project, so I worked to improve the proposed request a bit. My code is now fully working and I could submit a PR next week.

@pichsenmeister
Author

@jaliss @lyuen I think that risk is acceptable compared to the risk that the user is not going to sign up because the sign-up flow is disrupted (but of course, it depends on what kind of application you're developing). Anyway, I already forked this repo to change it to my needs.

@jaliss
Owner

jaliss commented Apr 19, 2014

I understand your concern @3x14159265.

What @paiou says might work, but it's a bit different from what #260 was doing. In it, users are allowed to log in immediately (but marked as non-verified). If you plan to support that, then you will be forced to show an error if a sign-up with an existing email address is attempted (again, depending on the use case, people might be ok with this).

@3x14159265 is your flow the same as what @paiou mentioned above?

@tabdulradi

@jaliss
#260 This line makes sure that the user is active before logging him in:
https://github.com/jaliss/securesocial/pull/260/files#diff-85a165c733917359c2bf82c8ef290049R86
There is no way to tell whether the email doesn't exist or exists but is not active, so there is no leaked info about existing emails.

However, allowing anonymous users to log in was a feature I had in mind to implement next. We will have to accept the risk of leaking info then.
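The flow @paiou describes and the activity check @tabdulradi points at in #260 fit together into one pattern, sketched below as an added example (not SecureSocial code, and not written against the Play API): the sign-up endpoint always answers with the same "check your mailbox" message, the e-mail that goes out differs depending on whether the address already has an account, and the login path gives an unknown address, a wrong password and a not-yet-activated account the identical error. The in-memory `users`, `outbox` and `pending_tokens` stores stand in for the database and the mailer and are constructed for the illustration.

```python
"""Enumeration-resistant one-step registration and login (added illustration).

Nothing the requester sees differs between "new address" and "address already
registered"; only the mailbox owner learns which case applied.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    email: str
    name: str
    password_hash: bytes
    salt: bytes
    active: bool = False


# Constructed stand-ins for the user table, the mailer and the activation-link store.
users: dict[str, User] = {}
outbox: list[tuple[str, str]] = []      # (recipient, subject) of every mail "sent"
pending_tokens: dict[str, str] = {}     # activation token -> email address

CHECK_MAILBOX = "Check your mailbox for further instructions."
LOGIN_FAILED = "Invalid email or password."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _issue_activation(email: str) -> None:
    token = secrets.token_urlsafe(32)
    pending_tokens[token] = email
    outbox.append((email, "Activate your account"))


def register(email: str, name: str, password: str) -> str:
    """One-step sign-up. The return value is the same in every branch."""
    email = email.strip().lower()
    existing = users.get(email)
    if existing is None:
        salt = secrets.token_bytes(16)
        users[email] = User(email, name, _hash_password(password, salt), salt)
        _issue_activation(email)
    elif not existing.active:
        # Pending account: re-send the activation link but keep the credentials
        # from the first submission, so a second submitter cannot plant a password
        # that the real mailbox owner then activates.
        _issue_activation(email)
    else:
        # Already registered: only the mailbox owner is told, never the requester.
        outbox.append((email, "You already have an account"))
    return CHECK_MAILBOX


def activate(token: str) -> bool:
    """Consume a single-use activation token from the e-mail link."""
    email = pending_tokens.pop(token, None)
    if email is None:
        return False
    users[email].active = True
    return True


def login(email: str, password: str) -> str:
    """Unknown address, wrong password and inactive account fail identically."""
    email = email.strip().lower()
    user = users.get(email)
    if user is None:
        # Run the same hash work so the unknown-address path is not visibly faster.
        _hash_password(password, b"\x00" * 16)
        return LOGIN_FAILED
    password_ok = hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)
    if not password_ok or not user.active:
        return LOGIN_FAILED
    return f"Welcome, {user.name}"
```

The point of the design is that every observable output of `register` and `login` to the requester is independent of whether the address exists; the only place the two cases diverge is the subject of the mail in `outbox`, which an attacker who does not control the mailbox never sees. The trade-off jaliss raises still holds: the moment a product lets unverified accounts log in, `login` has to distinguish "no such user" from "wrong password for an existing, unverified user", and the error text becomes an oracle.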
