Email validation needs an email parameter (docs) #577

Closed
dmaze opened this issue Apr 3, 2015 · 12 comments

Comments

@dmaze

dmaze commented Apr 3, 2015

The documentation recommends creating a completion URL for email validation with

```python
from flask import url_for
url = url_for('social.complete', backend=strategy.backend_name,
              _external=True) + '?verification_code=' + code
```

but you get a vague exception if the link isn't clicked within the same session. Adding an email query parameter fixes this. My working code looks like

```python
from flask import url_for
url = url_for('social.complete', backend=strategy.backend_name,
              verification_code=code.code, email=code.email,
              _external=True)
```

@omab
Owner

omab commented Apr 4, 2015

What's the vague exception?

@omab omab added the incomplete label Apr 4, 2015
@cmltaWt0
Contributor

cmltaWt0 commented Apr 6, 2015

```
Exception Type: AuthMissingParameter
Exception Value: Missing needed parameter email
```

This exception is raised when we validate the email within a different session.
Steps to reproduce:

  1. Send email to validate.
  2. Logout.
  3. Click validation link.

@omab
Owner

omab commented Apr 27, 2015

If that's the error, it won't only fail the validation because email is "missing", it will also break the whole authentication process since the pipeline information is empty, the whole authentication process will fail.

@omab omab closed this as completed Apr 27, 2015
@cmltaWt0
Contributor

cmltaWt0 commented May 8, 2015

@omab The whole authentication process does not fail - it will start as a new login/register process...
And there is a problem because if a user clicks to associate an email and confirms the email from another PC (for example from a phone), it will fall into a new login process but not into the email association process...

@craig-hacklaunch

@omab as @maxsocl mentioned above, I don't think the current implementation is how most users expect things to work. There should not be a dependency on the session for the mail validation partial. There is no guarantee the user will continue the process using the same device or even browser. Any state information should be retrievable from the validation link and not depend on the session.

@cmltaWt0
Contributor

@omab @craig-hacklaunch
UPD: I got around this issue by creating a custom Strategy, Storage and Code. In Code I have a user_id field. And when a user clicks the confirmation link on a different PC I can see exactly which user wants to confirm an email.

@omab
Owner

omab commented May 13, 2015

@maxsocl, @craig-hacklaunch, I see the problem now, and even if I think that this could be solved with a re-write of the email validation pipeline, this affects all the pipeline functions that use the partial mechanism, so, I'm already working on a restructure of the pipeline serialization functionality that will improve this behavior. Basically the pipeline data will be dumped to a DB table and a hash code will be used to identify the processes which can be stopped and continue later, removing the dependency of the session.
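
One way to implement the approach described in the comment above (pipeline data kept in a DB table and found again through a code carried by the emailed link, with no session involved). This is an added example, not part of the thread and not python-social-auth's code; the table, the function names and the sample data are hypothetical.

```python
import hashlib
import json
import secrets
import sqlite3
import time

# Hypothetical table and function names; not python-social-auth's schema or API.
SCHEMA = """CREATE TABLE partial (
    token_hash TEXT PRIMARY KEY,   -- only a hash of the link token is stored
    data       TEXT NOT NULL,      -- serialized pipeline state (JSON)
    expires_at REAL NOT NULL
)"""

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def save_partial(db, data, ttl=3600, now=None):
    """Persist pipeline state server-side; return the token for the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO partial VALUES (?, ?, ?)",
               (_digest(token), json.dumps(data), now + ttl))
    db.commit()
    return token

def resume_partial(db, token, now=None):
    """Return the stored state once, or None if unknown, expired or already used."""
    now = time.time() if now is None else now
    key = _digest(token)
    row = db.execute("SELECT data, expires_at FROM partial WHERE token_hash = ?",
                     (key,)).fetchone()
    if row is None:
        return None
    # Delete before returning so the link is single-use, even when expired.
    db.execute("DELETE FROM partial WHERE token_hash = ?", (key,))
    db.commit()
    if row[1] < now:
        return None
    return json.loads(row[0])

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    state = {"user_id": 42, "email": "user@example.com"}  # constructed sample
    token = save_partial(db, state, now=1000.0)
    first = resume_partial(db, token, now=1500.0)   # different device, no session
    replay = resume_partial(db, token, now=1500.0)  # same link clicked again
    late = resume_partial(db, save_partial(db, state, ttl=60, now=1000.0), now=2000.0)
    return first, replay, late, resume_partial(db, "guessed-token")
```

Because the email and user come from the stored row rather than from query parameters, the link only needs to carry the token, and a link that is replayed, expired or guessed resolves to nothing.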

@craig-hacklaunch

@omab thanks for your contribution to the community :). Your fix sounds like a good approach, I guess this will fix the problem for all partial pipelines that were using the session to dump their data to before.

@cmltaWt0
Contributor

@omab it is good news for everyone 😄 thank you for your contribution!

@a1Gupta

a1Gupta commented Oct 27, 2015

@omab Is it fixed now? @maxsocl Can you please share the solution/fork you are using? I was using this https://gist.github.com/SaneMethod/b30156a3705ce9e944cd#file-django-python-social-auth-monkey-py till now, but it fails if session_key gets deleted/changed in the database. Django updates session_key each time the session data changes. So in case any other user logs in the same browser the session_key gets changed and the user can't verify with the email link.

@annshress

Any updates for MissingParameterEmail?

@annshress

@dmaze your fix still gives me:

"error_messages": ["Password is None"]

6 participants