Confirm email/sms before update module

[ashtonian]

I think one additional confirm workflow that I think is missing is requiring email/sms confirmation before a user updates their email/sms.

Example flow for user:

• registered and confirmed user requests to change email
• email verification sent to new email
• user verifies email, and authboss updates related

I would like to create a module(confirm-email-update, confirm-sms-update) that addresses the above. Current plan is to start with a fork of the confirm module, but I wanted to check with you to see if there was anything I should know or advise you had?

[aarondl]

Hi @ashtonian.

It sounds like an interesting plan. I assume then that the confirm-email-update module as example would provide the ability to change a user's e-mail address (like a user edit) via various pages and html forms?

It's an interesting idea and I had pondered the notion for things we work on internally too, but decided to give it a pass mostly because of the handling of arbitrary forms is quite complex (as you can see from the register package) and I think that most user's edit pages will be quite complicated forms as well.

It's been expected that people write their own things for editing usernames/passwords/emails because these sorts of views are typically quite integrated with other pieces. There is utility to help people out in this endeavor: You can certainly use the same mailer interface to do confirmations, and there's a https://godoc.org/github.com/volatiletech/authboss#Authboss.UpdatePassword function to help maintain the same password functionality.

So currently updating is rather a bespoke thing, that's not to say that I think you shouldn't proceed, just wanted to give some background on how it was expected/designed originally.