We need to allow users to change their email. This is currently only allowed for admins. We need to verify the email. I propose that on email change we generate a new verification code and send it by email, like in registration. What we store in the User.confirmationCode field will be a combination of UUID+newEmail, and the confirmation link will contain the UUID, and will require the user to be logged in. On confirmation we check the UUID with the first part of User.confirmationCode (UUIDs have a fixed size) and change the User.email to the newEmail part.
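The proposed flow as a worked example (added here, not the project's code): `User`, the helper names and the constant-time comparison are assumptions for illustration; the UUID+newEmail encoding in `confirmationCode` and the prefix check follow the proposal above.

```python
"""Added example (not the project's own code): email-change confirmation
storing UUID+newEmail in User.confirmationCode, as proposed above.
The User class and helper names are assumptions for illustration."""
import hmac
import uuid
from dataclasses import dataclass
from typing import Optional

UUID_LEN = 36  # canonical UUID string (8-4-4-4-12 with hyphens) is fixed-size


@dataclass
class User:
    id: int
    email: str
    confirmationCode: Optional[str] = None


def request_email_change(user: User, new_email: str) -> str:
    """Generate a verification code, store UUID+newEmail on the user and
    return the UUID that goes into the emailed confirmation link."""
    code = str(uuid.uuid4())
    user.confirmationCode = code + new_email
    # In the real flow the link carrying `code` is sent to new_email here.
    return code


def confirm_email_change(user: User, code_from_link: str) -> bool:
    """Called by the logged-in user. Compares the link's UUID with the
    fixed-size prefix of confirmationCode and, on match, applies newEmail."""
    stored = user.confirmationCode
    if not stored or len(stored) <= UUID_LEN:
        return False  # no pending change, or nothing after the UUID
    stored_uuid, new_email = stored[:UUID_LEN], stored[UUID_LEN:]
    # Constant-time comparison on bytes, so a partially matching code
    # does not take a different amount of time to reject.
    if not hmac.compare_digest(stored_uuid.encode(), code_from_link.encode()):
        return False
    user.email = new_email
    user.confirmationCode = None  # single use: clear the pending change
    return True
```

Because the confirmation endpoint requires the user to be logged in, the UUID only has to match the code stored on that account; it never needs to identify the user on its own.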