eddyystop / feathers-service-verify-reset

Adds sign up email verification, forgotten password reset, and other capabilities to local feathers-authentication
MIT License

should the new email address be verified when 'emailChange'? #19

Closed beeplin closed 7 years ago

beeplin commented 7 years ago

Currently we only verify email address when users sign up. But when they call emailChange, the new email address isn't verified. Would this be a problem?

eddyystop commented 7 years ago

Thanks. I'll look into this when I'm free.

On Thu, Nov 10, 2016 at 5:38 AM, Beep LIN notifications@github.com wrote:

Currently we only verify email address when users sign up. But when they call emailChange, the new email address isn't verified. Would this be a problem?


eddyystop commented 7 years ago

There are 2 purposes to verifying a person's email on signup

Only the second concern exists on an email change. A wrong email addr does not prevent the user from signing on, nor from correcting the email addr.

So the question is whether the benefit is worth the added complexity? The complexity being (1) maybe even keeping both email addrs around until reverification, (2) it's awkward to ask the person to do something if they do not receive an email.

beeplin commented 7 years ago

My concern is that sometimes it is important to make sure the user is the real owner of the email address. For example, I signed up with my own email and then changed it to your email. Then when you want to sign up on the same website, you find your email is occupied. That would be frustrating.

eddyystop commented 7 years ago

I assume we keep both the old and new email addrs in the user item. The old one remains the current one until the new one is verified.

During verification, either isVerified === false && newEmail === undefined or isVerified === true && newEmail !== undefined and that determines what is to be done.
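The state check described in the comment above, as an added example (not code from feathers-service-verify-reset or from either commenter). The function names, the in-memory `users` array, and the `verifyTokenHash` / `verifyExpires` fields are assumptions; `isVerified` and `newEmail` are the fields named in the thread. It also re-checks address uniqueness at verification time, which covers the "occupied email" concern raised earlier.

```javascript
// Added example; hypothetical helpers, not the library's API.
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 60 * 60 * 1000; // assumed 1 hour token lifetime
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Start a change: user.email stays authoritative, the new address is only pending.
function requestEmailChange(user, newEmail, now = Date.now()) {
  if (!user.isVerified) throw new Error('current email not verified');
  const token = crypto.randomBytes(32).toString('hex');
  user.newEmail = newEmail.trim().toLowerCase();
  user.verifyTokenHash = sha256(token); // store only a hash of the token
  user.verifyExpires = now + TOKEN_TTL_MS;
  return token; // would be mailed to the NEW address, never shown to the session
}

// Interpret a token using the two states described in the thread.
function verify(users, user, token, now = Date.now()) {
  const expected = Buffer.from(user.verifyTokenHash || '', 'hex');
  const given = Buffer.from(sha256(String(token)), 'hex');
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return 'bad-token';
  }
  if (now > user.verifyExpires) return 'expired';

  let result;
  if (user.isVerified === false && user.newEmail === undefined) {
    user.isVerified = true; // sign-up verification
    result = 'signup-verified';
  } else if (user.isVerified === true && user.newEmail !== undefined) {
    // Re-check uniqueness now: the address may have been registered meanwhile.
    const taken = users.some((u) => u !== user && u.email === user.newEmail);
    if (taken) {
      result = 'email-taken';
    } else {
      user.email = user.newEmail; // ownership of the new address is proven
      result = 'email-changed';
    }
    user.newEmail = undefined;
  } else {
    return 'inconsistent-state';
  }
  user.verifyTokenHash = undefined; // tokens are single use
  user.verifyExpires = undefined;
  return result;
}
```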

beeplin commented 7 years ago

Yeah, this will work. Cool!

eddyystop commented 7 years ago

Now a duplicate of https://github.com/eddyystop/feathers-service-verify-reset/issues/18