hasgeek / lastuser

Lastuser has been merged into Funnel. This repository is archived.
https://hasgeek.com/
BSD 2-Clause "Simplified" License

verified_at date for UserEmail and UserPhone #178

Open jace opened 8 years ago

jace commented 8 years ago

The UserEmail model should have a verified_at or active_at datetime field that records the last time a message sent to this address was opened (especially if it's an explicit probe to confirm the address).

Auto-verified emails from Google, GitHub, etc. logins will have this field set to null, while a manually verified email (conversion from EmailClaim) will have it equal to created_at.

This field will be critical for use cases like identifying employer-linked email addresses that may have since expired – and preventing account access backdoors from such instances (password reset, automatic account merger based on shared email).

jace commented 8 years ago

Related to #135.

jace commented 7 years ago

UserPhone also needs a verified_at column as users may have a business-assigned phone number that gets reassigned to someone else when they switch jobs.

jace commented 6 years ago

mxsniff introduced a probe feature in 0.3.1 that can be used to confirm an email address is valid, without actually sending it an email. This can be used in a periodic automated sweep. It is unclear if probing will work at scale though, as mail servers may detect and block unusual behaviour if it crosses a threshold, risking accidentally blocking some email addresses.
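The `verified_at` semantics proposed in this issue, sketched as an added example that is not Lastuser's code or any participant's: a plain dataclass stands in for the `UserEmail` model, and a freshness check gates password reset and email-based account merge. The 365-day threshold, the helper names, and treating a null `verified_at` like a stale one are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: a confirmation older than this is treated as stale.
MAX_AGE = timedelta(days=365)


@dataclass
class UserEmail:
    """Plain stand-in for the model; not the Lastuser SQLAlchemy class."""
    email: str
    created_at: datetime
    verified_at: Optional[datetime] = None  # None: auto-verified via external login


def from_email_claim(email: str, now: datetime) -> UserEmail:
    """Manual verification (EmailClaim conversion): verified_at == created_at."""
    return UserEmail(email, created_at=now, verified_at=now)


def from_external_login(email: str, now: datetime) -> UserEmail:
    """Address vouched for by Google, GitHub etc.: verified_at stays null."""
    return UserEmail(email, created_at=now, verified_at=None)


def record_confirmation(ue: UserEmail, now: datetime) -> None:
    """Call when a message sent to the address is opened."""
    ue.verified_at = now


def recovery_action(ue: UserEmail, now: datetime, max_age: timedelta = MAX_AGE) -> str:
    """Decide whether the address may drive password reset or account merge."""
    # Assumption: a null verified_at is handled like a stale one.
    if ue.verified_at is None or now - ue.verified_at > max_age:
        return "reverify_first"
    return "send_reset"


if __name__ == "__main__":
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    work = from_email_claim("dev@employer.example", t0)
    print(recovery_action(work, t0 + timedelta(days=30)))
    print(recovery_action(work, t0 + timedelta(days=400)))
    record_confirmation(work, t0 + timedelta(days=400))
    print(recovery_action(work, t0 + timedelta(days=401)))
```

The same check would apply unchanged to a `UserPhone` record carrying its own `verified_at` column.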