Closed Sarthak-ONS closed 6 months ago
Implement OTP (One Time Password) functionality to solve this problem.
@Sarthak-ONS Doesn't that happen in every social media app? We might implement a check in the login controller: if the email is not verified, the user cannot log in. We also have forget password as an unsecured route specifically for this case; if the email is hijacked, they can get a forgot-password link in the registered email to reset the password. But to be efficient, it is needed to add the check of verified email for login, or we need to throw an error. What's your take on it, Sarthak? Feel free to share if you feel I am thinking in the right direction.
Can I work on this issue?
My approach will add one-time OTP verification before completing the signup process.
Have you gone through the user controller? One-time email verification is already there.
@Sarthak-ONS The point is valid, but then this demolishes the purpose of easy-to-access APIs in FreeAPI. If we restrict unverified emails from performing certain actions, then configuring a mailbox is a requirement for developers to go ahead with applications. Right now we are not focusing on robust security, as that might limit developers from quickly getting started with FreeAPI and can introduce friction as well.
Describe the bug
Suppose an account is registered with an email address, but not by its owner, and the verification email is also sent to that email address while registering. The real owner's email is used by another person, and the account is also unverified in the database. Now, whenever the real owner comes and registers, the account is already created for that owner.
To Reproduce
Just create an account with a different email, and you will be able to reproduce.
Expected behavior
An email is sent again to the user for verification after registration.
Screenshots
No response
OS
No response
OS Version
No response
Client
No response
Additional context or Information
No response