nodeSolidServer / node-solid-server

Solid server on top of the file-system in NodeJS
https://solidproject.org/for-developers/pod-server

Verify email upon email creation #855

Open megoth opened 6 years ago

megoth commented 6 years ago

In the case that users add their email address on account creation, we need to verify that address by sending them an email.

I didn't find any other issues on this, but please let me know if there are relevant issues connected to this.

melvincarvalho commented 6 years ago

I think some of the other servers do this already. So may be some reusable code or patterns.

dmitrizagidulin commented 6 years ago

From the conversation in Gitter: Are we sure we actually need to verify the user's email? The only reason it's a common pattern with other application providers is that they're building a mailing list (to send announcements and advertisements). We're not doing that (I'm assuming), and the only reason we ask for the email is for account recovery (so, it's a convenience for the user).

melvincarvalho commented 6 years ago

@dmitrizagidulin I totally see where this is coming from. One of my pet hates is a service that forces you to give up your email to use it. It makes you even more reliant on centralized mail services.

However, in practical terms, what happens when someone wants to delete their account? How do we verify it's them?

dmitrizagidulin commented 6 years ago

in practical terms, what happens when someone wants to delete their account? How do we verify it's them?

I think the idea is - if they don't control that email, they don't receive the link that lets them delete the account :)

melvincarvalho commented 6 years ago

@dmitrizagidulin to me that sounds reasonable in principle. But how then to garbage collect accounts without an email. People can get very irate when their name is on the web and they want it taken down immediately, and will blame you personally. I had this happen to me once at Christmas. Not nice.

melvincarvalho commented 6 years ago

gitter conversation here

https://gitter.im/solid/node-solid-server?at=5bbe0a92ae7be940163220ab

That makes sense to me.

The use case for email verification in the context of solid is not obvious.

megoth commented 6 years ago

Should we allow an alternative route to take if trying to delete an account that you haven't registered with an email? The whole point of the email is to make sure that a user doesn't accidentally delete an account because they were misled to /account/delete; so how to make sure of this if we cannot use email?

kjetilk commented 6 years ago

I think it is reasonable to verify the email if it is given. There could be abuse scenarios where people sign up someone with their email, then post something abusive, which could then engulf the victim in flames...

If we should require an email at signup is a different topic, I think. I don't have any strong opinions on that, but @timbl's suggestion was that we should remind the user that setting an email is probably a good idea, rather than require it.

melvincarvalho commented 6 years ago

@kjetilk it's a great point, but verifying email does not prevent claiming someone else's email after signup.

kjetilk commented 6 years ago

@kjetilk it's a great point, but verifying email does not prevent claiming someone else's email after signup.

Yeah, we should always verify a new email address.