openaustralia / righttoknow

Theme for, and issues specific to, Right To Know.
https://www.righttoknow.org.au/
MIT License

right to know allowed me to initiate sign up with an incomplete email address #829

Open katska opened 2 months ago

katska commented 2 months ago

See https://www.righttoknow.org.au/admin/users/8386

@benrfairless RTK allowed me to sign up for an email address without a complete email address - I accidentally didn't include .com!

pinkforest commented 2 months ago

One way to address this is to do signup by sending an e-mail and authenticating it using DKIM, bypassing all "register" friction.

I built a data pipeline for my open source meetup.com displacer that works entirely via e-mails for RSVPs etc.

Spammers typically don't operate proper e-mail infrastructure, and "grey rocking" works on them, making it more computationally expensive to register accounts with valid e-mails.

This way anyone who registers sends an e-mail using modern e-mail infrastructure and then the account can be created for them to access without any further friction other than sending an e-mail.

If interested I can PoC it for you.

benrfairless commented 2 months ago

This is really weird, and is (possibly) an upstream issue.

Alaveteli doesn't appear to be doing email address validation properly when a user signs up.
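As an added illustration of the gap discussed in this issue (example code, not from Right To Know or Alaveteli): a permissive "something@something" pattern accepts the address that was typed without its `.com`, while a check that requires a dotted domain with an alphabetic top-level label rejects it with a reason the sign-up form can show. The module name, regexes and reason symbols are my own; a syntactic check still does not prove the mailbox exists, so it complements rather than replaces the confirmation e-mail.

```ruby
# Added example for the Right To Know sign-up issue; not project code.
module SignupEmailCheck
  # The failure mode from the issue: any "local@host" passes this pattern,
  # including "katska@example" typed instead of "katska@example.com".
  PERMISSIVE = /\A[^@\s]+@[^@\s]+\z/

  # A DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
  LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i
  # Stricter: exactly one "@", at least one dotted label, then an alphabetic
  # top-level label of 2-63 characters (so "example" alone is rejected).
  STRICT = /\A[^@\s]+@(?:#{LABEL}\.)+[a-z]{2,63}\z/i

  def self.permissive?(address)
    PERMISSIVE.match?(address.to_s.strip)
  end

  # Returns [ok, reason]; reasons are constructed symbols a form can map
  # to a message such as "your address seems to be missing its domain ending".
  def self.check(raw)
    address = raw.to_s.strip.downcase            # normalise before checking
    local, domain, extra = address.split('@')
    return [false, :missing_at] if domain.nil? || local.empty?
    return [false, :multiple_at] unless extra.nil?
    return [false, :no_tld] unless domain.include?('.')
    return [false, :bad_syntax] unless STRICT.match?(address)
    [true, :ok]
  end
end

# Constructed sample addresses; the first is the case from the issue.
if __FILE__ == $PROGRAM_NAME
  ['katska@example', 'katska@example.com', 'katska@example..com', 'katska.example.com'].each do |a|
    puts format('%-22s permissive=%-5s strict=%s', a, SignupEmailCheck.permissive?(a), SignupEmailCheck.check(a).inspect)
  end
end
```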