ordercloud-api / ngx-shopper

Open-source B2B e-commerce. Built with the OrderCloud.io API and maintained by the OrderCloud team
MIT License

Account Creation: email verification #249

Open bhickey77 opened 6 years ago

bhickey77 commented 6 years ago

Proposed change to require emails to be verified by users when they create accounts. This feature will primarily be relevant for the buyer application in B2C sites when buyers are creating accounts. Essentially I believe that we should be verifying that buyers, among all users, control the emails that are in our systems.

Why this is important:
1) Malicious accounts: someone could create accounts with emails which they do not control. Certain applications may use an email address as a username. Usernames are required to be unique, so this would prevent the actual holder of that email from registering an account.
2) Mistakes: a typo could prevent someone with a similar email from being able to register. Additionally, lots of sensitive information and PPI can be sent to email addresses. If someone has mistyped their email address, an unknown party could receive this sensitive information, for example: https://www.forbes.com/sites/ianmorris/2017/08/01/when-companies-dont-verify-email-addresses-this-is-what-happens/#449d7508148e

How it might work:
1) Upon submission of a registration form, a user will be asked to go check their email.
2) They will have received an email from the site with a signed link which will verify the user upon hitting that URL, or they will have received a verification code which can be entered on a verification page.
3) (In this second scenario, the user will be forwarded to the verification page upon registration submission and/or there will be a link to the verification page in the email.)
4) In either case, the user will ideally be automatically signed in upon verification.
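As an added example (not code from ngx-shopper or from the issue author), one way a server could issue and check the signed link from step 2: an HMAC over the email, an expiry and a nonce, compared in constant time and rejected once expired or already used. The secret, TTL and in-memory nonce store are constructed values for the example; a real deployment would load the key from configuration and persist spent nonces.

```typescript
import { createHmac, timingSafeEqual, randomBytes } from "crypto";

// Assumption: a server-side secret key; this is a constructed example value.
const SERVER_SECRET = Buffer.from("constructed-example-secret-do-not-reuse");
const TOKEN_TTL_MS = 60 * 60 * 1000; // verification links expire after one hour

// Nonces of links already used, so each link verifies at most once (in-memory here).
const usedNonces = new Set<string>();

function sign(payload: string): string {
  return createHmac("sha256", SERVER_SECRET).update(payload).digest("base64url");
}

// Builds the token placed in the emailed link. Email, expiry and nonce are all
// covered by the MAC, so none of them can be altered without detection.
function createVerificationToken(email: string, nowMs: number = Date.now()): string {
  const payload = Buffer.from(
    JSON.stringify({ email, exp: nowMs + TOKEN_TTL_MS, nonce: randomBytes(16).toString("hex") })
  ).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Returns the verified email, or null if the token is malformed, forged,
// expired or has already been used.
function verifyToken(token: string, nowMs: number = Date.now()): string | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Constant-time comparison: the MAC check must not leak timing information.
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  let data: { email: string; exp: number; nonce: string };
  try {
    data = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof data.exp !== "number" || nowMs > data.exp) return null;
  if (typeof data.nonce !== "string" || usedNonces.has(data.nonce)) return null;
  usedNonces.add(data.nonce);
  return data.email;
}
```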