Open vishalka98 opened 6 years ago
Great catch. Thanks
@jywarren email can be changed to anything. Users can also log in with the incorrect email. Please take a look.
@vishalka98 great
I think this would be a great project to plan out. What systems could we plan out to address this?
Could we send an email validation when you try to change your email? Would we use a token? Would it expire?
Thanks!
Yes, same as we did on sign up
@vishalka98 Add code links
Correct answer @igniteeng000.
@vishalka98 @jywarren @igniteeng000 I would like to work on this. Please assign me this.
Hi! Assigning is not necessary -- please go ahead now that you've claimed it, and THANK YOU!!!!! :-)
On Mon, Oct 1, 2018 at 2:30 AM aashna27 notifications@github.com wrote:
@vishalka98 https://github.com/vishalka98 @jywarren https://github.com/jywarren @igniteeng000 https://github.com/igniteeng000 I would like to work on this. Please assign me this.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/publiclab/plots2/issues/3522#issuecomment-425802255, or mute the thread https://github.com/notifications/unsubscribe-auth/AABfJ6SbB5-cTlflkaslBDMOI_-YZcAIks5ugbZUgaJpZM4W-Nhk .
Hi everyone - this is a relatively complex multi-part issue which could use some planning and breaking up into smaller pieces. Please think about how we might take an initial step. We have a welcome email that's sent - could we require email validation using a link included there? How might we generate a unique secret token that'd be included in that validation link?
Thank you!
Just wanted to give my views on this issue. :)
I can think of two ways to fix it:
1. We create a new model in the project called `EmailVerification`. In this model, we can have the following fields:
   a) foreign key to `email_id` object of the `user` model
   b) randomly generated token string which will be sent to the user in the link
   c) `is_active` - so that the token can be only used once and we will make it false after the user changes his/her password.
   We can use some cronjob to remove the old entries every week. Otherwise the table might get quite large with time.
2. In this case we will use some secret key. We will encrypt the JSON `{ "email": email_id, "current_timestamp": current_timestamp }` with some secret key and send it to the user. The user won't be able to see or modify the data because both operations would require the secret key.
   When the user opens the link, we will try to decrypt the data. After decryption, we will have the `email_id` and timestamp values. From the email, we can identify the user uniquely. From the timestamp we can make sure that the link was generated within the last 24 hours and then let the user change the password. Though the downside is that the link can be used multiple times within that time frame, i.e. 24 hours. To prevent this, we can store the encrypted data into some temporary data store like redis/memcached with an expiry time? I think no caching db is being used right now (correct me if I'm wrong). Sooner or later we will require that in this project. So maybe it's a good opportunity to introduce it.
I personally like second approach.
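Added illustration (not plots2 code, and not part of the comment above) of the second approach, which also covers the unique secret token and expiry that jywarren asked about earlier in the thread. The payload `{"email": ..., "current_timestamp": ...}` is encrypted with AES-256-GCM; that cipher choice, the 32-byte key from `SecureRandom`, the `EmailVerifier` class name and the in-memory Hash standing in for redis/memcached are all my assumptions, since the comment only says "encrypt with some secret key".

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Added example, not plots2 code: an email-change verification token built the
# way the second approach describes. AES-256-GCM gives both secrecy and an
# integrity tag, so the user can neither read nor alter the payload. A store of
# issued tokens (a plain Hash here, standing in for redis/memcached with an
# expiry) makes each link single-use.
class EmailVerifier
  TOKEN_TTL = 24 * 60 * 60 # seconds: the 24-hour window from the comment
  IV_LEN = 12              # GCM nonce length
  TAG_LEN = 16             # full GCM tag; anything shorter is rejected

  # key:   32 random bytes kept server-side (e.g. SecureRandom.random_bytes(32))
  # store: token digest => expiry time; stand-in for a cache with TTL
  # clock: injectable so expiry can be tested without sleeping
  def initialize(key, store: {}, clock: -> { Time.now.to_i })
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    @key = key
    @store = store
    @clock = clock
  end

  # Builds the opaque token that goes into the verification link.
  def issue(email)
    payload = JSON.generate('email' => email, 'current_timestamp' => @clock.call)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv # fresh nonce per token; GCM must never reuse one
    cipher.auth_data = ''
    ciphertext = cipher.update(payload) + cipher.final
    token = Base64.urlsafe_encode64(iv + ciphertext + cipher.auth_tag, padding: false)
    # Only a digest of the token is stored, so a leaked store yields no usable links.
    @store[digest(token)] = @clock.call + TOKEN_TTL
    token
  end

  # Returns the verified email address, or nil if the token is malformed,
  # tampered with, older than TOKEN_TTL, or has already been used.
  def consume(token)
    raw = Base64.urlsafe_decode64(token)
    return nil if raw.bytesize < IV_LEN + TAG_LEN
    iv = raw.byteslice(0, IV_LEN)
    tag = raw.byteslice(raw.bytesize - TAG_LEN, TAG_LEN)
    ciphertext = raw.byteslice(IV_LEN, raw.bytesize - IV_LEN - TAG_LEN)

    decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    decipher.key = @key
    decipher.iv = iv
    decipher.auth_tag = tag # final raises CipherError if tag or ciphertext were altered
    decipher.auth_data = ''
    plain = decipher.update(ciphertext) + decipher.final
    payload = JSON.parse(plain.force_encoding('UTF-8'))

    now = @clock.call
    return nil unless payload['current_timestamp'].is_a?(Integer)
    return nil if now - payload['current_timestamp'] > TOKEN_TTL
    # Single use: the first successful consume removes the store entry.
    expiry = @store.delete(digest(token))
    return nil if expiry.nil? || expiry < now
    payload['email']
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end
end

if __FILE__ == $PROGRAM_NAME
  verifier = EmailVerifier.new(SecureRandom.random_bytes(32))
  link_token = verifier.issue('someone@example.com') # constructed sample address
  puts "first use:  #{verifier.consume(link_token).inspect}" # "someone@example.com"
  puts "second use: #{verifier.consume(link_token).inspect}" # nil
end
```

The store lookup happens only after the tag has been checked, so a forged or expired token never touches the cache, and the 24-hour check inside the payload still holds even if the cache loses its entries early.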
I'm working on breaking up this issue and will create new ones by tomorrow.
Wow, awesome, and many thanks!
Please describe the problem (or idea)
On updating the profile page, email validation is not working.
Email validation should occur while changing email in edit profile
Please show us where to look
https://publiclab.org/profile/"username"/edit
What's your PublicLab.org username?
caiptanamerica234
Browser, version, and operating system
windows 10-chrome
Thank you!
Your help makes Public Lab better! We deeply appreciate your helping refine and improve this site.
To learn how to write really great issues, which increases the chances they'll be resolved, see:
https://publiclab.org/wiki/developers#Contributing+for+non-coders