rbarman / OneMomentPlease

The beginning of something great.
http://your-moment-today.herokuapp.com/

Email Verification #3

Open rbarman opened 9 years ago

rbarman commented 9 years ago

Users can create an account with any email.

Nodemailer npm (https://www.npmjs.com/package/nodemailer) provides a very easy way to send emails.

The general idea is there would be some /Verification endpoint. We send an email with a link to omp.com/Verification/*** where * is some unique key associated with the user. User clicks on that link and server must handle a post to /Verification, check if the key is correct, and change the user to be verified / create the account.

What do you think? This is not an urgent thing now but we should think of this for the future.

pranavpunjabi commented 9 years ago

Let me look into verification tonight! Also, we want that verification link to expire within a time-frame(say 24 hrs) for security purposes. I'll work on this.

Another thing that I noticed is a problem with the toast in the LogIn page. Try closing the toast by pressing (x) and tell me if you observe a weird behaviour!

rbarman commented 9 years ago

Alright cool. I like the idea of an expiration. 24 hours seems reasonable.

Nodemailer (https://www.npmjs.com/package/nodemailer) is pretty easy to use, the example given is pretty straightforward. However you may want to create a new email to send the emails because you don't want your email password on this public repo.

And I'll check out the toast right now.

rbarman commented 9 years ago

As of https://github.com/rbarman/OneMomentPlease/commit/58d63f3a63e2e9274ff64064243c3e4fc1dd1b13 ... You can go to http://127.0.0.1:5000/#/Verify/*** where * is the unique key specified in the emailed url and see the unique key appear on the page.

You will need to have the server accept a POST to /Verify. req.body.verificationCode will contain the unique code. Based on the validity of the code you will need create an account or not.

Let me know if you have any questions.

pranavpunjabi commented 9 years ago

Sure! I'll look into this really soon and let you know the progress!

pranavpunjabi commented 9 years ago

Email verification created on a separate branch. Generates random tokens and tries to send email. 'Auth Error' in sending emails but verification can be done by copying the sent link and pasting in browser.

Possible error in nodemailer module. Trying other modules as well.

rbarman commented 9 years ago

You get an auth error most likely because of this

var nodemailer = require('nodemailer');

// nodemailer 0.x transport syntax; the placeholder strings below must be
// replaced with real credentials (ideally read from the environment, not committed).
var smtpTransport = nodemailer.createTransport("SMTP",{
    service: "Gmail",
    auth: {
        user: "Your Gmail ID",
        pass: "Gmail Password"
    }
});

You need to enter a valid username and password.

Also I see that you set a random number for the verification code. This way could work but you would have to store it for that user. A global value will not work if multiple users are signing up. Alternative way would be just to hash the user's email and set that as the verification code.

pranavpunjabi commented 9 years ago

I wrote user and pass fields as "Your Gmail ID" and "Gmail Password" to prevent disclosing our credentials on github. When we have a company ID for sending emails and a private repo, I would replace this.

In the meantime, while I put in my credentials, Google blocks sign-in due to security reasons and generates an "auth error". And yeah.. I realize it's not due to node-mailer. Just need to change settings.

For ID generation, random number is temporary. I eventually plan to use UID generator for node.

Also, let me know how do I view nodes in GrapheneDB??

pranavpunjabi commented 9 years ago

It works now!! Changed Gmail authorization settings. Check your email for sample verification.

rbarman commented 9 years ago

I got the email. To see the nodes, log on to graphenedb, choose the db, launch the Neo4j web interface, in their terminal enter this query : "match(n) return n"

pranavpunjabi commented 9 years ago

Cool! Will merge with master branch today!

rbarman commented 9 years ago

alright cool. Make sure you don't add the email_verification folder into master.

pranavpunjabi commented 9 years ago

Tasks Completed:

  1. Generating UUID
  2. Sending email
  3. Redirecting to verification link
  4. Setting isVerified field to true on success

To be done:

  1. Workaround for gmail, mymail emails
  2. Add expiry time to verificationCodes

rbarman commented 9 years ago

I don't think we can use Yandex for emailing. I sent myself a simple plaintext email and it was marked as spam from gmail ...

pranavpunjabi commented 9 years ago

Let me look into generating a fake email path. It would look like we sent from 1momentplease.com but the service used would be gmail.

rbarman commented 9 years ago

I changed to Mailgun (https://github.com/rbarman/OneMomentPlease/commit/f3e3f3e6ef0740b4a81db8ca4c948a01423c2252) and now I can see the email in my gmail account.

The user will see 'OMP@omp.com via mailgun.org' in the from field.

pranavpunjabi commented 9 years ago

Can the from field be changed to anything? If yes, let's make it noreply@omp.com

rbarman commented 9 years ago

Yea the from field can be changed to anything. So all that is left is expiration.

rbarman commented 9 years ago

Here is one way to handle expiration:

  1. When processing a POST to /SignUp we append the current time to the verificationCode we send in the url. We know UUID provides some sense of time stamp but we don't know how to decode it.
  2. When the server gets a POST to /Verify, get the current time
  3. Compare the current time to the time indicated on our timestamp provided in the verificationCode of the request body.
  4. If the time difference is less than a day, continue to search for that verification code among non verified users in the db. Else let the user know that the url is expired.

You mentioned that expiration could be done with mongodb, but I don't think there is such a thing in neo4j, so we will have to do this directly in node.