thombruce / credible-ruby-archived

JWT and API Token Authentication for Rails apps
MIT License

Account Confirmation Should Be Meaningful #34

Open thombruce opened 4 years ago

thombruce commented 4 years ago

At the moment, when a user signs up, a confirmation email is delivered if email is configured for the app...

...but this is meaningless, as lack of confirmation does not invalidate the account after a given amount of time.

How should this be handled?

Rolify could be used to provide a global banned/expired role. But actually no, you're making this more complicated than it needs to be...

Simply check for confirmed_at against created_at upon login, and do not provide a token if this check fails.

This is another example of something that could/should be admin configurable.

thombruce commented 4 years ago

Give the user 24 hours. Do not destroy the account after this time, in case of issues with email, but do disable the account after 24 hours...

Interesting aside: You could do this with the refresh token expiry time. IF UNCONFIRMED exp = 24hrs since signUp ELSE 14 days. That might be a thought...
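The two ideas above, the login-time check of `confirmed_at` against `created_at` with a 24-hour grace period and the refresh-token expiry variant (24 hours from sign-up while unconfirmed, otherwise 14 days), as an added example that is not code from the credible-ruby project. It is plain Ruby with a `Struct` standing in for the Rails user model; the attribute names `created_at` and `confirmed_at`, the `issue_token` and `refresh_token_expiry` helpers, and the token hash shape are assumptions for illustration.

```ruby
# Added example: unconfirmed-account handling as discussed in the issue.
# Not part of credible-ruby; User is a stand-in for the Rails model.
require 'time'

CONFIRMATION_GRACE    = 24 * 60 * 60       # 24 hours, as proposed in the issue
REFRESH_TTL_CONFIRMED = 14 * 24 * 60 * 60  # 14 days for confirmed accounts

# Assumed attribute names; a Rails model would expose the same columns.
User = Struct.new(:email, :created_at, :confirmed_at, keyword_init: true) do
  def confirmed?
    !confirmed_at.nil?
  end

  # The account is disabled (not destroyed) once it has stayed unconfirmed
  # for longer than the grace period measured from created_at.
  def disabled_at?(now)
    !confirmed? && (now - created_at) > CONFIRMATION_GRACE
  end
end

# Refresh-token expiry per the "interesting aside": an unconfirmed account's
# token expires exactly 24h after sign-up, so the token itself carries the
# deadline; a confirmed account gets the normal 14-day window from now.
def refresh_token_expiry(user, now: Time.now)
  if user.confirmed?
    now + REFRESH_TTL_CONFIRMED
  else
    user.created_at + CONFIRMATION_GRACE
  end
end

# Login check: returns a token payload, or nil when no token may be issued.
# Both rules are applied: the explicit disabled check and a guard that an
# already-expired token is never handed out (they agree, but the guard keeps
# the two paths from drifting apart if either constant is made configurable).
def issue_token(user, now: Time.now)
  return nil if user.disabled_at?(now)

  exp = refresh_token_expiry(user, now: now)
  return nil if exp <= now

  { sub: user.email, exp: exp.to_i, confirmed: user.confirmed? }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts for a stand-alone run.
  signed_up = Time.utc(2020, 1, 1, 0, 0, 0)
  fresh = User.new(email: 'fresh@example.test', created_at: signed_up, confirmed_at: nil)
  stale = User.new(email: 'stale@example.test', created_at: signed_up, confirmed_at: nil)
  done  = User.new(email: 'done@example.test',  created_at: signed_up,
                   confirmed_at: signed_up + 600)

  p issue_token(fresh, now: signed_up + 3600)                   # token, exp = sign-up + 24h
  p issue_token(stale, now: signed_up + CONFIRMATION_GRACE + 1) # nil: disabled
  p issue_token(done,  now: signed_up + 30 * 24 * 3600)         # token, exp = now + 14d
end
```

Whichever variant is chosen, the same check has to run on the refresh endpoint as well as on login, otherwise a token minted an hour after sign-up keeps an unconfirmed account alive past the deadline; encoding the deadline into `exp` as in the aside is what makes that automatic.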