User flow with email verification
I have a very weird user flow question. I have an account creation system that when a user signs up, they are sent to their home page but they have no access to the main functionality of the site until they verify their email. However, my email changing system requires an email to be sent to the current one and then another one to the new email to verify it. So how can I do this properly without any security vulnerabilities?
8 Replies
The reason I ask this question is because I don't know what to do if a user signs up but they accidentally put the wrong email address. Now they are stuck with an account they can't delete (the delete system also sends an email to their current address).
And now the random person who got the email (if the SMTP request didn't fail) is sitting there confused.
I am not a security expert so take what I say with a grain of salt, but in my opinion it's a multi-step process:
1. Have the user submit a change of email request
2. Mark their user account in your DB as "awaiting authorization" somehow
3. Send a "did you authorize this email change?" email to the current email on file with a link to verify
4. When they click the link, mark their user account as "initial authorization"
5. Send a "do you really want to change your email address?" email to the new address with a special link to authorize
6. Update the finalized email address in your database to the new, fully authorized email address
I think I may not have been as clear as I should have been (or I am completely misunderstanding what you just said). I have a system to change email that works great if both emails exist and are owned by the same person. However, if someone signs up to my site but made a typo in the email address field, then what?
If they accidentally signed up with a wrong email then there's really nothing to do. The wrong email will get a message about "welcome to [New Platform of Awesome]" and delete it, assuming it's spam. And you said the actual user won't have access to anything until they verify their email, right? So no verification means there's nothing done that will be lost, so they just sign up again with the correct email address.
Yes, that is true, but I don't want an extraneous user sitting in my database if I don't need one.
So unless they're registering a unique username or something there shouldn't be any issues with just re-registering with the correctly-spelled email
But if there is something unique in the registration…don't? Or have like a 1hr "use it or lose it" for the registration information
Yeah, you can periodically clean the DB by removing users that haven't verified their email address in [amount of time]. Even 24hrs should be sufficient. Most people click on that activation email within minutes of trying to sign into a new platform.
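The two ideas in this thread, the six-step double-confirmation flow for changing an address (confirm from the current address first, then from the new one) and the periodic purge of accounts that never verified, fit together in one small state machine. The following is an added example written for this thread, not code from any poster; the `AccountStore` class, its in-memory dictionaries, the 24-hour token lifetime and the `outbox` list that stands in for SMTP delivery are all assumptions made for the illustration. Tokens are single-use, bound to one user and one purpose, time-limited, and stored only as hashes, so a leaked table does not hand out working links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 24 * 3600  # seconds; assumed lifetime for verification links and unverified accounts


def _hash(token: str) -> str:
    # Store only a digest of the token: a dumped table must not yield live links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    email: str
    verified: bool = False
    created_at: float = 0.0
    # Pending-change state: None, "awaiting_current" (step 2) or "awaiting_new" (step 4)
    change_state: Optional[str] = None
    pending_email: Optional[str] = None


class AccountStore:
    """Hypothetical in-memory account store; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.users: dict[str, User] = {}  # user id -> User
        # token hash -> (user id, purpose, expiry timestamp)
        self.tokens: dict[str, tuple[str, str, float]] = {}
        # (recipient, purpose, raw token); a stand-in for the SMTP send
        self.outbox: list[tuple[str, str, str]] = []

    def _issue(self, user_id: str, purpose: str, to_email: str) -> None:
        token = secrets.token_urlsafe(32)
        self.tokens[_hash(token)] = (user_id, purpose, self.now() + TOKEN_TTL)
        self.outbox.append((to_email, purpose, token))

    def _consume(self, token: str, user_id: str, purpose: str) -> bool:
        # pop() makes every link single-use, even if validation then fails
        entry = self.tokens.pop(_hash(token), None)
        if entry is None:
            return False
        uid, tok_purpose, expires = entry
        return uid == user_id and tok_purpose == purpose and self.now() <= expires

    def signup(self, user_id: str, email: str) -> None:
        self.users[user_id] = User(email=email, created_at=self.now())
        self._issue(user_id, "verify_signup", email)

    def verify_signup(self, user_id: str, token: str) -> bool:
        if not self._consume(token, user_id, "verify_signup"):
            return False
        self.users[user_id].verified = True
        return True

    # Step 1 + 2: record the request, mail the *current* address first.
    def request_email_change(self, user_id: str, new_email: str) -> bool:
        u = self.users[user_id]
        if not u.verified:  # unverified accounts simply re-register instead
            return False
        u.change_state, u.pending_email = "awaiting_current", new_email
        self._issue(user_id, "change_confirm_current", u.email)
        return True

    # Step 3 + 4: link from the current address clicked; now mail the new address.
    def confirm_from_current(self, user_id: str, token: str) -> bool:
        u = self.users[user_id]
        if u.change_state != "awaiting_current" or not self._consume(token, user_id, "change_confirm_current"):
            return False
        u.change_state = "awaiting_new"
        self._issue(user_id, "change_confirm_new", u.pending_email)
        return True

    # Step 5 + 6: link from the new address clicked; finalize the change.
    def confirm_from_new(self, user_id: str, token: str) -> bool:
        u = self.users[user_id]
        if u.change_state != "awaiting_new" or not self._consume(token, user_id, "change_confirm_new"):
            return False
        u.email, u.pending_email, u.change_state = u.pending_email, None, None
        return True

    # The periodic cleanup job: drop accounts that never verified within max_age.
    def purge_unverified(self, max_age: float = TOKEN_TTL) -> list[str]:
        cutoff = self.now() - max_age
        stale = [uid for uid, u in self.users.items() if not u.verified and u.created_at < cutoff]
        for uid in stale:
            del self.users[uid]
        self.tokens = {h: t for h, t in self.tokens.items() if t[0] not in stale}
        return stale
```

Because a mistyped signup address never verifies, the same purge that keeps the table tidy also quietly retires the orphaned account and invalidates the link sitting in the stranger's inbox; no delete-confirmation email to the wrong address is ever needed.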
Ok. That sounds like it would work. Thanks for the help!
Of course! 👍