Email validation is not working on edit profile page #3522

Open
vishalka98 opened this issue Sep 28, 2018 · 13 comments
Labels
add-code-links; break-me-up (break up for cleaner code separation, discrete tests, and, easier and iterative collaboration); enhancement (explains that the issue is to improve upon one of our existing features); help wanted (requires help by anyone willing to contribute); more-detail-please (issue lacks proper description and perhaps needs code links or the location of the problem); security

Comments

@vishalka98
Contributor

vishalka98 commented Sep 28, 2018

Please describe the problem (or idea)

On updating the profile page, email validation is not working.

What happened just before the problem occurred? Or what problem could this idea solve?

What did you expect to see that you didn't?
emil

Email validation should occur while changing email in edit profile

Please show us where to look

https://publiclab.org/profile/"username"/edit

What's your PublicLab.org username?

caiptanamerica234

This can help us diagnose the issue:

Browser, version, and operating system

Windows 10 - Chrome

Many bugs are related to these -- please help us track it down and reproduce what you're seeing!


Thank you!

Your help makes Public Lab better! We deeply appreciate your helping refine and improve this site.

To learn how to write really great issues, which increases the chances they'll be resolved, see:

https://publiclab.org/wiki/developers#Contributing+for+non-coders

@igniteeng000
Member

Great catch. Thanks

@igniteeng000
Member

@jywarren email can be changed to anything. Users can also log in with the incorrect email. Please take a look.

@avsingh999
Member

@vishalka98 great

@jywarren
Member

I think this would be a great project to plan out. What systems could we plan out to address this?

Could we send an email validation when you try to change your email? Would we use a token? Would it expire?

Thanks!

@jywarren added the enhancement, help wanted, break-me-up, more-detail-please, security and add-code-links labels Sep 28, 2018

@igniteeng000
Member

Yes, same as we did on sign up

@igniteeng000
Member

@vishalka98 Add code links

@vishalka98
Contributor Author

Correct answer, @igniteeng000.

@aashna27
Contributor

aashna27 commented Oct 1, 2018

@vishalka98 @jywarren @igniteeng000 I would like to work on this. Please assign me this.

@jywarren
Member

jywarren commented Oct 1, 2018 via email

@jywarren
Member

Hi everyone - this is a relatively complex multi-part issue which could use some planning and breaking up into smaller pieces. Please think about how we might take an initial step. We have a welcome email that's sent - could we require email validation using a link included there? How might we generate a unique secret token that'd be included in that validation link?

Thank you!

@Radhikadua123
Contributor

Just wanted to give my views on this issue. :)

I can think of two ways to fix it:

1. Requires saving tokens in DB

We create a new model in the project called EmailVerification. In this model, we can have the following fields:

a) foreign key to `email_id` object of the `user` model
b) randomly generated token string which will be sent to the user in the link
c) is_active - so that the token can only be used once; we will make it false after the user changes his/her password.

We can use some cronjob to remove the old entries every week. Otherwise table might get quite large with time.

2. Doesn't require saving tokens in DB

In this case we will use some secret key. We will encrypt the JSON

{ "email": email_id, "current_timestamp": current_timestamp }

with some secret key and send it to the user. The user won't be able to see and modify the data because both operations would require the secret key.

When the user opens the link, we will try to decrypt the data. After decryption, we will have the email_id and timestamp values. From the email, we can identify the user uniquely. From the timestamp, we can make sure that the link was generated within the last 24 hours and then let the user change the password. The downside, though, is that the link can be used multiple times within that time frame, i.e. 24 hours. To prevent this, we can store the encrypted data in some temporary data store like redis/memcached with an expiry time? I think no caching DB is being used right now (correct me if I'm wrong). Sooner or later we will require that in this project. So, maybe it's a good opportunity to introduce it.

I personally like the second approach.
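
The second approach from the comment above (encrypted JSON, a 24-hour window, and a temporary store to block reuse), as an added example; it is not code from the project or from any participant in this thread. `EmailChangeToken` is a hypothetical class, AES-256-GCM from Ruby's OpenSSL is an assumed cipher choice, and a plain Hash stands in for redis/memcached.

```ruby
require "openssl"
require "json"
require "base64"

# Hypothetical helper (not project code): stateless email-change tokens.
class EmailChangeToken
  MAX_AGE = 24 * 60 * 60 # seconds; the 24-hour window from the comment

  # key: 32 secret bytes kept server-side, e.g. SecureRandom.random_bytes(32).
  # used_store: Hash standing in for redis/memcached entries with expiry.
  def initialize(key, used_store = {})
    @key = key
    @used = used_store
  end

  # Encrypts {"email", "current_timestamp"}; layout is iv(12) | tag(16) | body.
  def issue(email, now = Time.now.to_i)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = cipher.random_iv
    payload = JSON.generate("email" => email, "current_timestamp" => now)
    body = cipher.update(payload) + cipher.final
    Base64.urlsafe_encode64(iv + cipher.auth_tag + body, padding: false)
  end

  # Returns the email if the token is authentic, fresh and unused; else nil.
  def redeem(token, now = Time.now.to_i)
    raw = Base64.urlsafe_decode64(token)
    return nil if raw.bytesize <= 28
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = raw[0, 12]
    cipher.auth_tag = raw[12, 16]
    plain = cipher.update(raw[28..-1]) + cipher.final # raises if tampered
    data = JSON.parse(plain.force_encoding("UTF-8"))
    age = now - data["current_timestamp"]
    return nil if age.negative? || age > MAX_AGE
    @used.delete_if { |_, expires_at| expires_at <= now } # purge old entries
    return nil if @used.key?(token)                       # replay in window
    @used[token] = data["current_timestamp"] + MAX_AGE
    data["email"]
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end
```

Because GCM authenticates the ciphertext, a modified token fails at `cipher.final` before any field is read; the used-token entry only needs to live as long as the token's own validity window.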

@Radhikadua123
Contributor

Radhikadua123 commented Oct 25, 2018

I'm working on breaking up this issue and will create new ones by tomorrow.

@jywarren
Member

jywarren commented Oct 25, 2018 via email
