Reputation: 3034
What is the workflow for a secure 'verify by email' system?
I am thinking of a forum type system that will allow users to post/edit posts without an account but through e-mail verification.
So, you would fill out the form, supply email address, submit, and then receive a link in an email that would 'activate' your post. Same thing to edit. Click 'edit', receive email with link, link takes you to edit form.
I'm trying to understand the exact steps to securely do this. How do I create a link that will expire after some time period? How do I ensure it is coming from the email address and not just some bot cycling through potential url's?
Any help to get started in the right direction is appreciated.
I am using Python, flask, Postgres on Heroku.
Upvotes: 12
Views: 3687
Answers (1)
Reputation: 33309
Since you are using flask, you might want to look at itsdangerous library:
https://itsdangerous.palletsprojects.com/en/2.0.x/
Using itsdangerous, the workflow could be something like:
- User enters the email and post.
- Generate the secure link using
itsdangerousmodule which can be tied to the specific email - Once the user receives the email and the specific URL as generated in step 2, they can click on it to confirm the post. You could even add an extra layer of check when the user clicks this URL where you could ask them to enter their email address again and then match it against the email tied to the URL.
Upvotes: 16
Related Questions
- Email verification in Django
- Preventing verification email trolling
- Email verification with flask-mail
- Flask Webapp - Verify Email after Registration - Best Practice
- Email Verification Check
- Implementation of e-mail verification in Django
- Flask Security - Send confirmation email?
- How do you verify an email via javascript or django?
- Python: using smtplib to verify emails
- How to send out verification emails safely?