Please review my (basic) approach to user email verification
- After successful user registration, the session is created via session cookie and the account is marked as unverified.
- A universally unique 128-long random string is created using node's `crypto` (see below). The length effectively makes brute forcing impossible.
- The token is stored in a DB along with the user's ID and given a TTL of 24 hours. Redis is a good choice as it is considered to be ephemeral data and does not need to be stored in the main DB (in my case, SQL).
- The token is emailed to the user's given email address as a link. The param `token={token}` is the only param given.
- When the server receives the GET request from the link being clicked, it looks up the given token in the DB using the token from the GET request and the user's ID from the session. If not found or expired, a message is returned to the user stating it is not found and suggesting creating a new token. If found, update the user record of that user ID to confirm the account is verified. If the account is found to be already verified, inform the user.
- If a user requests another token (and the account is not already verified), delete all current open request tokens in the DB for that user as clean-up/security.
- Rate limit the `/verify-email` endpoint to 1 try every 10 seconds to further impede brute-force attacks. If the rate is limited, inform the user they can only perform the action once every 10 seconds.
```javascript
const crypto = require('crypto')

// 128 random bytes, hex-encoded
const token = crypto.randomBytes(128).toString('hex')
```
Inspiration from:
- https://supertokens.medium.com/implementing-the-right-email-verification-flow-bba9283e1d63
Thanks.