I would like to follow up on this discussion and have a question:
I want to build my own custom email confirmation to be able to send it via Sendinblue templates. I have added the fields Verification_key (randomly generated) and Registered (yes/no) to the user. The key changes after each use to increase security (unlike Gaby’s suggestion to only use the unchangeable user ID).
I want to use the verification key in combination with the unique User ID. The confirmation email will then look like this, for example:
When the user calls the link, the field Registered switches to “yes”. But unfortunately, for some reason, it doesn’t. It only works if I use the user ID solely in the URL. But not in combination with the self-generated verification key.
Does anyone have an explanation for this? What have I overlooked?
I thought I had checked the privacy rules. But now I see that under “Everyone else (default permissions)” I didn’t select the checkbox for the relevant field “Verification_key”.
Another question:
When the user logs in, I want to check if the user field Registered is set to “yes” respectively if the user has already verified himself.
The workflow looks like this:
Log ther user in
Go to page My Profile (Only when Registered is “yes”).
Otherwise:
Log the user out (Only when Registered is “no”)
Go to page Please confirm (Only when Registered is “no”)
Does it make sense to log the user in first, then check and log out again if the user is not verified? Is there another more elegant and secure alternative?
What I typically do is keep the use signed in and give them the chance to use a verification code that is also sent with a verification link. So for example, the verification link might be used if the user signs up on their laptop, then verify on their phone because they get email notifications there (this is what I do all the time) and if they do check their email on their laptop, they might use the link or they can use the code directly within an input.
I had already thought about this variant as well, @johnny .
Since very sensitive data will be stored in my app, I want to make it as secure as possible.
I thought about temporarily storing the confirmation data (verification code and user ID) in a separate database. After 24 hours, the verification code would be invalid. Only when it is confirmed would a user account be created.
I am not a security professional. But I hope that these small security measures make the system a bit more secure (as I understand, at least more secure than Bubble’s own verification system at the moment).
