Developers November 24, 2020

How do you handle email verification?

Justin @Harrjm

I'm working on a form backend project, Jamform, and now I'm trying to set up email verification. I need this feature set up because I will be sending form submissions to the email on file, and if the email was accidentally (or maliciously) typed incorrectly, some other person could be receiving all these emails and potentially sensitive data. I know there are other benefits to email verification as well.

What I'm wondering is how to go about implementing that, and by that I mean what's the correct registration flow. I looked at two of my competitors, FormSpree and Getform, to see how they do it. Both of these services seem to create a legitimate account for you without verification; they just block you from using the features. The boilerplate I'm building off of works about the same. Registration creates an account that's unverified, you can block features based off that, and then you can verify and it just toggles the property on the user record.

However, I'm thinking I should not create the account at all until the verification email is clicked. This would prevent emails from being "locked" into an unusable verification state if someone registers with it but doesn't verify their email. This would mean rewriting a non-trivial part of the boilerplate (which is fine if necessary). So I'm wondering if this is worth it?

  1. 1

    As far as I know, with most services you create an account and can use it (or in limited ways) without verifying your email BUT most of them check the email address to be valid using a 3rd party email validation service, which makes sure the email is legit and not a temporary email for example. Example of such a service: https://www.mailgun.com/email-validation/

  2. 1

    This would prevent emails from being "locked" into an unusable verification state
    if someone registers with it but doesn't verify their email.

    If you're concerned (and a quick fix so you can go on to doing more important stuff!) you could have a cron task that deletes unverified accounts greater than, say, 3 days (or whatever you want), then you can sleep better! :)

    1. 2

      That's a great idea! And I can just do that manually until it gets to an unmanageable point since I doubt I'm going to have a huge influx of users any time soon.

  3. 1

    I don't think it's worth it. Most sites that implement email verification do it like your competitors, make the account optimistically and then unlock it once it's verified. It'll be much simpler for you to do it this way as well.

    If you're worried about the email address being "locked" until the verification link is clicked, what is the reason for that? Are you thinking it's an attack vector and a malicious user could block an innocent one from registering? The chances of that happening are very low and even if it does, you can just manually resolve it if the innocent user fails to log in and writes in to you to help them.

    Do it the old-fashioned way. It'll save you some development time (and headaches) with weird edge-cases, and is probably more secure anyways, as creating user accounts upon clicking links in emails has the potential to be abused.

    1. 1

      Awesome, glad to hear this is a common way to implement this flow, it will certainly save me some headache. Yes, the only real reason I was considering the other flow was to prevent the 'innocent' user from being locked out of their account, whether maliciously or because a third party accidentally typed the wrong email and created an account for them. But as you said, they could just write in or even use the "forgot password" functionality to reset it. So I'll just stick with creating the account optimistically!
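
The flow the thread settles on (create the account unverified, gate form delivery on the verified flag, purge stale unverified accounts from a cron job), as an added sketch that is not code from any poster or from Jamform. The table layout, function names and in-memory SQLite store are assumptions for illustration; the 3-day TTL is the figure suggested above.

```python
import hashlib, hmac, secrets, sqlite3, time

UNVERIFIED_TTL = 3 * 24 * 3600  # "say 3 days", as suggested in the thread

def open_db():
    db = sqlite3.connect(":memory:")  # assumption: any SQL store works the same way
    db.execute("""CREATE TABLE users (
        email TEXT PRIMARY KEY, verified INTEGER NOT NULL DEFAULT 0,
        token_hash TEXT, created_at REAL NOT NULL)""")
    return db

def _hash(token):
    # Store only a hash, so a leaked table does not yield usable verification links.
    return hashlib.sha256(token.encode()).hexdigest()

def register(db, email, now=None):
    """Create the account optimistically; return the token to e-mail as a link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO users (email, token_hash, created_at) VALUES (?, ?, ?)",
               (email.lower(), _hash(token), now))
    return token

def verify(db, email, token):
    """Toggle the verified flag if the token matches; the token is single-use."""
    row = db.execute("SELECT token_hash FROM users WHERE email = ? AND verified = 0",
                     (email.lower(),)).fetchone()
    if row is None or row[0] is None or not hmac.compare_digest(row[0], _hash(token)):
        return False
    db.execute("UPDATE users SET verified = 1, token_hash = NULL WHERE email = ?",
               (email.lower(),))
    return True

def can_receive_submissions(db, email):
    """Feature gate: form submissions are forwarded only to verified addresses."""
    row = db.execute("SELECT verified FROM users WHERE email = ?",
                     (email.lower(),)).fetchone()
    return bool(row and row[0])

def purge_unverified(db, now=None):
    """Cron job: delete accounts never verified within the TTL, freeing the address."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM users WHERE verified = 0 AND created_at < ?",
                     (now - UNVERIFIED_TTL,))
    return cur.rowcount
```

Because the purge frees the address after the TTL, a mistyped or squatted registration stops blocking the real owner without any manual support step.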
