william
/
ssb-pub-frontend
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
26 Commits
2 Branches
0 Tags
3.3 MiB
 
 
 
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
William Davis 0ada1fe68f
update readme todo 		2 years ago
db check if email is already in db 2 years ago
keys set up SMTP and password import for SMTP 2 years ago
static serve css for page styling 2 years ago
templates serve css for page styling 2 years ago
token add func to generate random alphanumeric token string 2 years ago
.gitignore add email to db on invite request 2 years ago
README.md update readme todo 2 years ago
main.go serve css for page styling 2 years ago

README.md

email invitation handler

Typically you have a URL that looks like this,

http://yourwebsite.com/confirm-email?token=abcfbcffbabcfcfbbcfaa282bfc8

In your application when request comes in to that URL you grab the token value and check if it is valid by looking up the relevant table in the database.
The table might look like this,

user_id, token, date_generated, date_expires, date_used
1, abcfbcffbabcfcfbbcfaa282bfc8, 2014-03-12, 2014-03-14, NULL

When the link is viewed you must invalidate the corresponding token.

user_id, token, date_generated, date_expires, date_used
1, abcfbcffbabcfcfbbcfaa282bfc8, 2014-03-12, 2014-03-14, 2014-03-13

The token is of course generated randomly at an appropriate time such as after user registration form is submitted.
An alternative approach is to create some sort of deterministic hash using the user data and use that as the token to avoid having to store tokens. But I highly advise against that particularly for more sensitive stuff, sometimes you can get away with that method for a simple "unsubscribe" functionality.

Things to watch out for:
Token must be long (particularly if for pass reset and the like), I'd suggest 24 characters case-sensitive 0-9A-Z
As soon as the link for a token is viewed, it must be marked as used (regardless of the outcome)
Token should have some expiry date, you can adjust this to appropriate value to not annoy users, and depending on the sensitivity of the application, email validation could last 21 days, but pass reset should probably last less than 72 hours.
Be careful to ensure that the token column is unique across the table

notes

  • remember to update keys/keys.go with SMTP password

todo

  • store email as string instead of []byte for readability
  • clean up db code
    • does user struct obj need to be pointed to??
  • add db func to retrieve data from db
  • add func to generate ssb invite code
  • store invite in db
  • add func to check if email is already in db
    • send email with old token on email resubmission
  • use token as bolt key in db instead of sequential int
  • gracefully handle db lookup failure (e.g. incorrect token)
  • add styling to html templates
  • refactor!!!
  • how to prevent abuse? limit emails to addr? Turn off sending more than one email altogether? cache emails and send manually (admin)?

reference

https://www.zupzup.org/boltdb-example/ -might be good