如何在创建用户之前验证电子邮件?
[英]How to verify email before creating user?
问题描述
SITUATION:
情况:
I am trying to send a verification email to a user who just registered.我正在尝试向刚注册的用户发送验证电子邮件。
His account is not created unless he verifies his email address.除非他验证他的电子邮件地址,否则他的帐户不会被创建。
MY CODE:我的代码:
var userAuth = firebase.auth().currentUser;
userAuth.sendEmailVerification().then(function() {
req.flash('success_msg', 'Please verify your email address. You have 60 seconds');
setTimeout(function(){
if(userAuth.emailVerified) {
firebase.auth().createUserWithEmailAndPassword(email, password).then(userData => {
var user = {
email: email,
username: username,
}
firebase.database().ref('users/'+userData.uid.toString()).set(user);
req.flash('success_msg', 'You have registered and logged in.');
res.redirect('...');
}).catch(error => {
var errorCode = error.code;
var errorMessage = error.message;
req.flash('error_msg', 'Registration Failed. ' + error.message);
res.redirect('/users/register');
console.log("Error creating user: ", error);
});
} else {
req.flash('error_msg', 'Registration Failed.');
res.redirect('/users/register');
}
}, 60000);
}, function(error) {
console.log(error);
});
PROBLEM:问题:
userAuth is of course null since the user hasn't been created yet. userAuth当然是null因为用户还没有被创建。 This means my code crashes.这意味着我的代码崩溃了。
QUESTION:题:
How can I achieve what I am looking for ?我怎样才能实现我正在寻找的东西?
Or is there a better way ?或者,还有更好的方法 ?
REFERENCE参考
https://firebase.google.com/docs/auth/web/manage-users https://firebase.google.com/docs/auth/web/manage-users
1 个解决方案
解决方案1
4 已采纳 2017-01-12 22:10:26
Putting my collection of comments into an answer since it seems to have answered your question for you.将我的评论集放入答案中,因为它似乎已经为您解答了您的问题。
In order to be able to process the confirmation request when it comes in, you have to store something related to the pending user.为了能够在收到确认请求时对其进行处理,您必须存储与待处理用户相关的内容。 You either create a user object and put it in a "pending" state that your code won't let be used for anything other than a confirmation or you create a separate type of object (a pending confirmation object) and that's all that exists until the confirmation happens.您要么创建一个用户对象并将其置于“待处理”状态,您的代码将不会被用于确认以外的任何其他用途,或者您创建一个单独类型的对象(待处理的确认对象),这就是存在的全部内容,直到确认发生。 You do not want your existing request handler to "wait" until the confirmation happens.您不希望现有的请求处理程序“等待”直到确认发生。
Your current scheme allows attackers to load up your server with requests just waiting for something to happen which will probably either exhaust your memory or sockets.您当前的方案允许攻击者通过请求加载您的服务器,只是等待某些事情发生,这可能会耗尽您的内存或套接字。 It's actually much better to have a tiny object stored in the database that you can clean out every few hours or so if they aren't confirmed.在数据库中存储一个小对象实际上要好得多,如果它们没有得到确认,您可以每隔几个小时左右清理一次。 And, it's likely that some well intentioned users can't even do the confirmation in 60 seconds like you have coded so you'll just frustrate some of the legit users.而且,很可能一些善意的用户甚至无法像您编写的代码那样在 60 秒内进行确认,因此您只会让一些合法用户感到沮丧。
You HAVE to store something.你必须存储一些东西。 When a confirmation link comes in, you have to have something to compare it to that you've previously stored.当确认链接出现时,您必须将其与之前存储的内容进行比较。 Otherwise, people could just make up confirmation links on their own and you'd happily process them.否则,人们可以自己制作确认链接,而您很乐意处理它们。 Storing something you created at the time of the original request is how you authenticate the confirmation link when that request arrives at your server and it's how you associate it with the right user object.存储您在原始请求时创建的内容是您在该请求到达您的服务器时验证确认链接的方式,以及您将其与正确的用户对象关联的方式。 I don't understand what the objection is to storing a small (probably under 100 bytes) account pending object in your database?我不明白反对在您的数据库中存储一个小的(可能低于 100 字节)帐户挂起对象是什么?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.