In my project I need to send a letter to the user's email with a confirmation link. My solution:
How do you create a confirmation link for email?
I use a similar practice, with the following differences:
I keep host.com/user/email/{code}/confirm secure, so that the user must log in to verify himself. This ensures a bit more security. For example, if the user had typed a wrong email id while registering, that wrong person shouldn't be able to verify even after getting the mail. Rather than fetching the user by code, I would thus fetch the user by id (the id of the currently logged in user). The code itself is UUID.randomUUID().toString(). Also, it depends on personal choice, but I don't use an is_active flag. Instead, I have a roles set, in which I put the "UNVERIFIED" role. That helps me populate the authorities of the user a bit more easily while using Spring Security. Another way would be just to check if the code is null or not.
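The pattern the answer above describes, written out as an added example (this is not the answerer's Spring code): a random code is generated at registration, but confirmation looks the user up by the logged-in session's id and only then compares the code, so someone who merely received the mail cannot confirm. The User dataclass, the in-memory USERS table and the "USER" role name are assumptions for the sake of the example.

```python
import hmac
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    """Hypothetical user record: a roles set stands in for an is_active flag."""
    id: int
    email: str
    roles: Set[str] = field(default_factory=lambda: {"UNVERIFIED"})
    email_code: Optional[str] = None   # cleared once the address is confirmed


USERS: Dict[int, User] = {}   # in-memory stand-in for the user table


def register(user_id: int, email: str) -> str:
    """Create the user as UNVERIFIED with a random, unguessable confirmation code."""
    code = str(uuid.uuid4())   # same idea as UUID.randomUUID().toString()
    USERS[user_id] = User(id=user_id, email=email, email_code=code)
    return code


def confirmation_link(code: str) -> str:
    return f"https://host.com/user/email/{code}/confirm"


def confirm(logged_in_user_id: int, code: str) -> bool:
    """Confirm the address for the currently logged in user only.

    The record is fetched by the session's user id, not by the code, so a
    stranger who received the mail by mistake cannot confirm it: they are
    not logged in as this user, and the code alone is not enough.
    """
    user = USERS.get(logged_in_user_id)
    if user is None or user.email_code is None:
        return False
    # Constant-time comparison so the check does not leak how many
    # leading characters of the submitted code were right.
    if not hmac.compare_digest(user.email_code.encode(), code.encode()):
        return False
    user.email_code = None               # single use
    user.roles.discard("UNVERIFIED")
    user.roles.add("USER")               # assumed name of the confirmed role
    return True


def is_verified(user_id: int) -> bool:
    user = USERS.get(user_id)
    return user is not None and "UNVERIFIED" not in user.roles
```

In a Spring Security setup the roles set would be what you map to GrantedAuthority objects; here it is a plain set so the example runs on its own.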
Don't keep "{code}" as 1/0 or any predictable value. Let it be a random, unique number/key generated for that user.
When the user confirms via the link, don't just look it up in the DB with "where code = ...". Validate the key to check whether any injection is possible. Or, in simple words, if the code logic is numeric, then the received code should be validated as a number.
For more security you can also put a validity period on the confirmation. If the user has not confirmed within that period, the URL is invalid.
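The three points in the answer above (unpredictable code, validate before querying, expiry) combined into one added example; it is not the answerer's code. The code is a UUID rather than a number, so the "validate as a number" advice becomes a strict format check on the UUID shape, the lookup uses a bound parameter, and the 24-hour window, the in-memory SQLite table and its column names are assumptions.

```python
import re
import sqlite3
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# Shape of a version-4 UUID: anything else is rejected before it reaches SQL.
UUID4_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}"
)
VALIDITY = timedelta(hours=24)   # assumed confirmation window


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the real confirmation table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE email_confirmation ("
        " user_id INTEGER NOT NULL, code TEXT NOT NULL UNIQUE,"
        " expires_at TEXT NOT NULL)"
    )
    return db


def issue_code(db: sqlite3.Connection, user_id: int,
               now: Optional[datetime] = None) -> str:
    """Store a random code with its expiry and return it for the mail."""
    now = now or datetime.now(timezone.utc)
    code = str(uuid.uuid4())
    expires_at = (now + VALIDITY).isoformat()
    db.execute(
        "INSERT INTO email_confirmation (user_id, code, expires_at) VALUES (?, ?, ?)",
        (user_id, code, expires_at),
    )
    return code


def confirm(db: sqlite3.Connection, raw_code: str,
            now: Optional[datetime] = None) -> Optional[int]:
    """Return the confirmed user_id, or None if the code is malformed,
    unknown or expired."""
    now = now or datetime.now(timezone.utc)
    # 1. Validate the shape first; a non-UUID string never reaches the query.
    if not UUID4_RE.fullmatch(raw_code):
        return None
    # 2. Bound parameter, never string concatenation, for the lookup.
    row = db.execute(
        "SELECT user_id, expires_at FROM email_confirmation WHERE code = ?",
        (raw_code,),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    # 3. Codes are single use; an expired one is purged and rejected.
    db.execute("DELETE FROM email_confirmation WHERE code = ?", (raw_code,))
    if now > datetime.fromisoformat(expires_at):
        return None
    return user_id
```

The format check is defence in depth: the parameterized query alone already prevents injection, but rejecting malformed input early keeps junk out of logs and error paths.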
Sorry if this is too late. You could use a JWT token in your link (for example /email/{token}). The good thing about JWTs is that you can sign the userID inside it (it can be easily decrypted, but that's not the point of JWTs), but the token's signature is encrypted with your secret key (and the data itself), so you can validate in your backend whether that token was issued by you. Also, you could add an expiration time to your token so the "link" is valid for a certain duration.
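The stateless variant from the answer above as an added example (not the answerer's code): an HS256 JWT built from the standard library, where the signature is an HMAC over the header and payload with the server secret, so the backend can tell a token it issued from a forged one without storing anything, and the exp claim bounds the link's lifetime. The "purpose" claim, the secret and the timestamps are assumptions; in production you would use a maintained JWT library rather than hand-rolling this.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def create_token(user_id: int, secret: bytes, ttl_seconds: int,
                 now: Optional[int] = None) -> str:
    """Issue an HS256 JWT carrying the user id and an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # "purpose" (assumed claim) stops this token being replayed against
    # another endpoint that also accepts JWTs signed with the same secret.
    payload = {"sub": str(user_id), "purpose": "email-confirm",
               "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{_compact_json(header)}.{_compact_json(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes,
                 now: Optional[int] = None) -> Optional[int]:
    """Return the user id if the signature is ours, the purpose matches
    and the token has not expired; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        given_sig = _b64url_decode(sig_b64)
    except ValueError:          # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm: never let the header choose it (alg=none etc.).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("purpose") != "email-confirm":
        return None
    if now >= int(payload.get("exp", 0)):
        return None
    return int(payload["sub"])


def confirmation_link(token: str) -> str:
    return f"https://host.com/email/{token}"
```

Because nothing is stored, a JWT link cannot be revoked or made single-use on its own; if that matters (the user changes the address before clicking), keep the stored-code approach or record consumed token ids.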