
I am thinking of a forum type system that will allow users to post/edit posts without an account but through e-mail verification.

So, you would fill out the form, supply email address, submit, and then receive a link in an email that would 'activate' your post. Same thing to edit. Click 'edit', receive email with link, link takes you to edit form.

I'm trying to understand the exact steps to securely do this. How do I create a link that will expire after some time period? How do I ensure it is coming from the email address and not just some bot cycling through potential URLs?

Any help to get started in the right direction is appreciated.

I am using Python, flask, Postgres on Heroku.

chrickso
    I understand your attempt to prevent SO users from doing my work for me, but I have clearly noted that I am simply looking for a general direction of how this type of system operates. I figured I'd come ask the experts to get an understanding before wasting my time 'trying' to do something erroneously. – chrickso Nov 13 '12 at 20:08

1 Answer


Since you are using flask, you might want to look at the itsdangerous library:

https://itsdangerous.palletsprojects.com/en/2.0.x/

Using itsdangerous, the workflow could be something like:

  1. User enters the email and post.
  2. Generate the secure link using the itsdangerous module, which can be tied to the specific email.
  3. Once the user receives the email and the specific URL as generated in step 2, they can click on it to confirm the post. You could even add an extra layer of check when the user clicks this URL where you could ask them to enter their email address again and then match it against the email tied to the URL.
codegeek
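The three-step workflow above, as an added example that is not part of the answer: a time-limited token bound to the email, the post and the action, signed with the standard library's hmac (itsdangerous' URLSafeTimedSerializer gives the same sign-then-verify-with-max_age behaviour, so this is what the library is doing for you). The secret, post id and addresses are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # constructed; load from config in a real app
MAX_AGE = 60 * 60  # emailed links stop working after one hour

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(email: str, post_id: int, action: str, secret: bytes = SECRET, now=None) -> str:
    """Token for the emailed link. Binding the action ("activate" or "edit")
    means an activation link cannot later be replayed as an edit link."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"e": email.strip().lower(), "p": post_id, "a": action, "t": issued},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"

def verify_token(token: str, secret: bytes = SECRET, max_age: int = MAX_AGE, now=None):
    """Return the payload dict if the signature checks out and the token is
    fresh, else None. Guessing URLs now means forging a 256-bit HMAC."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or signed with another key; trust nothing before this check
    data = json.loads(payload)
    if int(time.time() if now is None else now) - data["t"] > max_age:
        return None  # expired
    return data

def confirm_click(token: str, entered_email: str, **kw) -> bool:
    """The extra check from step 3: the address typed on the confirmation page
    must match the one the link was issued for. One-time use additionally
    needs server-side state (e.g. a 'confirmed' flag on the post), not shown."""
    data = verify_token(token, **kw)
    return data is not None and hmac.compare_digest(
        data["e"].encode(), entered_email.strip().lower().encode())
```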