2

Before this question gets marked as a possible duplicate, I want to address a few things.

I want to make sure that users have a single email field called email. They also have an is_verified field to indicate whether the email has been verified.

There are a few pitfalls in most email verification implementations. Let's say that a user creates an account and has an unverified email. Let's say that the user does not actually own the email, though.

Now, the actual owner of the email enters the site. But, as the email is already saved in the database, we get an integrity error - that the email is already in use.

Thus, any scammer can enter a random email and claim it. This reduces the user experience. How can this be avoided so as to provide a complete email verification system? (One where the actual owners can claim their emails.)

So, when a user registers with an email which is already owned by another user, but is unverified, should the existing user be deleted? Or should we display integrity error messages? What is the right thing to do?

Thanks a lot!

Aryan Iyappan
  • Are you using a custom User model? The built-in model does not have a unique constraint on email address – Iain Shelvington May 01 '21 at 11:10
  • yes, I am using a custom user model – Aryan Iyappan May 01 '21 at 11:12
  • Can you allow duplicate emails but add a constraint that only one active account is allowed per email? – Iain Shelvington May 01 '21 at 11:13
  • Don't you send an email to the user to verify their email address? This way the user would likely know someone has tried to use their email address and can try resetting their password if they really want to make an account. – Abdul Aziz Barkat May 01 '21 at 11:22
  • @IainShelvington yes, I could do that, but then if one user asks to resend the activation email, then every user with that email, verified or unverified, will receive it, right? – Aryan Iyappan May 01 '21 at 11:36
  • But only one person actually has the email address so only the owner of the email address will receive the email – Iain Shelvington May 01 '21 at 11:38
  • yes, but there will be emails to confirm multiple user accounts, even ones sent by scammers. If the actual owner activates that email, then the scammer's account will be activated. – Aryan Iyappan May 01 '21 at 11:46
  • @aryan340 you appear to be too concerned about things not in your hand and generally are assuming users to be malicious. It is quite easy to make mistakes while registering on a website and making typos is not that rare, you just need to make your activation emails a bit more descriptive and state that if they have not registered they can safely ignore the email or send them a link where they can report such actions. – Abdul Aziz Barkat May 01 '21 at 11:47
  • @aryan340 Plus another thing you can do if you are really concerned is not take a password from the user at registration time, this will create a password that is unusable and then instead of an activation email you can simply tap into the builtin password reset views and send that password reset email to your user. – Abdul Aziz Barkat May 01 '21 at 11:53

2 Answers

2

Yes, it is very important to add a verification step in the signup procedure.

  • So first of all, create an email template and send an email with a unique code to users when they sign up. To implement a free email service to start with in Django:

    check my answer here: How to send email via Django?

  • Then generate a random string every time in the register function in views to send a verification code through the mail. E.g.

    import random
    verifyCode = random.choice(["a", "b", "c", "d", "x", "y", "z"]) + str(random.randint(100000, 1000000))  # one letter followed by a 6- or 7-digit number
    
  • Create a temporary table where unverified users' data is stored; delete the row when the verification of the email is completed and then store the data in the main Users table.

  • According to your last question, if a user is signed up with an email that is not verified, it should not be stored in the main Users table. Don't log in (give access to) that user with that email and username to your site.

Hope this is what you want.

abdeali004
0

If you are not using the email to authenticate (so USERNAME_FIELD is not email), you can set the email field to a non-unique field, then when registering users in the signup view or in the customUserManager you can check that it's unique only among users with a verified email (so if the email exists and is verified, then don't create a new user).

Of course there will be the case where someone creates two accounts (before validating any of them) and then tries to validate both of them at the same time; in this case, when you activate an email for the first time, remove all other accounts with the same (unverified) email.
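The following is an added example, not code from either answer or from any Django project, that puts both answers' rules together in plain Python so the flow can be checked without a database: the email column is not unique, only a verified account blocks an address (answer 2), unverified registrations wait in a pending table keyed by a token (answer 1's temporary table), and the first successful verification deletes every other unverified account with the same address and invalidates their tokens. The `User`, `Registry` class, the `_hash` helper and the sample addresses are all constructed for this example. It uses `secrets.token_urlsafe` for the emailed token rather than `random`, because `random` is not suitable for values that act as credentials, and stores only a SHA-256 hash of the token so a leaked pending table cannot be replayed.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    """Constructed stand-in for the custom user model: email is NOT unique."""
    id: int
    email: str
    is_verified: bool = False


def _hash(token: str) -> str:
    """Store only a digest of the emailed token, never the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class Registry:
    """In-memory stand-in for the users table plus the pending-verification table."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.pending: Dict[str, int] = {}  # token hash -> user id
        self._next_id = 1

    def register(self, email: str) -> Tuple[User, str]:
        """Create an unverified account unless a VERIFIED account already owns the address."""
        email = email.strip().lower()
        if any(u.email == email and u.is_verified for u in self.users.values()):
            # Only the verified owner blocks the address (answer 2's rule).
            raise ValueError("email already in use by a verified account")
        user = User(self._next_id, email)
        self._next_id += 1
        self.users[user.id] = user
        token = secrets.token_urlsafe(32)  # what the activation link carries
        self.pending[_hash(token)] = user.id
        return user, token

    def verify(self, token: str) -> Optional[User]:
        """Activate the account the token belongs to; purge rival unverified accounts."""
        uid = self.pending.pop(_hash(token), None)
        if uid is None:
            return None  # unknown, already used, or invalidated token
        user = self.users[uid]
        user.is_verified = True
        stale = [u.id for u in self.users.values()
                 if u.email == user.email and u.id != uid and not u.is_verified]
        for sid in stale:
            del self.users[sid]
        # Their activation links must stop working too, otherwise a later click
        # would resurrect an account the real owner never created.
        self.pending = {h: i for h, i in self.pending.items() if i not in stale}
        return user

    def verified_owner(self, email: str) -> Optional[User]:
        email = email.strip().lower()
        for u in self.users.values():
            if u.email == email and u.is_verified:
                return u
        return None


if __name__ == "__main__":
    # Constructed scenario: an impostor registers first, the real owner second.
    reg = Registry()
    _, impostor_token = reg.register("owner@example.com")
    owner, owner_token = reg.register("owner@example.com")  # no integrity error
    print("owner verified:", reg.verify(owner_token) is owner)
    print("impostor link still works:", reg.verify(impostor_token) is not None)
    print("accounts left:", list(reg.users))
```

Resending an activation mail then means generating a fresh token for one specific pending account, not mailing every account that shares the address; and a later registration attempt for an address that already has a verified owner is the only case where the signup view should report "already in use".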