13

I have a signup form with a single email field. When a user enters their email I need to send a registration link.

I've seen this Node.js example with a signup form. But it has the sendWelcome feature only.

Are there any examples of Node.js apps that send a registration email?


26

I haven't seen such an example so far, but what is your secondary question? The example you've provided shows pretty well how to send an e-mail. Another option is to use this package:

github.com/andris9/Nodemailer

which also seems to be well documented on how to send e-mails.

Therefore I assume that you'd like to know how to set up the sign-up system. One way to do this is to have a table for registering users which has e-mail and token columns. E-mail is obvious; token is a randomly generated string (for example with node's crypto.randomBytes method) that will be sent as part of the link to the user. Upon entering the link, you search the database for this token and if it's found, you proceed with the registration.

Two things to note: when creating the token, make sure that it doesn't exist in the db already. Second: it's a good practice to use a valid_until column to remove tokens older than several hours.

Update:

Unfortunately, node's base64 export is not URL-safe. Therefore, this is the easiest method to obtain the secure token I've found:

var crypto = require('crypto');
// 48 random bytes, base64-encoded; '/' and '+' are swapped for the URL-safe '_' and '-'
crypto.randomBytes(48, function(err, buf) {
    if (err) throw err;
    var token = buf.toString('base64').replace(/\//g, '_').replace(/\+/g, '-');
});

Perhaps someone will come up with a better solution.

  • Thank you for the reply. I saw the node_mailer module. I'm interested in the method of making the token. But I need to see some robust example to see any practice to prevent hacker attacks. Is your formula secure? – Erik Jan 13 '12 at 04:40
  • 1
    Well, I guess it's as secure as an e-mail. You cannot verify the user by password since you don't have one yet, so you have to trust that the user who knows a secret token sent by e-mail is the actual e-mail owner. If you want extra protection, you may check the request IP along with time. I don't know about node examples, but I've seen this principle used in Rails apps around. – Hubert OG Jan 13 '12 at 10:39
  • Thanks. And the last question: how should I generate the token? By using crypto.randomBytes only, or should I glue email + IP + something else? – Erik Jan 13 '12 at 13:47
  • There's no necessity for that, as you only need a token that is secret. For this purpose, a random string is enough. You don't need to store or verify any information with it. – Hubert OG Jan 13 '12 at 18:49
  • @HubertOG One quick question - do we need to enforce that the token be unique? If we send a link to say www.example.com/register/username/token and search the database for a row where user.username = username and user.token = token, would that be enough? – funseiki Apr 03 '13 at 21:48
  • 1
    @funseiki Don't worry about collisions - the entire point of using 48 crypto-random bytes is to make it so that you literally couldn't find a collision if you tried, because the number of possible keys is 8^48 (2.2300745e+43). To put that in perspective, that makes the odds of landing on a specific token one in about *three **trillion trillion** times the number of grains of sand on Earth*. If you happen upon the same token, it's *not* going to be by chance. – Stuart P. Bentley May 26 '13 at 17:30
  • @StuartP.Bentley Ahh, nice. That puts things into perspective. Thanks :) – funseiki May 28 '13 at 07:34
  • 2
    To back up a little, the collision probability isn't *quite* the same as the keyspace, as you add more documents to your database. See http://en.wikipedia.org/wiki/Birthday_problem – Stuart P. Bentley May 31 '13 at 02:08
  • Why not just inline the better solution you linked at the bottom? – light24bulbs Dec 15 '14 at 21:04
  • @HubertOG Apparently `node_mailer` is deprecated in favour of https://github.com/andris9/Nodemailer. So, please edit your answer based on new better solutions! – nbro Dec 05 '15 at 22:56