Client app contact email

Open jace opened this issue 11 years ago • 2 comments

Client apps should have a contact email address for support issues (if, say, an API is changing and we need to notify the app's owner).

Since apps can be owned by an org and orgs don't have email addresses, we can't default to the owner's email. However, a plain text field will effectively be an unverified email.

Options:

  1. Wait for #125 and use Lastuser's existing verification support,
  2. Limit choices to the editing user's personal addresses, or
  3. Use unverified email addresses.

jace, Nov 03 '14 03:11

#125 has been reversed. Contact info can only be linked to a user account. We are left with options 2 and 3 now.

jace, Oct 01 '18 18:10

If we implement the second option (limit choices to the editing user's personal addresses), we will be encouraging users to add a shared email address to their personal account. This is dangerous as shared email addresses provide a vector for breaking into an individual's account. Our options appear to be:

  1. Unverified email addresses
  2. Separate verification for client app email addresses, handled independently of UserEmail verification.

Ironically, the latter is how Hasjob verifies email addresses (for job posts), bypassing Lastuser entirely. Now we have the same solution pattern in Lastuser.

jace, Oct 01 '18 19:10
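
A sketch of the second option in the last comment (separate verification for client app contact addresses), added here as an illustration and not taken from Lastuser or Hasjob. The class name, token format and in-memory store are assumptions; the point is that a confirmed contact address is recorded against the client app only and never becomes an address on a user account.

```python
import base64
import hashlib
import hmac
import json
import time


class ClientContactVerifier:
    """Hypothetical verifier for client app contact emails.

    Results live in their own store, keyed by client id, so a shared
    support mailbox is never attached to anyone's personal account.
    """

    PURPOSE = "client-contact"  # domain separation from any other token type

    def __init__(self, secret, max_age=86400):
        self._secret = secret
        self._max_age = max_age
        self.verified = {}  # client_id -> confirmed contact email

    def _sign(self, client_id, email, ts):
        # JSON encoding keeps field boundaries unambiguous before signing.
        payload = json.dumps([self.PURPOSE, client_id, email.lower(), ts])
        mac = hmac.new(self._secret, payload.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def issue(self, client_id, email, now=None):
        """Return the token to mail to the proposed contact address."""
        ts = int(time.time() if now is None else now)
        return "%d.%s" % (ts, self._sign(client_id, email, ts))

    def confirm(self, client_id, email, token, now=None):
        """Accept only an unexpired token bound to this client and address."""
        try:
            ts_text, sig = token.split(".", 1)
            ts = int(ts_text)
        except ValueError:
            return False
        expected = self._sign(client_id, email, ts)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        current = int(time.time() if now is None else now)
        if ts > current or current - ts > self._max_age:
            return False
        self.verified[client_id] = email.lower()
        return True
```
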