tutorbook
Restrict profile flow and verify email addresses
Is your feature request related to a problem? Please describe.
Related to #115: Right now, our /[org]/signup page is rather open. Users can change their email addresses, signup with fake emails, use non-authenticated email domains (e.g. @gmail.com in an org that requires @pausd.us), etc.
Describe the solution you'd like
I need to refactor the signup flow (completely getting rid of that [org]/signup page) to look like this:
- The user clicks on a "Signup" or a "Become a volunteer" CTA somewhere within the app.
- The user is redirected to /login?redirect=profile where they choose a provider (e.g. Google or GitHub) to login with.
- Once logged in, the user is immediately redirected to their profile page where they can fill out the rest of their profile (e.g. availability, subjects, bio). This could also be a good time to trigger a short (less than 3 step) Intercom Product Tour to welcome our new volunteer.
The user's email address will then be locked (or changeable only once we have an API that can handle updating the user's email address on their Firebase Authentication account, update org configs, etc).
If the user changes their email address, we'll either:
- Send them a verification email (to the new email address).
- Require them to login again using a provider that uses the new email address (e.g. a different Google account).
That way, users can't easily bypass the org email domain restrictions described in #115.
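As an added example (not part of this issue and not tutorbook's own code): one way to handle the two checks the flow above relies on, namely keeping `/login?redirect=...` limited to known in-app pages so it can't be turned into an open redirect, and comparing the provider's email address against an org's allowed domains. The `ALLOWED_REDIRECTS` list and the `OrgConfig` shape are assumptions for illustration.

```typescript
// Added example, not tutorbook's own code. The allowlist of redirect targets
// and the OrgConfig shape are assumptions; tutorbook's real config may differ.

// Only these relative in-app paths may be used as a post-login destination.
const ALLOWED_REDIRECTS: ReadonlySet<string> = new Set(['profile', 'dashboard', 'search']);

// Turn the raw `redirect` query value into a safe, site-relative path.
// Anything with a scheme, a protocol-relative host, or traversal falls back to '/'.
function safeRedirect(raw: string | string[] | undefined): string {
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (!value) return '/';
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(value);
  if (hasScheme || value.startsWith('//') || value.includes('..')) return '/';
  // Drop leading slashes and any query/fragment before matching the allowlist.
  const path = value.replace(/^\/+/, '').split(/[?#]/)[0];
  return ALLOWED_REDIRECTS.has(path) ? `/${path}` : '/';
}

// Hypothetical org config: an empty list means the org imposes no restriction.
interface OrgConfig {
  domains: string[];
}

// True when the email's domain (case-insensitive, exact match) is allowed by the org.
function emailAllowed(email: string, org: OrgConfig): boolean {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return false; // malformed address
  const domain = email.slice(at + 1).toLowerCase();
  if (org.domains.length === 0) return true;
  return org.domains.some((d) => d.toLowerCase() === domain);
}

// Constructed sample values, for a stand-alone run.
const pausd: OrgConfig = { domains: ['pausd.us'] };
console.log(safeRedirect('profile'), safeRedirect('https://example.invalid/profile'));
console.log(emailAllowed('volunteer@pausd.us', pausd), emailAllowed('volunteer@gmail.com', pausd));
```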
At this point, I've added the profile page but I've still got to:
- [x] Add redirect query parameter to the login page (e.g. redirect=profile).
- [ ] Add multiple providers to the login page (i.e. Facebook, Instagram, LinkedIn, GitHub).
- [ ] Create that Intercom product tour to welcome our new volunteer (and fix #120).
- [x] Lock the user's email address (open a separate issue requesting email-change features).
Actually, re-opening this because I've still got to update the org sign-up flow.