
Add email verification system to link users to domains

Open Copilot opened this issue 3 months ago • 16 comments

Implementation Complete ✅

Successfully added functionality to link users to domains via email verification.

Completed Tasks:

  • [x] Create a model to store domain verification codes
  • [x] Add a "Manage this Domain" button to the domain view page
  • [x] Create a view to handle verification code generation and email sending
  • [x] Create a view to handle verification code validation
  • [x] Add URL patterns for the new views
  • [x] Update the domain view template to show the button
  • [x] Create email template for sending verification codes
  • [x] Add database migration with indexes
  • [x] Add database indexes for performance
  • [x] Improve error handling and audit trail
  • [x] Pass code review
  • [x] Pass security scan (CodeQL - 0 alerts)
  • [x] Move imports to module level (best practices)
  • [x] Update migration number to avoid conflicts

Recent Updates:

  • Moved imports to module level: Relocated random, string, send_mail, and render_to_string imports from function level to module level for better performance and code organization
  • Updated migration number: Renamed migration from 0245 to 0254 to resolve conflict with existing merge migration and updated dependencies to reference 0253_add_verifier_permission

Implementation Summary:

Model Changes:

  • Added DomainVerificationCode model with:
    • 6-digit verification code generation
    • 15-minute expiration window
    • One-time use enforcement
    • Optimized database indexes for performance

Views:

  • request_domain_access: Generates code and sends to domain's registered email
  • verify_domain_access: Validates code and adds user as domain manager

Templates:

  • Professional email template with verification code
  • User-friendly verification form with clear instructions
  • "Manage this Domain" button integrated into domain page

Security & Performance:

  • Database indexes for optimized query performance
  • Code expiration to prevent replay attacks
  • One-time use enforcement
  • Audit trail preservation for debugging
  • CodeQL security scan passed (0 alerts)

How it works:

  1. User navigates to domain page and sees "Manage this Domain" button (if authenticated and not already a manager)
  2. User clicks button, triggering code generation
  3. 6-digit code is emailed to the domain's registered email address
  4. User enters code on verification page
  5. If code is valid and not expired, user is added as domain manager
  6. User gains full management access to the domain

Testing Notes:

To test this feature:

  1. Ensure domain has an email address configured
  2. Login as a non-manager user
  3. Visit domain page at /organization/domain/{pk}/
  4. Click "Manage this Domain" button
  5. Check email for verification code
  6. Enter code on verification page
  7. Verify user is now listed as domain manager

API Endpoints:

  • POST /organization/domain/<pk>/request-access/ - Request verification code
  • GET/POST /organization/domain/<pk>/verify-access/ - Verify code and gain access

Database Changes:

  • New table: website_domainverificationcode
  • Migration: 0254_domainverificationcode.py

Context from issue:

  • ✅ Add button on domain page: "manage this domain"
  • ✅ Send auth code to the email on file for the domain
  • ✅ Easy way to link a user to a domain without separate company model
  • ✅ Use existing code for associating user with organization

The implementation provides a simple, secure way for users to claim domain management by proving they have access to the domain's registered email address.

Original prompt

This section gives details on the original issue you should resolve

<issue_title> link a user to a domain. On the domain page have a button - “manage this domain” - that will send an auth code to the email on file for the domain. Done, easy way to link a user to a domain - no need for a separate company model.</issue_title>

<issue_description>Idea to link a user to a domain. On the domain page have a button - “manage this domain” - that will send an auth code to the email on file for the domain. Done, easy way to link a user to a domain - no need for a separate company model.

References: OWASP-BLT/BLT#597</issue_description>

Comments on the Issue (you are @copilot in this section)

  • @DonnieBLT we have a link on the company model for managers
  • @DonnieBLT @AtmegaBuzz is this for the view / code to do the logic of linking a user?
  • @AtmegaBuzz @DonnieBLT It's for company dashboard, in the manage domain section the admin can add new members/user to manage that domain. So issue is raised to complete the logic/view for linking user plus integrating it with UI.
  • @DonnieBLT @coderabbitai I think we already have some of the logic or code for associating a user with an organization which the domain is connected to. Can you please use the existing code for that and then integrate these new features?
  • Fixes OWASP-BLT/BLT#1061


Copilot, Nov 23 '25 06:11
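The "How it works" flow and the "Security & Performance" properties above (6-digit code, 15-minute expiry, one-time use, code delivered to the domain's registered mailbox) can be exercised without Django. The block below is an added example and is not BLT's code or the code in this PR: the names `DomainVerificationCode`, `request_domain_access` and `verify_domain_access` mirror the PR's names, but their bodies, the `Domain` stand-in, the in-memory `CODES` table and `OUTBOX` mail queue, and the `MAX_ATTEMPTS` limit are all assumptions. Two choices differ from what the PR description mentions and are worth noting for anyone implementing the same flow: the code is drawn with `secrets` rather than the `random` module, because a verification code is a security token and `random` is not designed for that use, and wrong guesses are counted and capped, because a 6-digit space (one million values) is small enough that an uncapped 15-minute window invites guessing.

```python
"""Added example (not the project's code): the domain-claim verification
flow as a plain-Python state machine. Names mirror the PR description;
bodies, data stores and the attempt limit are assumptions."""

import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CODE_LENGTH = 6                     # 6-digit code, as in the PR
CODE_TTL = timedelta(minutes=15)    # 15-minute expiry, as in the PR
MAX_ATTEMPTS = 5                    # assumption: not stated in the PR


@dataclass
class DomainVerificationCode:
    """Stand-in for the PR's model row: one pending code per (domain, user)."""
    domain: str
    user: str
    code: str
    created_at: datetime
    used: bool = False          # one-time use flag
    attempts: int = 0           # wrong-guess counter (assumption)

    def is_expired(self, now: datetime) -> bool:
        return now - self.created_at > CODE_TTL


@dataclass
class Domain:
    """Stand-in for the domain record: registered email plus current managers."""
    name: str
    email: str
    managers: set = field(default_factory=set)


# In-memory stand-ins for the database table and the outbound mail queue.
CODES: dict = {}
OUTBOX: list = []


def generate_code() -> str:
    # secrets, not random: the code gates management access to a domain.
    return "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))


def request_domain_access(domain: Domain, user: str, now: datetime = None) -> str:
    """Step 2-3 of the flow: mint a code and mail it to the domain's address."""
    now = now or datetime.now(timezone.utc)
    if not domain.email:
        return "no-email"           # nothing to prove ownership against
    if user in domain.managers:
        return "already-manager"    # button is hidden for managers in the PR
    code = generate_code()
    # A fresh request replaces any older pending code for this pair.
    CODES[(domain.name, user)] = DomainVerificationCode(domain.name, user, code, now)
    OUTBOX.append({
        "to": domain.email,         # sent to the domain's mailbox, not the user's
        "subject": f"Verification code for {domain.name}",
        "body": f"Enter {code} to confirm management of {domain.name}. "
                f"It expires in {CODE_TTL.seconds // 60} minutes.",
    })
    return "sent"


def verify_domain_access(domain: Domain, user: str, submitted: str,
                         now: datetime = None) -> str:
    """Step 4-6 of the flow: validate the code, then grant manager access."""
    now = now or datetime.now(timezone.utc)
    rec = CODES.get((domain.name, user))
    if rec is None:
        return "no-code"
    if rec.used:
        return "already-used"       # one-time use enforcement
    if rec.is_expired(now):
        return "expired"            # expiry blocks replay of an old code
    if rec.attempts >= MAX_ATTEMPTS:
        return "locked"             # cap guessing within the 15-minute window
    rec.attempts += 1
    submitted = submitted.strip()
    # compare_digest needs ASCII str on both sides; reject anything else up front.
    if not submitted.isascii() or not hmac.compare_digest(rec.code, submitted):
        return "invalid"
    rec.used = True                 # record kept (not deleted) as an audit trail
    domain.managers.add(user)
    return "verified"


if __name__ == "__main__":
    t0 = datetime.now(timezone.utc)
    d = Domain("example.org", "admin@example.org")   # constructed sample domain
    print(request_domain_access(d, "alice", t0))     # sent
    delivered = CODES[("example.org", "alice")].code  # read from the "mailbox"
    print(verify_domain_access(d, "alice", delivered, t0))  # verified
    print(verify_domain_access(d, "alice", delivered, t0))  # already-used
```

The three outcomes a defender cares about are all distinguishable return values rather than a bare true/false, so the real view can log them separately (an `expired` or `locked` result is worth surfacing in the audit trail the PR mentions). Note that the record is marked used rather than deleted, which is what keeps that trail.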