Added password confirmation on account creation & email verification via confirmation link.
This still needs a link to resend the verification e-mail. Trying to work on that now.
Querystring hash?
I probably haven't thoroughly thought about this, but is it OK to just be sending the hashed password in a query string for the password reset?
You didn't change it but I wasn't sure where to ask this at.
Not sure why you're asking on this issue. The verification hashes the username in order to verify. For password reset, why would sending the current password hash be a bad thing? As soon as it's reset the "current" hash may no longer be valid. EDIT: unless the user changes their password to the exact same password... but then why would they have requested a reset in the first place. EDIT 2: I don't know that much about encryption so I could be wrong that the same password would have the same hash given a second encryption.
@bjwyse : I'd like to integrate your changes into my fork. Are you releasing your contributions under the same license as node-login, i.e., MIT?
I went ahead and released 1.0.0 of nogin incorporating these changes which includes these changes (the differences were, I think, substantial enough from this PR that inspired them). (My changes are breaking, however.)
Note that an update now causes a new activation to be required (user changing email). Email won't be changed until activated.