django-sitegate

confirming email changes

Open imposeren opened this issue 10 years ago • 6 comments

I think that it's good to have the ability to validate email changes with the same model and view that are used to confirm emails on registration. This pull request adds an easy way to do so, with docs. For the default config nothing will change: developers should provide their own methods to generate the required DB rows and emails.

imposeren avatar Aug 14 '15 19:08 imposeren

JFYI: I have not added any tests for the new features. I do not know why coverage increased (it's something obvious but I do not want to investigate)

imposeren avatar Aug 14 '15 19:08 imposeren

Thank you for your participation %) I'd review it in a few days.

idlesign avatar Aug 15 '15 02:08 idlesign

There may be several more universal alternatives:

  1. signing.dumps(...) as code:

    1. increase length of "code" field
    2. store signing.dumps(arbitrary_data) in code field
    3. it's now possible to use "new_email" field without actual field by decrypting data in code field
    4. But signing.dumps results may be of any length so this model will not work for all data inputs:

        In [4]: len(signing.dumps(range(20)))
        Out[4]: 103

        In [5]: len(signing.dumps(range(200)))
        Out[5]: 957

  2. zero changes to models, just use "special" urls with encrypted data salted by email_confirmation.code:

    1. here we do not add any changes to models
    2. instead we just create special view with url like "^/custom-confirmations/(?P<code_pk>\d+)/(?P<data>\S+)/$"
    3. to generate url we'll use signing.dumps(data, salt=code.code) (that's why I use code_pk instead of code in url above: to not include salt in url)
    4. we now can perform any confirmations with a single view and old model. This also will make it easier to send confirmation emails both to new and old email addresses (to old: "do you really want to change email to XXX?", to new: "To confirm that this email belongs to owner of OLD_EMAIL please follow next link...")

        code = get_object_or_404(EmailConfirmation, pk=code_pk, expired=False)
        try:
            data = signing.loads(data, salt=code.code)
        except signing.SignatureExpired:
            messages.error(request, "Your url expired")
        except signing.BadSignature:
            raise Http404
    
  3. Currently proposed changes are used in my project without sending confirmations to old email addresses (just to new one). I have many users with dead emails: they are registered with python-social-auth through vk.com backend and many of them just don't use old mailbox anymore or their mailbox is already dead.

What do you think? Different approaches will break code in my project, but this will be relatively easy to fix.

imposeren avatar Aug 15 '15 06:08 imposeren
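
Alternative 2 from the comment above, sketched as an added example (not code from the thread or from django-sitegate): a standard-library stand-in for the signed, timestamped tokens that django.core.signing produces, salted with the confirmation code. It shows that a token only verifies against the row whose code was used as salt, and that the payload is signed rather than encrypted, so anyone holding the URL can read the new address. SECRET_KEY, the token layout and all function names are assumptions of this sketch.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-secret"  # assumption: stands in for settings.SECRET_KEY

class BadSignature(Exception): pass
class SignatureExpired(BadSignature): pass

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(salt, body):
    # The salt (EmailConfirmation.code in the thread) is mixed into the key, so a
    # token issued for one confirmation row does not verify against another row.
    key = hashlib.sha256(salt.encode() + SECRET_KEY).digest()
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def dumps(data, salt, now=None):
    """Return 'payload:timestamp:signature'; `now` is injectable for testing."""
    ts = int(time.time() if now is None else now)
    body = _b64(json.dumps(data, sort_keys=True).encode()) + ":" + str(ts)
    return body + ":" + _mac(salt, body)

def loads(token, salt, max_age, now=None):
    """Verify the signature first, then the age; only then parse the payload."""
    try:
        body, sig = token.rsplit(":", 1)
        payload, ts = body.split(":")
    except ValueError:
        raise BadSignature("malformed token")
    if not hmac.compare_digest(sig.encode(), _mac(salt, body).encode()):
        raise BadSignature("signature does not match this confirmation code")
    age = (time.time() if now is None else now) - int(ts)
    if age > max_age:
        raise SignatureExpired("token is %d seconds old" % age)
    return json.loads(_unb64(payload))

def peek(token):
    """Read the payload with no key at all: it is encoded, not encrypted."""
    return json.loads(_unb64(token.split(":")[0]))

if __name__ == "__main__":
    token = dumps({"new_email": "new@example.com"}, salt="constructed-code-A")
    print(token)
    print(peek(token))
```

In Django itself, signing.loads raises SignatureExpired only when a max_age argument is passed; without it the expiry branch of the view never runs.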

Code Health Repository health decreased by 0.12% when pulling 614d18e on imposeren:email_change_confirmation into 669747b on idlesign:master.

landscape-bot avatar Aug 16 '15 10:08 landscape-bot

Universal alternatives are always more welcome. No. 2 sounds interesting. I'm taking a time out to think that over. Please inform me if you have any new ideas.

idlesign avatar Aug 22 '15 08:08 idlesign

Coverage Status

Coverage increased (+16.9%) to 89.194% when pulling 9a4dfb640deb511ae4b0ec55f27d39ae3295aac5 on imposeren:email_change_confirmation into 669747b0e5030e98feb31be992e0ec42d28850ba on idlesign:master.

coveralls avatar May 15 '17 20:05 coveralls