
Security: Email camping

Open MGatner opened this issue 4 years ago • 4 comments

Because email addresses must be unique in the database, accounts can be denied intentionally or accidentally by "camping" a new account with the email address, verified or not. Unverified emails should either go in a different field or the Model requirements should be loosened to allow multiple instances of the same email.

MGatner, Jan 14 '21 16:01

How would an account be 'camped' if it's verified?

SpiralBrad, Sep 02 '21 02:09

@SpiralBrad it need not be verified to use up that one "unique" slot in the database. If I create a new account as [email protected] but obviously don't own that address then you will never be able to use it.

MGatner, Jul 12 '22 20:07

Sure, but you said “verified or not”.

…but if it’s verified, it wouldn’t be camped. …cuz it’s verified.

SpiralBrad, Jul 12 '22 22:07

Understood! Yes I see now how that phrasing was confusing.

MGatner, Jul 12 '22 22:07
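
One way to implement the loosened uniqueness rule proposed in the issue, as an added example that is not myth-auth code: a partial unique index enforces uniqueness only for verified addresses, so an unverified signup cannot occupy the slot. The `users` table, its columns, the helper names and the sample address are assumptions, and SQLite stands in for the application's database.

```python
import sqlite3

# Hypothetical schema (not myth-auth's): uniqueness is enforced only on
# verified rows, so unverified signups for one address can coexist.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    email    TEXT NOT NULL,
    verified INTEGER NOT NULL DEFAULT 0
);
CREATE UNIQUE INDEX users_verified_email
    ON users (email) WHERE verified = 1;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def register(db, email):
    """Create an unverified account; refuse only if a verified owner exists."""
    email = email.strip().lower()
    taken = db.execute(
        "SELECT 1 FROM users WHERE email = ? AND verified = 1", (email,)
    ).fetchone()
    if taken:
        raise ValueError("email already belongs to a verified account")
    cur = db.execute("INSERT INTO users (email) VALUES (?)", (email,))
    db.commit()
    return cur.lastrowid

def verify(db, user_id):
    """Call after the user proves control of the mailbox (e.g. emailed token)."""
    row = db.execute(
        "SELECT email FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return False  # pending row was already cleaned up
    try:
        with db:  # one transaction: claim the address, drop other pending rows
            db.execute("UPDATE users SET verified = 1 WHERE id = ?", (user_id,))
            db.execute(
                "DELETE FROM users WHERE email = ? AND verified = 0", (row[0],)
            )
    except sqlite3.IntegrityError:
        return False  # another account verified this address first
    return True
```
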