User sign-up with email verification - java

I'm developing a website using Struts2 and JSP pages. On many sites, after you sign up, a link is sent to your email and after clicking on it the registration is complete. I want this feature on my website, but I don't have any idea how to do this or how it works. Should I save the user's information in my database until he/she is verified or not? I searched the web, but there are only tutorials for PHP forms.
Any tutorial?
Thanks in advance.

The algorithm is something like this:
1. Save the user's info, marking it with a pending status.
2. Generate a token that contains some info related to the user's account.
3. Generate the email, which must include the URL to activate the account, and the URL will have the token in it.
4. The URL must point to some servlet or service in your app that will validate the token, check if the user related to the token is inactive, present a completion form (let the user set a password, present a captcha, etc.) and on form submission you activate the account with the password they set.
5. You should periodically scan the inactive accounts and delete the ones that are several days old and have not been activated.
To generate the token, you can encrypt some data such as user ID, email, etc. and encode it in Base64 (the URL-safe variant); remember to salt it when you encrypt. When you receive the token, you decode and decrypt it, and it must point to an inactive user account.
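An added example (not from the answer above) of steps 2 and 4: the token is the user id, email and an expiry timestamp encrypted with AES-GCM under a server-side key, with the random nonce standing in for the "salt", then URL-safe Base64 encoded; the key bytes and the `|` field separator are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
// Token = nonce || AES-GCM(userId|email|expiresAt), URL-safe Base64 encoded.
// The random 12-byte nonce is the per-token "salt" the answer mentions, and the
// GCM tag makes any edited token fail to decrypt. The key passed to the
// constructor is a constructed demo value; a real app loads it from config.
public class ActivationToken {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key;
    public ActivationToken(byte[] keyBytes) { this.key = new SecretKeySpec(keyBytes, "AES"); }

    /** Called at sign-up; the result goes into the activation URL as a query parameter. */
    public String issue(long userId, String email, long ttlMillis) throws Exception {
        long expiresAt = System.currentTimeMillis() + ttlMillis;
        byte[] plain = (userId + "|" + email + "|" + expiresAt).getBytes(StandardCharsets.UTF_8);
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[NONCE_LEN + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_LEN);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Called by the activation servlet. Returns {userId, email}, or null if the token is
     *  forged, truncated or expired. The servlet must still load the user by id and check
     *  that the account is in pending status before showing the completion form. */
    public String[] verify(String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, NONCE_LEN));
            byte[] plain = c.doFinal(in, NONCE_LEN, in.length - NONCE_LEN);
            String[] parts = new String(plain, StandardCharsets.UTF_8).split("\\|", 3);
            if (parts.length != 3 || Long.parseLong(parts[2]) < System.currentTimeMillis()) return null;
            return new String[] { parts[0], parts[1] };
        } catch (Exception e) {   // bad Base64, wrong key, tampered bytes, input too short
            return null;
        }
    }
}
```

With a 16-byte key, `new ActivationToken(key).issue(42L, "alice@example.com", 86400000L)` yields a token that `verify` decodes back to {"42", "alice@example.com"} within a day, while the same token with its last characters changed returns null.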

Related

Double verification emails sent from Cognito upon updating user email address

I am using AWS Cognito for user management in my application. The user pool is configured so that users log in with a unique username and a password, and multiple users can have the same email address. I am using Amplify built-in components for authentication.
The problem I can't seem to resolve is double verification messages upon updating a user's email. When an email is changed, CustomMessage_UpdateUserAttribute is triggered, and when the user wants to verify the changed email, CustomMessage_VerifyUserAttribute is triggered. I have a custom lambda function that listens for these triggers among others and sends corresponding emails based on the action the user is trying to perform: login, verify email, reset password, etc.
So if a user modifies his email address, CustomMessage_UpdateUserAttribute is triggered and the user receives an email with the following (default) message: "Please verify your account and enter the following verification code to reset your password: xxxxxx". However, when this user logs in, Amplify recognises that the user is in the "verifyContact" state, and displays the screen you can see below.
The user has two options:
- to skip the verification, or
- to select the only attribute that awaits verification and click on the "verify" button.
Clicking on the "verify" button triggers CustomMessage_VerifyUserAttribute and sends yet another email to the user. The user is redirected to the following screen.
The second screen is where the user is supposed to input the newly sent code (from the second email). So the user has absolutely no need for the first email (and code) that is sent automatically when the email is updated. I have tried to find a way to avoid sending that email, but have not found a good solution. Cognito won't let you override the message in the lambda without sending the confirmation code in it, which is completely unnecessary since there is no place where the user can input it. I don't want to disable email verification, or set email_verified to true upon updating.
Do you have any suggestions what I could do?
If anybody is facing the same problem, a workaround is to update the email_verified field twice. When updating the email, set email_verified to true. This will prevent Cognito from sending an email on CustomMessage_UpdateUserAttribute. Then, in a separate user attribute update request, update only the email_verified field to false. This will set the user to the "verifyContact" state and request email verification on login.

OAuth2 in server-side access/refresh token

We are trying to implement OAuth2 in our app. In our app we log in using Sign In with Google, and this returns a lot of stuff like UID, ACCESS_TOKEN, REFRESH_TOKEN, etc. We are thinking of sending the UID from the app to the server side and storing it in the DB linked with the user, as if it were its password.
On the server side, on each call (for instance get_products) we are thinking of using an access_token, but we don't know if it should be the UID of the user itself or whether we have to create another access_token with its refresh_token and an expiration time. So we have one UID from the user and another access_token and refresh_token from OAuth.
I'm not sure about the value you refer to by UID. Maybe it's something that I haven't come across before.
But if it stands for USER IDENTIFIER, then you should not use it to identify the end user and maintain a session. A UID could be a public identifier, so anyone who knows it will be able to communicate with your server. Also, think about user login through multiple devices. Your server won't be able to identify the correct session.
Use the access_token to initiate a session. In your server, use the user-information endpoint to obtain validity details and end user information. Alternatively you may choose OpenID Connect.

What to do with the token data when the user signs out from android app?

The question is pretty simple. I am also a novice regarding token authentication.
I know that, in the case of token authentication in Android apps, a token is used so that the user credentials do not remain in the app, i.e. whenever the user fetches data from the server, it does not send the user credentials every time but sends the token instead.
When the user signs in for the first time from the app, a token is generated by the server and is "entried" in the database beside the user data. This token is sent back to the app from the server, and it is this token that the user, from the app, has to send every time it plans to fetch some data from the server. When the user has to fetch data, it sends the required parameters and with them the token. This token is matched against all the tokens present in the database. If the token is present, it also gets the user associated with that token. And as the token is present, the user session is valid and then the required data from the server is sent back to the Android app.
What I want to know is what to do with the token, on both the client and server side, when the user logs out?
If there is any doubt please comment. I know it's a simple question but I don't know much about token authentication. Thanks everyone for their time.
Note: Also, if any of my concepts in the question are wrong, please feel free to correct me.
Basically all tokens have an expiry. This is intended for security purposes. But you can choose whether to set an expiry for your token. But I suggest that you must put an expiry on your token. And also delete those tokens from both server and client, and set the user session to log in again. Use timestamps to create the tokens. They are also useful when comparing tokens.
Happy Coding.... :-)
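An added example (not from the question or answer above) of the server-side half of what the answer describes: a token table that stores an opaque random token beside the user id for each login, rejects it once its timestamp is older than the configured lifetime, and removes it on logout; the in-memory map stands in for the database table the question mentions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Server-side token table for an app client. Tokens are random (not derived from
// any user identifier), one per login so a user on two devices holds two rows,
// each stamped with its issue time so expiry can be checked on every request.
public class TokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final long ttlMillis;
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    record Session(String userId, long issuedAt) {}

    public TokenStore(long ttlMillis) { this.ttlMillis = ttlMillis; }

    /** Login: mint a fresh 256-bit token and store it next to the user id. */
    public String issue(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(userId, System.currentTimeMillis()));
        return token;
    }

    /** Each data request: resolve the token to a user; expired rows are purged and rejected. */
    public String userFor(String token) {
        Session s = token == null ? null : sessions.get(token);
        if (s == null) return null;
        if (System.currentTimeMillis() - s.issuedAt() > ttlMillis) {
            sessions.remove(token);
            return null;
        }
        return s.userId();
    }

    /** Logout: delete the row so any copy still on the device no longer resolves to a user.
     *  The app clears its own stored copy at the same time and returns to the login screen. */
    public boolean revoke(String token) {
        return token != null && sessions.remove(token) != null;
    }
}
```

After `String t = store.issue("user-1")`, `store.userFor(t)` returns "user-1" until either the lifetime passes or `store.revoke(t)` runs, after which it returns null.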

GAE JAVA Endpoints with android - am I authenticated or not?

On the Android client, I create Credentials, then choose the account using AccountPicker and set the account name. On GAE, I have a User parameter in every endpoint method. (I described it here)
The Android client ID, web client ID and audiences are configured correctly.
On the endpoint, the user is not null and has the correct email set. But when I call user.getUserId() I get null. Is this user authenticated or not? It really makes me nervous not to know that.
What you describe is odd, and I don't know why you get null when you call getUserId(), but nevertheless I would say: yes, you are authenticated.
If you want to be sure, then you could try using that authentication from a web client. I read that once you have authenticated an Android user you are automatically given minimal account authentication for the web too. So create a minimal servlet that includes the following code:
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
// Inside the servlet's doGet: null means no signed-in Google account for this request
UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();
Load the page while signed in with the same account you authenticated from Android and see whether it acts like it already knows you, or whether it prompts the user as it would for a different, un-authenticated user.
This is a bug on Google's side.
There seems to be a clunky workaround: save the User to the datastore and read it back.

User info from token

My application uses 3-legged authentication (OAuth).
I have the token (user was redirected to google login page to log in)
How can I get the e-mail address he used to authenticate?
You should look up user data using the access token. In Facebook, the access token starts with the user serial, so you can identify the user from the token directly (e.g. 123456-someStrangeStringBlahBlah...).
So if exposure of the user serial is not a problem, make the token like Facebook's.
I think you want to use OpenID attribute exchange (not OAuth, but Google has a bridge between the two).
See Google's page on their federated login API.
If you are using OAuth 1.0 you can extract the user email from the contactService by making a request to get, for example, a contact group id. The returned response contains the user email encoded:
"http://www.google.com/m8/feeds/groups/user_email_here%40gmail.com/base/5f062e1e08cb3123"
