How do you create a confirmation link for email?


Solution 1

I use similar practice, with the following differences:

  1. I would make the URL, i.e. host.com/user/email/{code}/confirm, secure, so that the user must log in to verify himself. This ensures a bit more security. For example, if the user had typed a wrong email id while registering, that wrong person shouldn't be able to verify even after getting the mail.
  2. Instead of searching by code, I would thus fetch the user by id (the id of the currently logged-in user).
  3. For the code, I use UUID.randomUUID().toString().

Also, it depends on personal choice, but I don't use an is_active flag. Instead, I have a roles set, in which I put an "UNVERIFIED" role. That helps me populate the authorities of the user a bit more easily while using Spring Security. Another way would be just to check whether the code is null or not.

Solution 2

Sorry if this is too late. You could use a JWT token in your link (example: /email/{token}). The good thing about JWTs is that you can sign the userID inside it (it can be easily decrypted, but that's not the point of JWTs), but the token's signature is encrypted with your secret key (and the data itself), so you can validate in your backend whether that token was issued by you. Also, you could add an expiration time to your token so the "link" is valid for a certain duration.

Solution 3

  1. Don't keep "{code}" as 1/0 or any predictable value. Let that be a random (unique number/key generated for that user).

  2. When the user confirms via the link, don't just look up in the DB with `where code=`. Validate the key for whether any injection is possible or not. Or in simple words, if the code logic is numeric, then the received code should be validated as a number.

  3. For more security you can also put a validity period on the confirmation. If the user has not confirmed within that period, then the URL is invalid.
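The signed, expiring link from Solution 2 and the unpredictable, validated, time-limited code from Solution 3 can be combined in one token format. The following is an added illustration, not code from any of the answerers; it uses only the Python standard library, and the secret key, user id and timestamps are constructed example values.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed example secret; a real deployment loads this from configuration
# or a secrets store, never from source code.
SECRET_KEY = b"example-secret-key-loaded-from-config"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(user_id: int, secret: bytes, now: int,
                            ttl_seconds: int = 86400) -> str:
    """Return "payload.signature" for a URL such as /email/{token}.

    The payload carries the user id, an absolute expiry time and a random
    nonce (so two links for the same user never collide); the signature is
    HMAC-SHA256 over the payload, so only the holder of `secret` can mint
    a token that later verifies."""
    nonce = secrets.token_hex(8)
    payload = f"{user_id}:{now + ttl_seconds}:{nonce}".encode("ascii")
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_confirmation_token(token: str, secret: bytes, now: int):
    """Return the user id if the token is well-formed, correctly signed and
    unexpired, otherwise None. The signature is checked (in constant time)
    before any field of the payload is parsed or trusted, so a tampered or
    malformed payload is never used for a database lookup."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        user_id_str, expires_str, _nonce = payload.decode("ascii").split(":")
        user_id, expires_at = int(user_id_str), int(expires_str)
    except ValueError:
        return None
    return user_id if now < expires_at else None
```

The backend then activates the returned user id (and, if it also stores a per-user code as in the question, clears it so the link cannot be replayed).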


Updated on June 04, 2022

Comments

  • Alexey Nikitenko, almost 2 years ago

    In my project I need to send a letter to the user's email with a confirmation link. My solution:

    1. Add a string column "code" and a boolean column "is_active" (with default value false) to the user table.
    2. When a user registers, generate a unique string key and save it to the database. Send a link to the email, for example host.com/user/email/{code}/confirm
    3. Then find the user by the code (generated string value) and set the flag "is_active" to true.
    4. Clear the value of the column "code".

    How do you create a confirmation link for email?