DEV Community

How to verify your users' email addresses | Node.js/Express

Chris on June 24, 2020

When you build an application there is a good chance that you'll want to restrict access to certain parts of it. You'll need to set up a user authe...
 
Germán

Hi Chris! Nice post! I have a question. When you register in the app and do not verify the email, how do you control the case when another user wants to register in the app with the same email that you previously registered but did not verify?

Jose Valera

If the email is "in use" but not verified, the email's user can then recover the password or send another activation code to their email.

ADEOYE ADEFEMI OPEOLUWA

One thing I'll suggest is, once a user posts BioData for account registration, check if the mail exists:

```js
if (mail_exist) {
  if (is_mail_verified) {
    // ask user to confirm identity, by sending verification link to mail
  } else {
    // redirect to login
  }
} else {
  // register user and verify email
}
```

Germán

Thank you! I solved that problem in a way very similar to what you say.

Miguel Z. Nunez

Shouldn't the token expiration date be longer than 10 minutes? Just in case the user does not want to verify their account right away?

Chris

That is, of course, as flexible as you need. At the end, I think the question is, why do you need the code to expire at all. I guess, the shorter the period, the safer the system in general. But it's totally up to you.

Btw I am sorry for the late reply. Somehow I didn't receive any notifications. Cheers

Miguel Z. Nunez

Thanks for your reply. I guess a good reason for the token to expire is just in case the user's email gets hacked. Either by a hacker or a disgruntled boyfriend or girlfriend. If any of those people happen to find the link and the original user has not yet activated their account, they would be able to activate the account for them. However, activating the account alone would not give them the login credentials. I suppose the hackers can choose to reset the password at that point by entering the email address but even if they manage to do that, chances are the account does not contain any sensitive data since the original user never even activated the account. In the end, I suppose you're right. The token does not need to expire since no real harm will come from it even if someone manages to hack their email.
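
Added example, not code from the article or from any commenter: one way to handle the two questions raised in this thread, re-registration with an address that is still unverified and verification-token expiry. The in-memory `Map`, the function names and the record fields are assumptions made for illustration; the 10-minute lifetime is the value mentioned above.

```javascript
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 10 * 60 * 1000; // 10 minutes, the lifetime discussed in this thread
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Issue a fresh random token; only its hash is stored, so a leaked user
// table does not hand out working verification links.
function issueToken(user, now) {
  const token = crypto.randomBytes(32).toString('hex');
  user.tokenHash = sha256(token);
  user.tokenExpires = now + TOKEN_TTL_MS;
  return token;
}

// users: Map(email -> record), a constructed in-memory stand-in for the user collection.
function register(users, email, passwordHash, now = Date.now()) {
  const key = email.trim().toLowerCase();
  const existing = users.get(key);
  if (existing && existing.verified) {
    // Never overwrite a verified account; notify the mailbox owner instead.
    return { action: 'notify_owner', email: key };
  }
  // New or still unverified: credentials and token from an earlier,
  // unconfirmed attempt are discarded together.
  const user = { passwordHash, verified: false };
  users.set(key, user);
  return { action: 'send_verification', email: key, token: issueToken(user, now) };
}

function verify(users, email, token, now = Date.now()) {
  const user = users.get(email.trim().toLowerCase());
  if (!user || user.verified || !user.tokenHash) return false;
  const ok = now <= user.tokenExpires &&
    crypto.timingSafeEqual(user.tokenHash, sha256(String(token)));
  if (ok) {
    user.verified = true;
    user.tokenHash = user.tokenExpires = undefined; // single use
  }
  return ok;
}
```

In an Express handler the caller would return the same HTTP response for both `action` values, so the registration form does not reveal which addresses already have verified accounts.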

Mike

Brilliant solution, implemented it yesterday and it works great, thanks Chris!

Chris

Great that it worked out for you!

Hiroyuki Takahashi

Hi Chris! Thanks for the post!
Btw, what is the point of saving all the codes into a collection instead of adding a new field to the user model?
Is there any need to save the historical verification code?