Verify Email middleware #13
Conversation
|
Looks good on general, minir nits above. From the bird perspective, I lack some understanding why cookie mahic is done in middleware and also in the unikernel. Maybe we need to draw some diagrams on what a http request should have for validation? I'm still a big fan of e.g. webmachine diagram https://raw.githubusercontent.com/wiki/webmachine/webmachine/images/http-headers-status-v3.png (also there's http://github.com/inhabitedtype/ocaml-webmachine/ but rather dated an stuck with cohttp) -- so let's have a simple version thereof for mollymawk :) for functions with only a single argument, I'd not use labels. Usually I use them if I pass two arguments of the same type, or if I pass boolean values. |
Thank you for the review and this diagram. It is really helpful. I will at some point create a dedicated error page that we can call to handle all the different types of errors, and also be sure to include the appropriate status codes. |
| ]; | ||
| ]; | ||
| Footer_layout.footer; | ||
| Tyxml.Html.Unsafe.data ""; |
There was a problem hiding this comment.
I don't quite understand, why do we have a Unsafe.data "" here? What is its purpose?
There was a problem hiding this comment.
This will be corrected with a function to call our backend when the user wants to resend a verification email, in case the one they received already expired. :)
utils.ml
Outdated
| Sendmail.mechanism = PLAIN; | ||
| username = config_data.username; | ||
| password = config_data.password; | ||
| } |
There was a problem hiding this comment.
this should be part of the configuration -- either passed via command line arguments or stored in the persistent storage...
utils.ml
Outdated
| let generate_verification_link uuid timestamp = | ||
| let signature = generate_signature uuid timestamp in | ||
| let encoded_uuid = Base64.encode_string uuid in | ||
| "/auth/verify/token=" ^ encoded_uuid ^ "/" ^ signature |
There was a problem hiding this comment.
the issue with this is: consider we know the user uuid (passed in here) -- and I'm at the moment not sure whether it is exposed (accidentally or as part of an API), we can do the entire token computation.
this means that a person who want to verify an email address they don't have access to, can do so - without receiving the email.
store email verification uuid in user model, use a random uuid
This PR adds a new middleware for checking if a user's email has been verified.
There's also addition of smaller utility function such as checking if the cookie in the header is valid and hasn't expired.