Send email with token to new user to create account in Laravel - laravel

I have an application where a user (we will call 'original user') can create a 'plan' and then add other users to that 'plan' so they can view the 'plan'. The original user can simply enter the email address of the user they want to add. If that user already exists, the user will be added to the plan and there are no issues.
In the case that the user does not exist, I am having the original user enter the email address and an initial password for that user. I can trigger an email to go to the new user to notify them. The new user is added to the Plan Mapping table so they are attached to that plan.
The vulnerability in my approach is that the original user could start creating accounts for people inappropriately and that the original user has to tell the new user their password or the new user has to hit 'Forgot Password' the first time they log in.
It would be ideal for the original user simply to add an email for the user they want to add to the plan. If the user exists, the user is added to the plan automatically. If the user does not exist, they are added to the Plan Mapping somehow and sent an email with a token to create an account.
I know how to send an Activation email. However, that doesn't work because the password is still created by the original user. I don't know how I could send an email with that user to sign up and then automatically do the Plan Mapping after that user signs up.

1) You could create a user without a password.
2) Then create a signed URL for the new user and send it via email. https://laravel.com/docs/6.x/urls#signed-urls
3) The user will follow the link you have created and will have to enter a new password.
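
The three steps above, sketched as an added example (not code from the original answer and not Laravel's own implementation): a framework-neutral Python model of an expiring, HMAC-signed invite link that records the plan mapping up front and attaches it when the invitee sets a password. The `SECRET` key, the `/invite/accept` path, the `app.example` host and the in-memory `users` / `pending_plan` stores are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qsl, urlencode, urlparse

SECRET = b"constructed-demo-key"  # assumption: stands in for the app's secret key
pending_plan = {}  # email -> plan_id: Plan Mapping rows waiting for signup
users = {}         # email -> {"salt", "pw_hash", "plan_id"}

def _sign(path, params):
    # The MAC covers the path and every query parameter, including the expiry.
    msg = path + "?" + urlencode(sorted(params.items()))
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def invite(email, plan_id, ttl=7 * 86400, now=None):
    """Record the pending plan mapping and return the link to e-mail."""
    now = int(time.time()) if now is None else now
    pending_plan[email] = plan_id
    params = {"email": email, "expires": str(now + ttl)}
    params["signature"] = _sign("/invite/accept", params)
    return "https://app.example/invite/accept?" + urlencode(params)

def accept(url, new_password, now=None):
    """Verify the link, store the invitee's own password, attach the plan."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = dict(parse_qsl(parsed.query))
    sig = params.pop("signature", "")
    expected = _sign(parsed.path, params)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad signature"
    if now > int(params["expires"]):
        return "expired"
    email = params["email"]
    if email in users or email not in pending_plan:
        return "already used"  # a signed URL is replayable unless state says otherwise
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
    users[email] = {"salt": salt, "pw_hash": pw_hash,
                    "plan_id": pending_plan.pop(email)}
    return "ok"
```

The original user never sees or chooses a password, and changing the `email` or `expires` parameter in the link invalidates the signature.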

Related

Spring Boot only OTP login NO password

In a Spring Boot REST application (the front end is Angular), I am looking to implement OTP-based login, without any password.
Every time, a user needs to log in using a mobile number/email, and the OTP is sent to the mobile/email.
The first login is treated as registration and creates a user in the DB; further logins by the same user fetch profile data from the DB.
Similar to
https://www.cowin.gov.in/
Upon registration, get the user's email and create a user entry in your DB.
When the user clicks Login, present them with a screen to enter their email. Upon submitting the email, check if it exists in the backend. If it does, generate an OTP and save it to the user, e.g., if using a SQL DB, save the OTP in a column in the user's row. Send the user an email with the OTP and update the UI to display the input field for the OTP.
When the user enters the OTP, verify that what they entered is what is stored in DB. If they match, fetch profile data. If not, display error message.

What should happen if a user signs up via social login and then tries to register with the same mail?

In my Spring Boot application I'd like to have both social login and signup with user and password.
Let's say the user signs up via Google. After some time, he forgets that he signed in via Google and tries to register using the same email.
What should happen in this case?
Should I save user info (returned by Google) in a "users" table of my database to prevent the same user from registering twice?
Is there an article or something that explains a similar login/registration flow?
You can save all the users (OAuth or signup) in the user table. You can maintain a column by which you will be able to identify whether a user signed in via OAuth or email. Then, if a user tries to sign up via the same email, you can show a message. Or you can design your signup process using multiple steps: at first, the user needs to enter her email address, then you can send her an email where she needs to click some link that has some token in the URL; if she previously logged in using some OAuth provider then she will be automatically logged in, otherwise she needs to set her password.

Best practice to create a user in table and invite them to login

I am working on a Laravel project. I need to be able to create a user, mark that user with a number for their 'plan_id', and then invite them to log in and change their password. Currently, I am creating a user, adding the 'plan_id', and setting the password to a generic term like 'password'. I don't have info like their SSN or DOB that I could set it to initially.
While this does work, I don't know that it follows best practices. The only other thing I can think of is setting up another table that matches up the user's email address to the 'plan_id'. I don't want to do this because it makes it possible that the user accidentally signs up with another email and can't figure out why their portal is not working.
It doesn't sound like a great idea to set all new passwords to "password". It looks like your application is creating users, then letting each user know they have an account, as opposed to the user initiating this process. This would mean that you can't have the user pick a password.
Consider not creating a password at all, but sending an email to each new user containing a link to your system with a unique key that you store in the database user record. The user could then access the system, and it would ask them to pick an email and password to be registered with. You could have the keys expire after a number of days.
The easiest way to do this would be to generate a completely random password for the user and then email them a password reset link. The potential pitfall of this is that password reset links expire, by default after 1 hour though you can change it in config/auth.php.

Oracle APEX email and SMS authentication

I want to create a user screen with two authentications (SMS and email).
The user will receive an email to verify and activate his account first.
After that he sets a password and he will receive an SMS message to verify the password. I want to do this in Oracle APEX. I have tried Custom Authentication but I didn't find it fruitful. Does anyone have a good idea how to achieve this?
After you take care of the email and SMS verification, you should store that data in the database and create a function to use in your custom authentication that verifies if the user is already validated.
Put the function in Shared Components -> Authentication Schemes -> Settings -> Authentication Function Name
(the function must return true or false to allow the login)
I'm not a fan of using SMS for Two-Factor Authentication, but if you must, perhaps this demo implementation for Time-based One-Time Password (TOTP) might give you some ideas: https://github.com/fuzziebrain/orclapex-tfa-demo
I provided some background information here as well: https://fuzziebrain.com/content/id/1718/
Good luck!
I have achieved this in one of my APEX projects but only with the e-mail. For the SMS I use it in another context but you could still do it. You will need an SMTP server (you can run one on your server) and for the SMS you will need an external provider. In your Oracle database, create a table called OTP (one-time password).
This table contains a foreign key to a user. When the user creates an account, run a dynamic action in PL/SQL that will generate a random 6-digit number that will be encrypted in your OTP table. This dynamic action will also send an email to the user with APEX_MAIL. The full documentation for how to use APEX_MAIL is here and it is pretty easy to use. You can send the user the password for authentication through email.
Create a new session user called user_na (not authenticated) and make it so that when he connects, the only page he can see is a page with a text field to enter the password he received through email. After he enters it, encrypt it the same way you did when he created an account and compare the password in the OTP table. If they match, change his account type to user and then he will be able to access every page that you made accessible for the users.
If you also want to send an SMS, I recommend using this tutorial. The SMS provider has a free trial if you want to test. If you have any questions don’t hesitate to ask, I can easily help you with this.
NOTE: if you don’t want to create different session_users you can just add a column in your user table named authenticated. Set it to 0 by default and to 1 when he enters the email password. Then, when he logs in, check if this value is 0 or 1 to know which page you should redirect him to.
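
The OTP flows described in the Spring Boot and Oracle APEX answers above both store a code and compare it on submission. As an added example (not code from either answer), this Python sketch stores only a keyed hash of the 6-digit code and adds an expiry, an attempt limit and single use; `SERVER_KEY`, `OTP_TTL`, `MAX_ATTEMPTS` and the in-memory `otp_table` are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumption: kept outside the database
OTP_TTL = 300       # assumption: codes are valid for 5 minutes
MAX_ATTEMPTS = 5    # assumption: lock the code after 5 wrong guesses
otp_table = {}      # user id -> row; stands in for the OTP table or column

def _mac(user_id, code):
    # Keyed hash: a leaked table alone does not reveal the 6-digit codes,
    # which an unkeyed hash would (only 10**6 candidates to try).
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

def issue_otp(user_id, now):
    """Create a fresh code, replacing any earlier one for this user."""
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
    otp_table[user_id] = {"mac": _mac(user_id, code),
                          "expires": now + OTP_TTL, "attempts": 0}
    return code  # handed to the mail/SMS sender, never stored in clear

def verify_otp(user_id, code, now):
    row = otp_table.get(user_id)
    if row is None:
        return "no code"
    if now > row["expires"] or row["attempts"] >= MAX_ATTEMPTS:
        del otp_table[user_id]
        return "expired or locked"
    row["attempts"] += 1
    if not hmac.compare_digest(row["mac"], _mac(user_id, code)):
        return "wrong"
    del otp_table[user_id]  # single use: a verified code cannot be replayed
    return "ok"
```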

How to Reset Password for User with Unverified (and possibly incorrect) Email on Parse.com?

When a user initially signs up through my app on Parse.com, they supply a username, an email address, and a password.
They verify that email address before they can start using the Parse.com functionalities. So now the user has a valid username, email address and password.
Then, consider this scenario:
1) The user changes his or her email address. 2) The user fails to validate the new email address. 3) The user doesn't use the app for a while. 4) The user forgets his or her password. 5) The user asks to reset the password.
If the user used his or her old email address for the password reset, that address is now gone and the user won't be able to reset the password using that email address.
If the user used the new email address, that address is not verified. Furthermore, it might not have been verified because it could have been typed in wrongly. So the user won't be able to reset the password using that email address.
How is this supposed to have gone down? Is there any way to keep the old email address until the new email address has been verified? That is the only way I can see that this would work.
Have you tried to use the Trigger features from Parse CloudCode?
https://parse.com/docs/cloudcode/guide#cloud-code-aftersave-triggers
Here you can perform code before or after some Object changes. So you can do what you suggested at the bottom of your question: save the old email in another field when the email or emailVerified fields change.
