Monday, 25 January 2021

JWT Email Validation Protocol

I had an idea about the email validation step inside the account creation process of a web application. This is the first time I have built something like this, so I just want to be sure that the protocol is secure.

As I don't really want to store anything in my database for a 'non-verified' user, I had the idea of using a JWT to verify the user's email address. This is my idea:

  1. The user visits the /register endpoint on the website and enters his email (only his email, no username or password for the moment).
  2. I verify the email format using regex on the backend server and check the MX DNS records associated with the domain name.
  3. I create a JWT whose only payload is the email address the user provided. I then send an email to that address containing a link to a new endpoint: /create?token=<generated jwt>. (The token is cryptographically signed, which prevents anyone from forging a registration link bound to an email address of their choosing.)
  4. If this email address belongs to the user, he just clicks the link, and I then know that the address is valid.
  5. The user completes his registration on this new /create endpoint, where he is asked to provide a username and a password.

I think that this method would be more user-friendly, because the user does not have to enter his username and password twice (1: registration, 2: login after clicking the emailed link), and more efficient for my database, as I don't keep track of unverified users at all.
On top of that, the expiration time set on the JWT would be very convenient: I could set it to 24 hours after creation, and the link would become unusable the moment it expires.

I would just need to display the email address on the /create endpoint to ensure that someone has not sent a link bound to his own email address to someone else to register with (which would later give the sender the ability to reset the victim's password). This is easily prevented by displaying a non-editable field containing the email address next to the username and password prompts.
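Steps 3 to 5 above, plus the 24-hour expiry, as an added stdlib-only example (not code from the original post): `mint_registration_token` builds the signed HS256 JWT placed in the /create link, and `verify_registration_token` is what /create runs before showing the non-editable email field. The key, the `purpose` claim (added so the token cannot be accepted where a session or password-reset token is expected) and the sample email address are constructed assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key-replace-with-32-random-bytes"  # constructed sample key
ALG = "HS256"  # the only algorithm the verifier will ever accept

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def mint_registration_token(email: str, secret: bytes, now: int, ttl: int = 24 * 3600) -> str:
    """Step 3: payload is the email only, plus exp (24 h default) and a purpose claim."""
    header = {"alg": ALG, "typ": "JWT"}
    payload = {"email": email, "exp": now + ttl, "purpose": "email-verify"}  # purpose: assumption
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = (_b64url(compact(header)) + "." + _b64url(compact(payload))).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input, secret))

def verify_registration_token(token: str, secret: bytes, now: int):
    """Steps 4/5 on /create: return the verified email, or None on any failure
    (bad format, wrong algorithm, bad signature, wrong purpose, expired)."""
    try:
        h_b64, p_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != ALG:
            return None  # pin the algorithm; never let the token pick it
        expected = _sign(f"{h_b64}.{p_b64}".encode(), secret)
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # constant-time signature check; anything else is a forgery
        payload = json.loads(_b64url_decode(p_b64))
        if not isinstance(payload, dict) or payload.get("purpose") != "email-verify":
            return None
        if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
            return None  # expired link: exactly the 24 h cut-off described above
        return payload["email"] if isinstance(payload.get("email"), str) else None
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or JSON

def registration_link(base_url: str, token: str) -> str:
    """The link emailed in step 3, e.g. https://example.test/create?token=..."""
    return f"{base_url}/create?token={token}"
```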



