kasvith / express-mongo-jwt-boilerplate

Express Mongo JsonWebToken boilerplate


Email confirmation after registration

d0peCode opened this issue · comments

I implemented email confirmation feature in my fork but before I create new PR I have question.

What does this code do?

userSchema.method({
  transform () {
    const transformed = {}
    const fields = ['id', 'name', 'email', 'createdAt', 'activationKey', 'role']

    fields.forEach((field) => {
      transformed[field] = this[field]
    })

    return transformed
  },

  passwordMatches (password) {
    return bcrypt.compareSync(password, this.password)
  }
})

I'm sending mail in .post mongoose hook and I don't know if I should add following code to it:

if (!this.isModified('activationKey')) {
  console.log('Not modified.. but what does it mean?')
  return next()
}

Also, a second question: currently I'm sending the email and have a /cofirm endpoint to set active to true, but I'm not checking if the user is active when logging in. What is the most convenient place to check it? In the controller or in the findAndGenerateToken function? Or maybe somewhere else?


While waiting for reply, for now I just added this line

if (!user.active) throw new APIError(`User not activated`, httpStatus.UNAUTHORIZED)

to findAndGenerateToken function.

@kasvith I created new PR, take a look #16

userSchema.method({
  transform () {
    const transformed = {}
    const fields = ['id', 'name', 'email', 'createdAt', 'activationKey', 'role']

    fields.forEach((field) => {
      transformed[field] = this[field]
    })

    return transformed
  },

  passwordMatches (password) {
    return bcrypt.compareSync(password, this.password)
  }
})

This method is dropping unwanted fields from the schema when used elsewhere. For example, to retrieve user information, we don't need his password. You can see this only returns an object w/o a password.

We definitely don't want to send activationKey in response to user. We want them to click mail.

Just remove it from the array and it will not be shown to the user.
Also, I think we should keep activation codes in one mongo collection with the userID, the activation code and also a timestamp.

Then we can add an expiration to email activation codes.

I think we should use invert logic here. Will make a PR for that once your one is merged :)

Then we check for keys that need to be removed from the user model when it is requested from outside.


I'm working on the #12 bug. The solution will have breaking changes. Maybe it's a good idea to wait for it before your new PR.