I have a question about security flow of confirmation link.
I have a website on which you have to fill your email address and password after filing these information my app sends an email with a secure link to user email address. After clicking on confirmation email user automatically gets logged inside the application.
Now question :
Is there a security risk to auto login user on clicking of confirmation link ?
Is there and security risk to auto login user on clicking of confirmation link? Yes and no. It depends on what is in the link. What I would do is I would have two field in database activate_code, that is randomly generated and is_activated which is defaulted to 0. Then I will send a link to activation code and another email with activation link. Once at activation link, user will fill code and account will be activated. redirect him to login page.
Do not send user emails or any other information. just send random codes or something similar
That is my cent!
Yes there is a security concern, as Gumbo points out.
Since the user has provided an email & password, why not require he be logged in to access his confirmation page?
Related
I use this Node.js library to register a user via POST /{realm}/users. That's working, but I have an issue with the user activation over an E-Mail. The scenario should be, that the user registers and directly gets an E-Mail with the activation link for his account. But this case is another in Keycloak. First you have to login with the new user once and after that you get the activation link and not right after the registration process. That's too late. So I trigger the API PUT /{realm}/users/{id}/send-verify-email to send the verification link as an E-Mail.
But the E-Mail text and template are another one. It's the same as from PUT /{realm}/users/{id}/execute-actions-email, which is confusing. It is also used for a update of user info etc. which is needed. So adjusting this E-Mail template isn't an option.
Is there a possibility in the Keycloak settings to send the correct E-Mail verification mail right after registering the user? Or can I add new E-Mail templates and assign them to the API?
I'm using the current version of Keycloak: 12.0.2
I am trying to implement the email verification system on Parse-Server (/Heroku), when a user account is created; so that the user can confirm his/her account creation.
Things are working well for those matters:
I can create a working account.
The user receives the verification email that is expected.
The problem is this:
When the user clicks on the link inside the verification email. This is what appears in the browser:
{"error":"unauthorized"}
Has anyone seen a similar issue and knows how to solve it?
I just setup the basic JHipster application and set in the FB client ID and secret. However, when I try to login by not sharing the email - I see that it gets redirected to my app with a success. I can handle the no email exception on application.
Instead , I wanted FB to make sure that my email was a mandatory field. How do I do that?
You can't force Facebook to return an email address for a user. It may also be null on their end (if the user signed up with a phone number). You will have to handle it in your application. This is the same case with Twitter - they simply don't provide the user's email.
Note, even if you request the email permission it is not guaranteed you will get an email address. For example, if someone signed up for Facebook with a phone number instead of an email address, the email field may be empty.
https://developers.facebook.com/docs/facebook-login/permissions/
Like you mentioned, you need to handle it in your application. You could catch the fact the email is null and prompt the user to enter an email.
Our application offers Docusign integration.
Therefore, we allow our users to Login to Docusign.
Everything is fine when the user is already a Docusign user and logs in:
User taps on Login to Docusign
A browser is opened and redirected to Docusign login dialog where he enters his email address
He enters the email address
He enters his password
He is redirected to callback_url
However, when the user needs to register to Docusign, the process becomes like this:
User taps on Login to Docusign
A browser is opened and redirected to Docusign login dialog where he enters his email address
Since he doesnt have an email registered with docusign, he taps on "Register" link
An activation email is sent to his email address.
user clicks on the activation link in the email
User is redirected to his Docusign dashboard
The problem with this registration flow is that on step 6, the user is not being redirected to callback_url.
Therefore, the loop with our application is now broken and user is confused.
Shouldn't Docusign redirect users back to callback_url when activation is completed?
If your application's User Experience (UX) explicitly enables the user to either create an account on DocuSign or to sign in, then you can remove the "Create an account" option from the OAuth window:
In your initial GET to the DocuSign authentication server, include query parameter of
ui_flavors=no_sign_up
This should prevent the "Sign Up" links / options from being shown.
This is not the optimal answer for the question, but it is available now.
I'm developing an web application using Django.
Currently I am working on sending "reset password link" thorough email (amazon simple email service - SES)
The mechanism I used, is the same with the answer of "simeonwillbanks" below link
Secure ways to reset password or to give old password
Give users a reset password option.
This option saves a unique token for a user. The token eventually expires (hours, day or days).
A link is emailed to the user which includes the token.
User clicks on the emailed link.
If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
Once the user sets a new password, delete the token and send the user a confirmation email.
What I worry about this, I am not sure this way is safe in terms of security. What if the email is captured by a hacker?
I tested on several major websites how they care this.
get an "reset password" email and copy the link.
give the link to other and see if he can change password on my account.
From this test, I figured out that somebody else also can change my password only with the link.
If I cannot do anything on the link, is there way to make email more secure?
like as the mechanism of ssl(https) on website?
Thanks!
It's somewhat secure, though is toast if the user's email was compromised.
I prefer using an HMAC in the URL, which avoids storing tokens in the DB.
If you include the user's IP address in the URL, and in the HMAC, you can be sure the reset link click came from the same computer (router actually) that requested the reset, and that it can't be shared.
Instead of the IP, you could set a device cookie with the username/email and an HMAC, and then check this when the reset link comes in from the email.
The system should ask the user the answer to a secret question after he clicks the link. Even better, send an SMS to his mobile with a short random code and ask for that. This is called https://en.wikipedia.org/wiki/Multi-factor_authentication
Then show the change password form (over HTTPS of course).
While we're here, you should display the same "success" message whether or not the user has an account, to avoid user enumeration attacks.
Also, use a localhost MTA relay or asynchronous email so that a hacker can't tell whether you sent an email (a slow response would indicate that a user exists).