Node.js - Send email on registration

1

13

I have a signup form with a single email field. When a user enters their email, I need to send a registration link.

I've seen this Node.js example with a signup form, but it has only a sendWelcome feature.

Are there any examples of Node.js apps that send a registration email?

Scion answered 12/1, 2012 at 16:33 Comment(0)
26

I haven't seen such an example so far, but what is your secondary question? The example you've provided shows pretty well how to send an e-mail. Another option is to use this package:

github.com/andris9/Nodemailer

Which also seems to be well documented on how to send e-mails.

Therefore I assume that you'd like to know how to set up the sign-up system. One way to do this is to have a table for registering users which has e-mail and token columns. E-mail is obvious, token is a randomly generated string (for example with node's crypto.randomBytes method) that will be sent as a part of the link to the user. Upon entering the link, you search the database for this token and if it's found, you proceed with the registration.

Two things to note: when creating the token, make sure that it doesn't exist in the db already. Second: it's a good practice to use a valid_until column to remove tokens older than several hours.

Update:

Unfortunately, node's base64 export is not url-safe. Therefore, this is the easiest method to obtain the secure token I've found:

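var token;
require('crypto').randomBytes(48, function(ex, buf) {
    if (ex) throw ex; // RNG failure: never fall back to a weaker token
    // 48 bytes encode to 64 base64 characters with no '=' padding; swap '/' and '+' for URL-safe ones
    token = buf.toString('base64').replace(/\//g,'_').replace(/\+/g,'-');
});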

Perhaps someone will come up with a better solution.

Tail answered 12/1, 2012 at 22:0 Comment(10)
Thank you for the reply. I saw the node_mailer module. I'm interested in the method of making the token. But I need to see some robust example to see any practice to prevent hacker attacks. Is your formula secure as? - Scion
Well, I guess it's as secure as an e-mail. You cannot verify the user by password since you don't have one yet, so you have to trust that the user who knows a secret token sent by e-mail is the actual e-mail owner. If you want extra protection, you may check the request IP along with time. I don't know about node examples, but I've seen this principle used in rails apps around. - Tail
Thanks. And the last question: How should I generate the token? By using crypto.randomBytes only, or should I glue email + IP + something else? - Scion
There's no necessity for that, as you only need a token that is secret. For this purpose, a random string is enough. You don't need to store nor verify any information with it. - Tail
@HubertOG One quick question - do we need to enforce that the token be unique? If we send a link to say www.example.com/register/username/token and search the database for a row where user.username = username and user.token = token, would that be enough? - Eisteddfod
@Eisteddfod Don't worry about collisions - the entire point of using 48 crypto-random bytes is to make it so that you literally couldn't find a collision if you tried, because the number of possible keys is 8^48 (2.2300745e+43). To put that in perspective, that makes the odds of landing on a specific token one in about three trillion trillion times the number of grains of sand on Earth. If you happen upon the same token, it's not going to be by chance. - Antidisestablishmentarianism
@StuartP.Bentley Ahh, nice. That puts things into perspective. Thanks :) - Eisteddfod
To back up a little, the collision probability isn't quite the same as the keyspace, as you add more documents to your database. See en.wikipedia.org/wiki/Birthday_problem - Antidisestablishmentarianism
Why not just inline the better solution you linked at the bottom? - Prognostic
@HubertOG Apparently node_mailer is deprecated in favour of github.com/andris9/Nodemailer. So, please edit your answer based on new better solutions! - Germinative
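
The table-and-token flow described in the answer above, as an added example that is not the answerer's code: an in-memory Map stands in for the database table, and the function names and the 3-hour lifetime are assumptions. As extra hardening beyond the answer, only a SHA-256 hash of the token is stored, so a leaked table does not yield usable registration links.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 3 * 60 * 60 * 1000; // assumption: "several hours" taken as 3
// Stand-in for the table: tokenHash -> { email, validUntil }
const pending = new Map();

function hashToken(token) {
  return crypto.createHash('sha256').update(token).digest('hex');
}

// Create a token for an e-mail address and record it.
// Returns the raw token, which goes only into the e-mailed link.
function issueToken(email, now = Date.now()) {
  // 48 random bytes as in the answer; 'base64url' (Node 15.7+) is URL-safe
  // without the manual replace() calls.
  const token = crypto.randomBytes(48).toString('base64url');
  pending.set(hashToken(token), { email, validUntil: now + TOKEN_TTL_MS });
  return token;
}

// Check the token taken from the clicked link.
// Returns the e-mail address to continue registration with, or null.
function redeemToken(token, now = Date.now()) {
  // Reject anything that is not 64 URL-safe base64 characters before the lookup.
  if (typeof token !== 'string' || !/^[A-Za-z0-9_-]{64}$/.test(token)) return null;
  const key = hashToken(token);
  const row = pending.get(key);
  if (!row) return null;
  pending.delete(key); // single use; an expired row is dropped here too
  return now <= row.validUntil ? row.email : null;
}

// Periodic cleanup driven by the valid_until value; returns rows removed.
function purgeExpired(now = Date.now()) {
  let removed = 0;
  for (const [key, row] of pending) {
    if (row.validUntil < now) { pending.delete(key); removed++; }
  }
  return removed;
}
```

With a real database, the hash column would carry a unique index and the delete in redeemToken would run in the same transaction as the lookup.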