From c289947d4bcef8b33178540f9446a708d7752460 Mon Sep 17 00:00:00 2001 From: Luke Glazebrook Date: Sat, 9 Mar 2024 16:01:30 +0000 Subject: [PATCH] tweak wording in email verification guide --- pages/email-verification.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pages/email-verification.md b/pages/email-verification.md index 2a4779b..88af418 100644 --- a/pages/email-verification.md +++ b/pages/email-verification.md @@ -4,7 +4,7 @@ title: "Email verification" # Email verification -If your application requires user email addresses to be unique, email verification is a must. It discourages users from entering a random email address and, if password reset is implemented, allows users to take back accounts created with their email address. You may event want to block users from accessing your application's content until they verify their email address. +If your application requires user email addresses to be unique, email verification is a must. It discourages users from entering a random email address and, if password reset is implemented, allows users to take back accounts created with their email address. You may even want to block users from accessing your application's content until they verify their email address. ## Table of contents @@ -21,7 +21,7 @@ Emails are complex and cannot be fully validated using Regex. Attempting to use - Includes at least 1 `@` character. - Has at least 1 character before the`@`. -- The domain part includes at least 1 `.` and has at least on character before it. +- The domain part includes at least 1 `.` and has at least 1 character before it. - It does not start or end with a whitespace. - Maximum of 255 characters. 
@@ -33,7 +33,7 @@ Some email providers, including Google, allow users to specify a tag that will b One way to verify email is to send a secret code stored in the server to the user's mailbox. -This approach should be preferred over using links. People are increasingly less likely to click on links, and some filters may block emails with them. Using links also limit what device the users can use to create an account (eg. the user doesn't have to their mailbox on their phone). +This approach should be preferred over using links. People are increasingly less likely to click on links, and some filters may block emails with them. Using links also limits what device the user can use to create an account (eg. the user doesn't have access to their mailbox on their phone). The verification code should be at least 8 digits if the code is numeric, and at least 6 digits if it's alphanumeric. You should avoid using both lowercase and uppercase letters. You may also want to remove numbers and letters that can be misread (0, O, 1, I, etc). It must be generated using a cryptographically-secure random generator. 
@@ -53,13 +53,13 @@ https://example.com/verify-email/ A single token should be tied to a single user and email. This is especially important if you allow users to change their email address after they're sent an email. Tokens should be single-use and be immediately deleted from storage after verification. The token should be valid for at least 15 minutes (anywhere between 1-24 hours is recommended). When a user asks for another verification email, you can resend the previous token instead of generating a new token if that token is still within expiration. -Make sure to set the pages's [Referrer Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) tag to `noreferrer` to protect the token from referer leakage. +Make sure to set the pages's [Referrer Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) tag to `noreferrer` to protect the token from referrer leakage. All sessions should be invalidated when the email is verified. ## Changing emails -The user should be asked for their password, or if [multi-factor authentication](/mfa) is enabled, authenticated with one of their second factors. The new email should be stored separately from the current email until it's verified. For example, the new email could stored with the verification token/code. +The user should be asked for their password, or if [multi-factor authentication](/mfa) is enabled, authenticated with one of their second factors. The new email should be stored separately from the current email until it's verified. For example, the new email could be stored with the verification token/code. A notification should be sent to the previous email address when the user changes their email.
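Review bot: in the @@ -21,7 hunk the unchanged context line "Has at least 1 character before the`@`." is missing the space before the opening backtick, so the inline code is fused to the word "the"; since this patch is already correcting wording in that same list, change it to "Has at least 1 character before the `@`." The last entry in the list, "Maximum of 255 characters.", is also off by one: RFC 5321 as corrected by Erratum 1690 caps a full address at 254 characters, so either change the number here or note it for a follow-up.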
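Review bot: in the @@ -33,7 hunk the rewritten line still uses "eg." where the guide should read "e.g.", and the unchanged context line right after it says "at least 6 digits if it's alphanumeric", which should say "characters", since an alphanumeric code is not made only of digits. Both are the same kind of wording fix this commit is making, so fold them into this patch.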
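Review bot: in the @@ -53,13 hunk the changed line keeps "the pages's [Referrer Policy]", so the "referer" to "referrer" fix leaves a second typo on the same line; change "pages's" to "page's". The context line above it also contradicts itself, "valid for at least 15 minutes (anywhere between 1-24 hours is recommended)": either state a single lower bound or phrase it as a 15-minute minimum with 1-24 hours as the recommended lifetime, so the reader is not left with two different numbers.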