MILESTONE -- Account Verification

[jeturcotte]

Users who exist and are able to log into and out of accounts have various reasons why they may need to be able to receive email notifications. This milestone invents the capacity to send our users these messages.

• RESEARCH: https://github.com/szabgab/perl6-Email-Send
  • LEARN about sendmail
  • CONSIDER alternatives
• TASK: establish a means of sending email to the email listed in any given account
  • Install a sendmail interface like the one listed about
  • Create a generic in-cro function that will accept an account and message content and will send that combination as an email
• TASK: Create a data storage for temporary single-use tokens that will be used to help new users verify their accounts
  • Part of the point is to PROVE the email they gave us is real AND belongs to them
  • The other part is to put up an annoying barrier in the way of bots clogging our system with fake accounts
  • Create a data store; you can use SQL or you could try using REDIS
  • Add space to store the account identity and a uniquely generated token
• TASK: create a function that will generate a unique token
  • (consider looking up UUID)
• TASK: create a function that uses the email sending function to specifically sent an account verification email
  • Take in an email
  • Take in a user name
  • Take in a token
  • Generate a 'please verify by clicking here' email template (plain text is fine for now) using these details
    • This template should thank them
    • This template should ask them to verify
    • This template should print a link to /verify/$email/$token$
  • Call the generic email sending function
  • Return success or failure, depending
• TASK: Create a /verify/ endpoint
  • Use POST to recieve /verify/$email/$token
  • Look in the data store for the pairing of email and token
  • If they are present, mark the account as verified
    • and return a thank you html page
  • If not present, do nothing but return a thank you page, too
    • This way bots cannot learn who is or is not in our system

[ajbuchholz]

Hey Josh,

We were looking at the Cro documentation today. A couple of minutes ago we learned that Cro has an Authentication Module. What Peter, Francesco, and I want to do is get together this Monday and rewrite the authentication on the server. After that is done, we will move onto email and two-factor authentication. We just want to make sure that we are doing authentication in the best way possible. So expect commits and such based on authentication. We will still be working out of feature/CRO branch, however it will no longer be "crotest" instead it will be called "cro."

[jeturcotte]

Good find, @HermesTheDev ... go for it.

[ajbuchholz]

Good News. The CRO Authentication Module works sessions and cookies are more secure and way easier now. I commited the stuff to CRO/cro directory

[peteryn]

Adrian and I have been trying to get CRO to send an email for verification.
We have tried

• Email::Simple
• MIME
• LibCurl
  Libcurl leaves us needing an smtp server to deliver messages. We could try to set up an smtp server using google's services but we are limited to 2000 messages a day and we don't want to be dependent on google.

We will keep investigating but we will need help setting up our own smtp server Thursday.