Send meld request #8

Open
Sivli-Embir opened this issue Oct 6, 2014 · 5 comments

@Sivli-Embir

So a thought on security. Rather than just checking if the local email is verified, would it not be better to send a meld accounts request email?

In the email it could say something like:

Someone has requested to add {{serviceName}} account {{name}} 
to the account associated with this email.

Is this your account at {{serviceName}}? 

yes/no

@splendido
Owner

I think it makes sense, but still if the email address is the same and it is verified for both accounts there should be no problems...

Btw, I'm open to whatever proposal that can improve security!

One more thing to consider is that the app owner might want to prevent the creation of many different accounts by the same user (for him not to gain discounts and offers more than once).
This is actually a request I had, which led to the 'askBeforeMeld' configuration flag.

In this case, asking the user whether to meld or not does not fit well I guess...

Thoughts?

@Sivli-Embir
Author

> I think it makes sense, but still if the email address is the same and it is verified for both accounts there should be no problems...

So far I have only seen Google accounts have a verified option, but I guess yes, in that case it's fine. Maybe still send an email, but it only tells the user of the event and does not require action. Just to maintain consistency.

> One more thing to consider is that the app owner might want to prevent the creation of many different accounts by the same user

Oh! Yes, that would be nice. In that case you can still send the meld request. If the user says this is not their account then we could set up some way to mark that account as blocked, optionally of course. But it's worth noting that making more emails/service accounts is very easy and users will still get around this.

@splendido
Owner

...mmm,
I've just read again your first post.

I think now I see what you meant...
Are you referring to the first time a logged in user is trying to add a service to her account?
Like pressing the button Add Foobook?

So there could be no meld action involved...
...but just one more check before adding the service to the user object.

Is this what you meant?

@Sivli-Embir
Author

Again, sorry for the late response.

Yes, that's one of the use cases. But even when it's a meld it should be able to send the user an email that warns them of what's happening and even requires confirmation before the meld.

@splendido
Owner

The confirmation step is already in place.

The best thing would probably be to add another callback so as to let developers send emails to warn the user and ask for confirmation. The confirmation step should also be easy to implement (see this stub package...)

I admit this package deserves more love! ;-)
I have a plan for a migration of all accounts-templates-* packages and this should be migrated too.
Also, I have plans for a better direct integration with the core package.

...still, so many ideas and good interactions with the community (you at first, tnx!), but my spare time is very limited :(

I might try to write things down somewhere, so as to see whether better collaborations could arise.

Tnx, as usual!
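
One way the emailed yes/no confirmation discussed in this thread could be backed on the server, as an added example that is not part of the thread or of the package's own code. The function names, the 30-minute validity window, the in-memory stores and the optional block on a "no" answer are all assumptions made for illustration.

```javascript
// Added example: names, TTL and in-memory stores are assumptions, not the package's API.
const nodeCrypto = require('crypto');

const TTL_MS = 30 * 60 * 1000;   // assumed validity window for the emailed links
const pending = new Map();       // sha256(token) -> request; stand-in for a DB collection
const blocked = new Set();       // "service:id" pairs an account owner rejected

const hashToken = (t) =>
  nodeCrypto.createHash('sha256').update(String(t)).digest('hex');

// Called when a login with serviceName/serviceId would be added to userId.
// Returns the secret to embed in the yes/no links, or null if previously rejected.
function createMeldRequest(userId, serviceName, serviceId, now = Date.now()) {
  if (blocked.has(`${serviceName}:${serviceId}`)) return null;
  const token = nodeCrypto.randomBytes(32).toString('hex');
  // Only the hash is stored, so a leaked table does not yield usable links.
  pending.set(hashToken(token), {
    userId, serviceName, serviceId, expires: now + TTL_MS,
  });
  return token;
}

// Called by the handler behind the yes/no links in the email.
function answerMeldRequest(token, answer,
                           { blockOnReject = false, now = Date.now() } = {}) {
  const key = hashToken(token);
  const req = pending.get(key);
  if (!req) return { status: 'invalid' };      // unknown, or already answered
  pending.delete(key);                         // single use, whatever the answer
  if (now > req.expires) return { status: 'expired' };
  const { userId, serviceName, serviceId } = req;
  if (answer !== 'yes') {
    if (blockOnReject) blocked.add(`${serviceName}:${serviceId}`);
    return { status: 'rejected', userId, serviceName, serviceId };
  }
  // The caller melds only on this result, and only for exactly this pairing.
  return { status: 'confirmed', userId, serviceName, serviceId };
}
```

The token is bound server-side to one user and one service account, so a confirmed link cannot be reused to attach a different account.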
