Email Authentication in ERPNext - erp

Right now, when a user signs up, an email is instantly sent to the user's ID.
However, I want to first verify the user credentials before sending out the email.
What process can I use to achieve this task?

There is no such setting out of the box to stop the email verification.
The email sent is for email verification; the user will not have any roles unless you assign them. You can then disable the user if you don't want the user to sign up.

Related

Implementing username reset rails 5

I have a Rails app and I have implemented devise, password resets etc. that are built into devise.
I have a username field; however, I now need to allow the user to reset this too from the login page, following the same flow as the way devise does password resets (recoverable).
I have a forgot page where the user can select whether they have forgotten their password or username. The password flow is built into devise; however, I'm unsure how to go about doing the username reset.
I have the views, but I need help with the backend. The flow I need is: the user clicks that they have forgotten their username, they enter their email, they get sent a username reset email with a link containing a generated token, and clicking that link should send them to a page where they can reset their username.
Some images for reference
Any help here would be great.
#debugabug I think it can be an API call when the user clicks on forgot username or forgot password. Having code common for both is better than duplicating it.
The API call is a POST call with the email address in the case of 'forgot username' or the username in the case of 'forgot password'. Based on the incoming parameter, the backend can decide the next workflow.

How do I resend invitation to a user using devise invitable?

I have the devise invitable gem hooked up in my app as well as devise.
Everything is working fine. When I create a new user, they are saved in the database and the mailer sends an email to the email address. The user clicks on the email, sets a password and then is logged in.
But sometimes these users lose their email or rather can't find it in their inbox. I'd like to have a resend invite button on the users index page.
When the user clicks resend, I want the invited user to get another email sent to them.
Has anyone successfully accomplished this with devise invitable? If so, can you share how?
The gem adds a resend_invitation configuration parameter on your invitable-enabled model. From the docs:
resend_invitation: resend invitation if user with invited status is invited again. Enabled by default.
So, calling .invite! again on a record that's marked as invited will do the trick for you.

Using One Time Password as main authentication

I need to implement the equivalent of a one-time password, meaning that I need this flow:
The user enters a contact address (phone number, email, ...).
The server generates a short password and sends it to the user through mail/SMS/pidgin.
The user reads the message and copy-pastes the code into the app.
The server authorizes the credential and approves the login (creates a session / returns a token to the user).
I do not want the user to type/update/reset any other password; once the one-time password has been entered, he is logged in.
I am looking at OTP for this, but all I can find for OTP is its use as MFA in combination with the user's actual password.
Is there a name for such a login flow? Any literature about it?
Thank you
Such a flow is usually called a "magic link".
https://auth0.com/docs/connections/passwordless/guides/email-magic-link
https://docs.magic.link/welcome
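The username-reset flow asked about above (enter an email, receive a link carrying a generated token, change the username on the linked page) and the passwordless login the answer calls a magic link are the same server-side mechanism: mint a random secret, keep only its digest, deliver the secret out of band, and accept it once before it expires. One added example therefore covers both. It is example code written for this page, not Devise's, Auth0's, Magic's or any poster's code; it is Ruby with an in-memory hash standing in for a database table, and the class name, method names, TTL, attempt limit and the example URL are all assumptions.

```ruby
require 'securerandom'
require 'digest'

# Added example, not Devise's or any poster's code. One store serves both
# flows discussed above: the "forgot username" link with a generated token,
# and passwordless (magic link / emailed or texted code) login.
class OneTimeSecrets
  DEFAULT_TTL  = 15 * 60   # seconds a secret stays valid (assumed value)
  MAX_ATTEMPTS = 5         # guesses tolerated for a short numeric code

  Record = Struct.new(:digest, :purpose, :subject, :expires_at, :attempts)

  # The clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @records = {}  # keyed by [purpose, subject]; a real app uses a table
    @clock = clock
  end

  # 256-bit URL-safe token for links (username reset, magic link). Its
  # entropy alone defeats guessing, so no attempt counter is needed.
  def issue_link_token(purpose:, subject:, ttl: DEFAULT_TTL)
    token = SecureRandom.urlsafe_base64(32)
    store(token, purpose, subject, ttl)
    token
  end

  # Short numeric code typed from SMS/email. A 6-digit code is guessable
  # online and trivially brute-forced offline from its digest, so it must be
  # short-lived, single-use and attempt-limited, and is only ever redeemed
  # together with the subject (email/phone) it was issued for.
  def issue_code(purpose:, subject:, ttl: DEFAULT_TTL, digits: 6)
    code = SecureRandom.random_number(10**digits).to_s.rjust(digits, '0')
    store(code, purpose, subject, ttl)
    code
  end

  # Returns the subject the secret was issued for, or nil. A successful
  # redeem consumes the record; too many wrong guesses discard it.
  def redeem(secret, purpose:, subject: nil)
    candidates = if subject
                   [@records[[purpose, subject]]].compact
                 else
                   @records.values.select { |r| r.purpose == purpose }
                 end
    record = candidates.find { |r| secure_equal(r.digest, digest_of(secret)) }

    if record.nil?
      # For a typed code the subject is known, so a wrong guess counts.
      if subject && (pending = @records[[purpose, subject]])
        pending.attempts += 1
        @records.delete([purpose, subject]) if pending.attempts >= MAX_ATTEMPTS
      end
      return nil
    end

    @records.delete([record.purpose, record.subject])   # single use
    return nil if @clock.call > record.expires_at        # expired
    record.subject
  end

  private

  def store(secret, purpose, subject, ttl)
    @records[[purpose, subject]] =
      Record.new(digest_of(secret), purpose, subject, @clock.call + ttl, 0)
  end

  def digest_of(secret)
    Digest::SHA256.hexdigest(secret.to_s)
  end

  # Constant-time comparison so the lookup does not leak a matching prefix.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = OneTimeSecrets.new
  # Forgot-username flow: the mailed link carries the token; redeeming it
  # tells the reset page which account's username may be changed.
  token = store.issue_link_token(purpose: :username_reset, subject: 'alice@example.com')
  puts "https://app.example/username/reset?token=#{token}"   # hypothetical URL
  p store.redeem(token, purpose: :username_reset)   # "alice@example.com"
  p store.redeem(token, purpose: :username_reset)   # nil: already used

  # Passwordless login: the user submits their email plus the code they received.
  code = store.issue_code(purpose: :login, subject: 'bob@example.com')
  p store.redeem(code, purpose: :login, subject: 'bob@example.com')  # "bob@example.com"
end
```

The `purpose` keeps a login code from being accepted as a username-reset token and vice versa, and the lookup for link tokens scans every record of that purpose; a production store would index on a selector column instead, but the digest-only storage and single-use semantics are the part that matters for either flow.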

Rails: Sign in Users with just an email using Devise

Here is my situation. I am letting users sign up on a landing page so that when the page is launched we can contact them. They are just entering their email.
What I am looking for is to automatically sign the user in after he signs up, because I want to be able to know if the just-signed-up user clicks on a button that is shown right away after his sign up is finished.
How could I make it so that I know the email of the user who signed up? Where should I store this so that with a JavaScript listener I am able to listen for a click and send that email back to the server?
Thanks

How to allow other users to register with an email already taken but not confirmed?

I'm developing an application that requires authentication with devise/rails, and it was decided to allow users to sign in without email confirmation. However, after some deep thinking this odd workflow came to mind:
What if someone registers with my email, starts using it and later I decide to join the app with my stolen email? The guy did not confirm, but should I keep his account, block it or remove it?
(side note: email must be unique)
As the designer of the application, you are in control. You can handle that situation how you would like.
I'm not sure how Facebook deals with 'unconfirmed' account creations. I would imagine that they allow whoever registered to check their e-mail and click the confirmation link within a certain amount of time, after which that e-mail becomes available for use by other users. This makes sense to me, as this would prevent people from spamming the site and effectively 'e-mail blocking' legitimate users from registering. If you forever allow unconfirmed accounts to sit and 'use up' e-mails, you could run into the following situation:
A malicious user creates thousands of 'fake' account registration attempts with bogus e-mails. These e-mails sit and wait forever to be confirmed, but never will be because they don't exist (yet), acting as 'in-use' e-mails. Some time later, a legit user happens to create an e-mail account with GMail or whoever that happens to match one of the 'bogus' e-mails submitted by the malicious user earlier. This legit user is then unable to register his or her e-mail with your service because the malicious user has 'e-mail blocked' this address.
My personal opinion is to give the registrant a certain amount of time to confirm their address as legitimate, and if they never confirm within that time frame, just discard the account creation attempt.
I have a very similar problem, and the solution I've arrived at (not implemented yet) is to make the user choose the email he wants if there is no other confirmed user with that e-mail.
Once registered, the user will be unconfirmed/inactive and will receive a confirmation e-mail; when he follows the link it will confirm his e-mail and others can't use it anymore.
Most of these sites require you to verify your email by sending you an email link. Only afterwards can you create an account. This handily sidesteps the problem of someone trying to steal someone else's email: unless they can log into your email account, they simply cannot.
Do you have a 'resend confirmation email' action (you should) or a 'password forgotten' action (you should)? With both I could reclaim the account with my email address, as only I have access to my emails.
Also think about the case of the user who creates an account, forgets about it and creates another account with the same email address.
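The answers above converge on one policy: an unconfirmed signup reserves an address only for a confirmation window, after which the attempt is discarded and the address is free again; a confirmed address is permanent; and because only the mailbox owner can complete confirmation, a 'resend confirmation' action lets the real owner take the account. The following is an added example of that policy written for this page (not Devise's or any poster's code), in Ruby with an in-memory hash standing in for the users table. The 24-hour window, the class and method names, the `mailer:` callback and the email normalization (trim and lowercase) are assumptions.

```ruby
require 'securerandom'

# Added example, not Devise's or any poster's code: time-limited holds on
# unconfirmed addresses, permanent ownership once confirmed.
class Registrations
  CONFIRM_WINDOW = 24 * 60 * 60  # seconds an unconfirmed signup holds an email (assumed)

  Account = Struct.new(:email, :created_at, :confirmed_at, :confirm_token)

  # clock is injectable for testing; mailer receives (email, token) and is
  # where the real confirmation mail would be sent.
  def initialize(clock: -> { Time.now },
                 mailer: ->(email, token) { puts "mail to #{email}: confirm with #{token}" })
    @accounts = {}  # normalized email => Account (a table in a real app)
    @clock = clock
    @mailer = mailer
  end

  # :created - address was free, or its stale unconfirmed claim was discarded
  # :taken   - a confirmed account owns the address; registration refused
  # :pending - another unconfirmed claim is still inside its window
  def register(email)
    key = normalize(email)
    if (existing = @accounts[key])
      return :taken if existing.confirmed_at
      return :pending unless stale?(existing)
      @accounts.delete(key)  # window elapsed without confirmation: discard it
    end
    token = new_token
    @accounts[key] = Account.new(key, @clock.call, nil, token)
    @mailer.call(key, token)
    :created
  end

  # Presents the token from the confirmation mail. Only whoever reads the
  # mailbox can do this, which is what makes the address theirs. A real app
  # should let the confirmer (re)set the credentials at this step so that a
  # password an impostor chose at signup does not survive a reclaim.
  def confirm(email, token)
    acct = @accounts[normalize(email)]
    return false unless acct && acct.confirmed_at.nil? && !stale?(acct)
    return false unless secure_equal(acct.confirm_token, token)
    acct.confirmed_at = @clock.call
    true
  end

  # The 'resend confirmation' action: rotates the token for a live pending
  # claim and mails it. Rotation invalidates any earlier, unread token.
  def resend_confirmation(email)
    key = normalize(email)
    acct = @accounts[key]
    return false unless acct && acct.confirmed_at.nil? && !stale?(acct)
    acct.confirm_token = new_token
    @mailer.call(key, acct.confirm_token)
    true
  end

  # :free, :pending or :confirmed, with a stale claim reported as :free.
  def status(email)
    acct = @accounts[normalize(email)]
    return :free if acct.nil? || (acct.confirmed_at.nil? && stale?(acct))
    acct.confirmed_at ? :confirmed : :pending
  end

  private

  def normalize(email)
    email.to_s.strip.downcase
  end

  def stale?(acct)
    @clock.call - acct.created_at > CONFIRM_WINDOW
  end

  def new_token
    SecureRandom.urlsafe_base64(32)
  end

  # Constant-time comparison of the presented token against the stored one.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  reg = Registrations.new
  p reg.register('Victim@Example.com')       # :created  (someone claims the address)
  p reg.register('victim@example.com')       # :pending  (real owner arrives inside the window)
  p reg.resend_confirmation('victim@example.com')  # true; only the mailbox owner can use it
end
```

The uniqueness constraint the question insists on still holds: at any moment there is at most one row per normalized address. What changes is that an unconfirmed row stops counting once its window lapses, so the 'e-mail blocking' scenario described above cannot outlive the window.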
