@amitmbee
Created June 18, 2020 13:04
Stateless Email Verification

---
layout: post
title: Stateless Email Verification
date: 2014-04-18 03:20:50 -0700
categories: security stateless
---

My preference has always been the stateless approach, but the approach mentioned needs a bit more work. You want the link to expire after some time, so when you generate the signature, you include a timestamp in the signed data as well.

Stateless email verification should look something like this:

  1. Make a JSON object: `{"email": "[email protected]", "timestamp": "1395139162"}`
  2. Base64-encode the JSON object with a URL-safe encoder. Call the resulting string the "payload".
  3. Compute a signature, which is SHA1(payload + secret key). MD5 is also fine for this purpose.
  4. Generate a link, `https://example.com/verify_email?payload=<payload>&signature=<signature>`, and email it to the user.
  5. When the user clicks the link, extract the payload and verify the signature. If the signature doesn't match, raise hell (reject the request).
  6. Extract the timestamp and verify that it hasn't expired.
  7. Finally, confirm the email. Optionally, record in the database when the email was confirmed.
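The seven steps above, carried through end to end as an added example that is not part of the original post. It makes one substitution a practitioner would want today: the signature is HMAC-SHA256 over the payload rather than SHA1(payload + secret), because HMAC is the standard keyed-hash construction and SHA1 and MD5 are no longer recommended for new designs. It also canonicalises the JSON so the signature is reproducible, compares signatures in constant time, and refuses to decode the payload until the signature has passed. The secret, the 24-hour lifetime and the `verify_email` URL are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side secret; in a real deployment load it from a secrets store.
SECRET_KEY = b"replace-me-with-a-random-256-bit-secret"
# Assumed policy: links expire one day after they are issued.
TOKEN_TTL_SECONDS = 24 * 60 * 60
# Assumed endpoint, matching step 4 of the post.
VERIFY_URL = "https://example.com/verify_email"


def _b64url_encode(raw: bytes) -> str:
    # URL-safe alphabet, padding stripped so the value needs no percent-encoding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding we stripped; raises binascii.Error (a ValueError) on garbage.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str, secret: bytes) -> str:
    # HMAC-SHA256 in place of the post's SHA1(payload + secret key).
    return hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()


def make_verification_link(email: str, *, secret: bytes = SECRET_KEY,
                           now: Optional[int] = None, base_url: str = VERIFY_URL) -> str:
    """Steps 1-4: build the JSON object, encode it, sign it and return the link to e-mail."""
    issued_at = int(time.time()) if now is None else now
    # sort_keys and compact separators make the JSON canonical, so the same
    # (email, timestamp) pair always produces the same payload and signature.
    document = json.dumps({"email": email, "timestamp": str(issued_at)},
                          sort_keys=True, separators=(",", ":"))
    payload = _b64url_encode(document.encode("utf-8"))
    signature = _sign(payload, secret)
    return f"{base_url}?{urlencode({'payload': payload, 'signature': signature})}"


def verify_link(url: str, *, secret: bytes = SECRET_KEY, now: Optional[int] = None,
                ttl: int = TOKEN_TTL_SECONDS) -> Tuple[bool, str]:
    """Steps 5-6: check the signature first, then the timestamp.

    Returns (True, email) on success or (False, reason) on failure.
    """
    params = parse_qs(urlparse(url).query)
    payload = params.get("payload", [""])[0]
    signature = params.get("signature", [""])[0]
    if not payload or not signature:
        return False, "missing payload or signature"
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(_sign(payload, secret), signature):
        return False, "signature mismatch"
    # Only a correctly signed payload is decoded; malformed input must still not crash.
    try:
        document = json.loads(_b64url_decode(payload).decode("utf-8"))
        email = document["email"]
        issued_at = int(document["timestamp"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed payload"
    current = int(time.time()) if now is None else now
    if current - issued_at > ttl:
        return False, "link expired"
    return True, email


if __name__ == "__main__":
    # Constructed sample run using the timestamp from the post.
    link = make_verification_link("[email protected]", now=1395139162)
    print(link)
    print(verify_link(link, now=1395139162 + 60))                        # (True, '[email protected]')
    print(verify_link(link, now=1395139162 + TOKEN_TTL_SECONDS + 1))     # (False, 'link expired')
    print(verify_link(link.replace("signature=", "signature=0"), now=1395139162))  # (False, 'signature mismatch')
```

Step 7 is the caller's job once `verify_link` returns `(True, email)`. Because nothing is stored server-side, a valid link stays valid until its timestamp expires, so the optional database record from step 7 is also what lets the handler refuse a link that has already been used.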