This is just a general question on how email verification can commonly be carried out in a secure way in web apps (I am targeting Node.js-based frameworks, but I don't want any framework-specific code, just the steps). I can't seem to find any general guides on the best practices for email verification, so asking here 🙂
What I have in mind is the following:

- When a user signs up, create a random token and store it in a DB table along with a field `token_created_at` that tells when the token was created. Then send a verification mail with that token and the user id.
- When the user clicks on the link, the route gets the `token` and the `id`. We can then look up the table to verify the `token` for that `id`. If the time when the route is clicked is already past the `token_created_at` field, we simply say they need to generate a new verification URL. If it matches, the account is verified.
This is what I have in mind. Is this the right approach for email verification?
Thanks in advance ! 🙂