Email verification theory – Looking for general guides

This is just a general question on how email verification can commonly be carried out in a secure way in web apps (I am targeting nodejs based frameworks, but I don’t want any framework specific code, just the steps). I can’t seem to find any general guides on the best practices for email verification, so I am asking here 🙂

What I have in mind is the following

  1. When a user signs up, create a random token and store it in a DB table along with a field token_created_at that tells when the token is created. Then send a verification mail with that token and the user id.

  2. When the user clicks on the link, the route gets the token and the id. We can then look up the table to verify the token for that id. If the time when the route is clicked is already past the token_created_at field, we simply say they need to generate a new verification URL. If it matches, the account is verified.

This is what I have in mind. Is this the right approach for email verification?

Thanks in advance! 🙂