The best way to send a re-confirmation email?
scifinder opened this issue · 5 comments
Hello!
I can't think of a better algorithm for actions when confirming an email.
If the user has NOT confirmed his email, but at the same time makes an attempt to log in, he will receive the following exception: `\Delight\Auth\EmailNotVerifiedException`. Here I can display a message about the need to confirm the email. But I can't think of a better way to resend a confirmation email in this case. And if the user entered his address incorrectly during registration and the confirmation letter was sent to a stranger - what should I do? Obviously, the user needs to be given the opportunity to change their email address here, but we can't do that until the email is confirmed, right?
I will be glad of any ideas. Thanks!
A "change" is not necessary at this point. Force the User to register with a valid Email, don't work around it. Unconfirmed Emails expire, so you will not break anything there or make unconfirmed Emails useless forever. Changing the Email only makes sense with confirmed email addresses, not while in the registration process.
@eypsilon, thank you for your reply! But there is one nuance. In my system, registration is carried out by invitation. After registration, the invitation code is marked as used.
- Let's imagine that the user simply did not receive a confirmation email. In this case, after logging in, he will see a message with the need to confirm the email address. In principle, if for some reason he did not receive the letter, I can send him the letter again here. Do I understand correctly that I can use the value of the `$_POST['email']` variable taken from the login form for this? In fact, this was my main initial question.
- Let's say the user made a mistake when entering an email address during registration, and then, when trying to log in, entered the address correctly and, of course, received a message that such an address does not exist. In this case, I need to find out about it somehow and make the invitation code active again. I can't resolve this contradiction for myself yet.
Returning to first question: can I do something like this? (Use `$_POST['email']` in `catch`)
```php
try {
    $auth->login($_POST['email'], $_POST['password']);
    echo 'User is logged in';
}
// ...
catch (\Delight\Auth\EmailNotVerifiedException $e) {
    $url = 'https://my-site.com/re-send-confirmation/' . bin2hex(http_build_query(['email' => $_POST['email']]));
    die('Email not verified. <a href="' . $url . '">Click to resend the confirmation email.</a>');
}
// ...
```
> Do I understand correctly that I can use the value of the `$_POST['email']` variable taken from the login form for this? In fact, this was my main initial question.
Sure. You should at least validate the email, but once validated, you can use it for whatever you need. `$_POST` is a superglobal.
A simple solution for you would be to display the used Email to the User who tries to log in, with an additional note that, in case it's not the correct email, they should re-register with a link you then create that contains the invitation information as GET parameters. It would be much safer than letting anonymous users change already registered emails.
https://example.com/registration?invitation-code=xxx
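The re-send step discussed in this thread, written out as an added example (not part of any reply above and not the PHP-Auth project's own code): the address from the login form is validated first, the confirmation is re-sent server-side from inside the `catch` instead of through a link that carries the address in its URL, and the address is escaped before it is shown back to the user. Assumptions: `$auth` is a configured `\Delight\Auth\Auth` instance, and `loginOrResend()`, `$sendVerificationMail` and the `/verify_email` URL are hypothetical names for your own handler, mailer and route.

```php
<?php
// Added example. loginOrResend(), $sendVerificationMail and the /verify_email
// route are hypothetical; the $auth methods and exceptions are PHP-Auth's.
function loginOrResend(\Delight\Auth\Auth $auth, array $post, callable $sendVerificationMail): string
{
    // Validate before the value is used for anything (lookup, mail, output).
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = $post['password'] ?? '';
    if ($email === false || !is_string($password) || $password === '') {
        return 'Invalid email address or password.';
    }

    try {
        $auth->login($email, $password);
        return 'User is logged in';
    }
    catch (\Delight\Auth\EmailNotVerifiedException $e) {
        try {
            // Re-send to the address that was just typed into the login form.
            $auth->resendConfirmationForEmail($email, function ($selector, $token) use ($email, $sendVerificationMail) {
                $url = 'https://example.com/verify_email?selector=' . urlencode($selector)
                     . '&token=' . urlencode($token);
                $sendVerificationMail($email, $url);
            });
        }
        catch (\Delight\Auth\ConfirmationRequestNotFound $e) {
            // No pending request left (e.g. it expired): nothing to re-send.
        }
        catch (\Delight\Auth\TooManyRequestsException $e) {
            // The library throttles repeated re-sends; do not retry here.
        }
        // Escape before echoing user input back into HTML.
        $shown = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
        return 'Email not verified. If a confirmation is pending for ' . $shown
             . ', it has been sent again. Wrong address? Register again with your invitation.';
    }
    catch (\Delight\Auth\InvalidEmailException | \Delight\Auth\InvalidPasswordException $e) {
        return 'Wrong email address or password.';
    }
    catch (\Delight\Auth\TooManyRequestsException $e) {
        return 'Too many requests. Try again later.';
    }
}
```

The returned string contains only the escaped address, so it can be echoed into the page as-is.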