smtp + email confirmation #285
Conversation
docs/configuration/smtp.md
Outdated
@@ -0,0 +1,67 @@ | |||
# Email Config (smtp) | |||
|
|||
GoToSocial supports sending emails to users via the [Simple Mail Transfer Protocol](https://nl.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) or **smtp**. |
EN wiki link instead?
|
||
Configuring GoToSocial to send emails is **not required** in order to have a properly running instance. Still, it's very useful for doing things like sending confirmation emails and notifications, and handling password reset requests. | ||
|
||
In order to make GoToSocial email sending work, you need an smtp-compatible mail service running somewhere, either as a server on the same machine that GoToSocial is running on, or via an external service like [Mailgun](https://mailgun.com). It may also be possible to use a free personal email address for sending emails, if your email provider supports smtp (check with them--most do), but you might run into trouble sending lots of emails. |
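Review bot: "smtp" is an acronym and should read "SMTP" throughout this section (the heading and both body mentions), and the closing warning "you might run into trouble sending lots of emails" is too vague to act on; say what kind of trouble the reader should expect (for example sending caps or the provider blocking the account) and replace the "--" with a parenthetical: "(check with them; most do)".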
add config option to ratelimit amount of emails sent?
I'll do this in a separate PR later I think. Rate limiting is something we haven't touched yet anywhere, so there's probably a lot of reusable logic we can write for that (write one rate-limiter interface and attach it to everything that needs to be rate limited, for instance).
it might be good to have a user action on the submission link page, otherwise the link can be triggered by wack email clients/antivirus inspecting the link automatically.
also might be better to not minify the html email, so it's at least more readable on plaintext clients
Is this really a thing that happens? I don't think I've seen a 'confirm' link where you have to click confirm, navigating to the link seems to be the most common way of doing it 🤔 My understanding of this pattern was that clicking the link in the email is already the user action. I'm gonna leave this as-is for now, but bear it in mind later if we see weird behavior.
This PR provides email-sending functionality to GoToSocial via smtp, as implemented by `net/smtp`.

The package 'email' has been added, which contains a `Sender` interface for sending emails. Currently, `Sender` is instantiated on app startup, and then passed in to the processor so that functions that need to send emails can use that.

Some templates have been added for emails like 'confirm-this-email-address' and 'reset-your-password', under `web/template`. These are HTML templates, for now, but plaintext emails could also be added later if desired.

This PR also adds functionality for confirming a user's email address. How this works: on account creation, user gets sent an email with a link in it that has a UUID in the query parameter. This UUID is stored in the database as `User.ConfirmationToken`. When the user clicks the link in the email, it sends them to `/confirm_email?token=whatever-uuid-was-generated`. The User entry is altered to reflect that the user has been confirmed, then the user sees a nice little page informing them that their email address has been confirmed.

Any attempts to 'guess' a token by providing random-ass query parameters are met with the standard web 404 page, so as not to give any information away.

If a token is older than 7 days, it won't work anymore and the user will have to request a new one.
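The confirmation flow described in the PR body (token in the query string, 7-day expiry, plain 404 for anything that does not match), as an added example that is not GoToSocial's own code: the `User` struct, the in-memory user list and the `confirmEmail`/`confirmHandler` names are hypothetical stand-ins for the real model and database, and the comparison is done in constant time so that response timing does not help anyone probing tokens.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
	"time"
)

// confirmationTTL is the 7-day validity window described in the PR.
const confirmationTTL = 7 * 24 * time.Hour
// User is a hypothetical, minimal stand-in for the real model: only the confirmation fields are present.
type User struct {
	ID                 string
	ConfirmationToken  string // UUID placed in the emailed link
	ConfirmationSentAt time.Time
	ConfirmedAt        time.Time
}
// errNotFound covers unknown, expired and already-used tokens alike, so the response never says which case it hit.
var errNotFound = errors.New("confirmation token not found")

// confirmEmail validates a token from /confirm_email?token=... against a
// constructed in-memory user list (standing in for the database).
func confirmEmail(users []*User, token string, now time.Time) (*User, error) {
	for _, u := range users {
		// Skip users with no pending token (avoids "" matching "") and compare in constant time.
		if u.ConfirmationToken == "" ||
			subtle.ConstantTimeCompare([]byte(u.ConfirmationToken), []byte(token)) != 1 {
			continue
		}
		if now.Sub(u.ConfirmationSentAt) > confirmationTTL {
			return nil, errNotFound // expired: the user must request a new link
		}
		u.ConfirmedAt = now
		u.ConfirmationToken = "" // single use: clear it so the link cannot be replayed
		return u, nil
	}
	return nil, errNotFound
}
// confirmHandler maps every failure to the plain 404 the PR describes.
func confirmHandler(users []*User) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u, err := confirmEmail(users, r.URL.Query().Get("token"), time.Now())
		if err != nil {
			http.NotFound(w, r)
			return
		}
		w.Write([]byte("email address for " + u.ID + " confirmed\n"))
	}
}
```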