validation phrase for email security #688

Open
heyjay44 opened this issue Mar 29, 2023 · 3 comments

Comments

@heyjay44
Contributor

heyjay44 commented Mar 29, 2023

Purpose of this ticket:

  1. give the user a signal they can use to determine whether or not to click the button in the email. This is implemented by: feat: verify legitimate claim↔︎redeem by assigning a random phrase during email validation #432
  2. give us greater assurance that a person is who they say they are (not yet addressed by any PR)
@heyjay44 heyjay44 mentioned this issue Mar 29, 2023
23 tasks
@gobengo
Contributor

gobengo commented Mar 30, 2023

I think for both #1 and #2, we may need to think from a clean slate about what is appropriate for the access/authorize -> access/confirm etc flows, because #432 only modified the (essentially now deprecated) voucher flows.

#1 or #2 may be solved for in different ways, so might also be good to make them two distinct issues and we prioritize one above the other (and so we can discuss one in isolation from the other).

@travis
Member

travis commented Mar 30, 2023

Yep that's true, though from a user perspective not much has changed here - I'd probably need to copy the phrase generation code into the access/authorize handler but it should basically just work from there.

I do think we need to think about these from a clean slate though, especially given the UX changes @Gozala has been advocating for around capability grants - if we're going to have a more complicated UX after the user clicks on the email (in which they can select which capabilities they want to grant) we'll need to think about where this sort of thing fits in that UX.

@travis
Member

travis commented Apr 6, 2023

Worth noting that @Gozala proposed an auth flow that would supersede this: #723
