Email address validation on mail servers - web-services

How do I check whether an email address exists at signup time, not in my database but on the mail servers? For example, when I enter an email ID in a signup form, how do I check that the ID exists and is not fake?

This service allows you to check up to 20 email addresses per day for free, or you can purchase their premium plan: https://tools.verifyemailaddress.io/
Their site also provides a link that explains the "mailbox pinging" functionality which makes this possible, along with some limitations.
You can precede this with a simple check for a valid email address format. A quick online search will provide you with many code snippets that can do this.

Flask + Stripe - how can I prevent people from accessing my successful checkout page without making a payment?

Basically I understand how to integrate Stripe payment into Flask, I'm using the official website (https://stripe.com/docs/payments/accept-a-payment?integration=elements) as a guide. In the guide the user is taken to a success page after the payment is successful. What I want to do upon a successful payment is collect the user's email, create a randomized password, and then email that password to the user. I've learned how to grab information from the session id using this page (https://stripe.com/docs/payments/checkout/custom-success-page). What I'm concerned about is that a user might go to the success page, get an account, and bypass the required payment.
My idea to solve that is to get the session info using this line:
session = stripe.checkout.Session.retrieve(request.args.get('session_id'))
and then before doing anything else check if it's none. If it's none, it will display an error page, if it is not none then it will create an account for the user. Would that work? Or would people just be able to change the session_id in the url until they find a number that is a valid session?
If that doesn't work, all I really want to do is upon successful payment create an account for the user using their email and a randomized password. How do I do that?
You're on the right track. Generally the flow is:
1. Customer is redirected to Checkout
2. Customer pays
3. Checkout redirects customer back to your success_url
4. You fetch the Checkout Session using the ID in the URL to confirm a valid payment
For #4 you can do various things to make sure people can't guess a Checkout Session ID (which would be unlikely due to their length and complexity). I suggest checking to see if the successful payment happened within a certain timeframe, like the past hour or past day, for example.
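The server-side check from step 4 as an added example, not code from the question, the answer or Stripe: it runs on the dict that stripe.checkout.Session.retrieve() returns (id, payment_status, created and customer_details.email are real Checkout Session fields) and assumes a hypothetical store of already-consumed session IDs.

```python
import time

MAX_AGE_SECONDS = 60 * 60   # "within the past hour", as the answer suggests


def validate_checkout_session(session, consumed_ids, now=None):
    """Return (ok, reason) for a Checkout Session dict. `consumed_ids` is a
    set of session IDs that already produced an account (a hypothetical
    stand-in for a database column), so one paid session cannot be replayed
    by reloading the success URL."""
    now = time.time() if now is None else now
    # stripe-python raises stripe.error.InvalidRequestError for an unknown ID
    # rather than returning None; catch that in the view and pass None here.
    if not session or not str(session.get("id", "")).startswith("cs_"):
        return False, "no such session"        # guessed or malformed session_id
    if session.get("payment_status") != "paid":
        return False, "session not paid"       # abandoned or still-pending checkout
    if now - session.get("created", 0) > MAX_AGE_SECONDS:
        return False, "session too old"        # stale success link
    if session["id"] in consumed_ids:
        return False, "session already used"   # success page opened twice
    return True, "ok"


def provision_account(session, consumed_ids, now=None):
    """Mark the session consumed and return the payer's email to create the
    account with (random password and welcome mail go here); None if refused."""
    ok, _reason = validate_checkout_session(session, consumed_ids, now)
    if not ok:
        return None
    consumed_ids.add(session["id"])
    return session["customer_details"]["email"]


# Constructed sample shaped like a retrieved Checkout Session.
SAMPLE_SESSION = {
    "id": "cs_test_CONSTRUCTED0001",
    "payment_status": "paid",
    "created": 1_700_000_000,
    "customer_details": {"email": "buyer@example.com"},
}
```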

OpenCart 3.0 (3.x) + Authorize.net - how to disable ONLY the Authorize.net E-mail?

We currently accept credit cards by phone (entering the order info into the Virtual Terminal) as well as on the website (OpenCart, using the built-in Authorize.net AIM module).
Problem: when order is placed on website, the customer receives 2 E-mails - 1 from our site, 1 from Authorize. The Authorize E-mail, being plaintext, looks ugly AF, and my boss wants to have it disabled.
Attempt # 1: looked in the Authorize.net AIM plugin/module settings. No such option.
Attempt # 2: in the Authorize.net account, under "Settings -> E-mail Receipt", there is a checkbox "Email transaction receipt to customer (if email address is provided)".
Result #2: unfortunately, this disables ALL transaction E-mails - from website transactions (OK) and from Virtual Terminal phone-order transactions (NOT cool). We have to provide an E-mail receipt to phone customers.
Attempt #3: in the OpenCart system, editing file:
catalog/controller/extension/payment/authorizenet_aim.php
to comment out the line
$data['x_email'] = $order_info['email'];
Result #3: during checkout, even if a valid E-mail is entered, upon trying to submit the order, the "Email address is required" error message appears.
So...
Can't disable it in Authorize plugin/module in OpenCart.
Can't disable it in Authorize Account Settings.
Can't just delete the E-mail from the array of data that OpenCart collects during checkout.
How can I disable the Authorize.net E-mail (and ONLY the Authorize.net E-mail, I still want the website receipt to go out) on a site built on OpenCart 3.0?
Found the solution (via Authorize.net Developers Forum). Simpler than I expected:
Open file: public_html/catalog/controller/extension/payment/authorizenet_aim.php
Find line: $data['x_relay_response'] = 'false';
Add after: $data['x_email_customer'] = 'false';
This allows the checkout process to complete without errors, and sends the transaction to Authorize.net along with the instruction to not E-mail the customer.
This isn't a great solution, but could you change the email address that gets sent to Authorize.net to the store admin email? In that case it won't give you the "Email address is required" error message, and you'll get that email instead of the customer.
In attempt number 3, can you confirm whether OpenCart gives the error about the email being required or if Authorize.Net gives that error? If Authorize.Net provides the error it may be reconciled by adjusting the payment form settings in Authorize.Net:
1. Sign into Authorize.Net
2. Account > Payment Form > Form Fields
3. Make sure the email field isn’t checked as required.
4. Save your changes at the bottom of the page

AWS Cognito Workflow: Using email alias for primary username

So I am trying to get my head around AWS Cognito but I have hit some walls.
So, right now I can register an account, and verify it and sign in. Simple enough. The edge cases are where my walls are.
Here's the info I have so far:
usernames cannot be changed once created
I am using UUIDs as my username values
email is marked as an alias, which in Cognito terms means I can use it to sign in with in addition to username.
if email is chosen as an alias, per the docs, the same value cannot be used as the username (http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases):
If email is selected as an alias, a username cannot match a valid email format. Similarly, if phone number is selected as an alias, a username that matches a valid phone number pattern will not be accepted by the service for that user pool.
The email address can ONLY be used to sign in once the account has been verified (http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases)
Phone numbers and email addresses only become active aliases for a user after the phone numbers and email addresses have been verified. We therefore recommend that you choose automatic verification of email addresses and phone numbers if you choose to use them as aliases.
Herein lies my edge case.
If a user signs up, but does NOT immediately verify:
they get called away
maybe the app crashes
they lose connectivity
their battery dies
they force quit
app gets accidentally deleted.
In their mind they have signed up just not verified their account. At this point it effectively leaves no way to verify their account they thought they signed up for. I guess it could be solved with messaging:
"Warning your account will not be created until you verify your email address." or something along those lines. Anyway...
They can't attempt to sign in as they won't know the UUID that was randomly assigned as their username.
Even if that wasn't the case, they provided their email address as their username. From the user's POV they would have no idea what their username could even be since they only entered their email address.
The best they could hope for is to try to sign up again. (Assuming they read the verification warning above) In this case now Cognito potentially has abandoned unconfirmed accounts piling up.
"Piling up" may be too strong a phrase, this is likely a pretty fringe case.
Now the plus side is, since they have not "verified" their email, they can sign up again with the same email address, since the email doesn't get uniquely constrained until it's verified. If someone tries to verify an address that has already been verified they get an AliasExistsException. This actually brings up an interesting point which I just tested as well.
I can register with an email address, then verify that email address so the account becomes confirmed. I can then turn right around and sign up with the same email address and I don't get an official AWS error until I try to go verify that account with the duplicate email address. Isn't there any way to surface this error earlier? I guess the expectation is that it's on the developer to write a verification service in the Pre-Signup Trigger:
This trigger is invoked when a user submits their information to sign up, allowing you to perform custom validation to accept or deny the sign up request.
To sum up, and to restate the question:
It seems to be required, practically speaking, that when using an email address with Cognito a Pre-Signup Lambda is required to ensure an account with an email doesn't already exist since the AWS Exception won't be handled until a verification attempt is made.
Is my assumption here correct? By required here I think it's pretty reasonable to let a user know an email address is not available as soon as possible. For example:
John Doe : jdoe@gmail.com
Jane Doe : jdoe@gmail.com
You are correct.
Another solution is to create a lambda (not triggered by preSignUp) that is called whenever the user finishes typing into the email field, and that returns "This email is already used" or "This email is available" before the sign-up event is even sent.
Referring to the first part of your question: if the user does not immediately verify their email, you probably mean confirmation by code. I prefer using confirmation by a link sent to the email, which avoids this problem.
Knowing that this is an old question, here's a solution for posterity... I am using generated UUIDs for usernames, just like you, undisclosed to the user.
When the user wants to confirm the code at a later time (or perhaps ask to resend it), he doesn't know the username but he does know the email address that he registered with...
You can search for Cognito users with a certain email (or any other attribute) using ListUsers with a filter like email = "user@signupemail.com".
Once you find the user, you can access their username via response.Users[0].Username, and use it to confirm the account.
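The two pieces the answers describe, as one added example that is not from the question, the answers or AWS: the Pre-Signup trigger that rejects an email already owned by a CONFIRMED user, and the ListUsers lookup that recovers the hidden UUID username from an email for a late ConfirmSignUp or ResendConfirmationCode. It assumes email is an alias and usernames are UUIDs; FakeCognitoClient and SAMPLE_USERS are constructed stand-ins for boto3.client("cognito-idp") and a real pool so it runs offline.

```python
# Pre-Signup trigger plus email-to-username lookup for a Cognito pool with
# email as an alias and UUID usernames. FakeCognitoClient is a constructed
# stand-in for boto3.client("cognito-idp"); the real client has the same call.

def email_filter(email):
    """ListUsers filter, e.g. email = "jdoe@example.com". Quotes/backslashes
    are refused rather than escaped so the value cannot alter the filter."""
    if '"' in email or "\\" in email:
        raise ValueError("unsupported character in email address")
    return 'email = "%s"' % email

def users_with_email(client, pool_id, email):
    return client.list_users(UserPoolId=pool_id, Filter=email_filter(email)).get("Users", [])

def username_for_email(client, pool_id, email):
    """UUID the user never saw; use it for ConfirmSignUp/ResendConfirmationCode."""
    users = users_with_email(client, pool_id, email)
    return users[0]["Username"] if users else None

def email_is_taken(client, pool_id, email):
    """Only a CONFIRMED account blocks the address: Cognito lets an unverified
    address sign up again, so an abandoned UNCONFIRMED user must not lock the owner out."""
    return any(u.get("UserStatus") == "CONFIRMED"
               for u in users_with_email(client, pool_id, email))

def pre_sign_up_handler(event, context, client=None):
    """Cognito Pre-Signup trigger: raising makes Cognito reject the sign-up
    and surface the message before any verification code is sent."""
    if client is None:
        import boto3                       # in Lambda, use the real client
        client = boto3.client("cognito-idp")
    email = event["request"]["userAttributes"].get("email", "")
    if email_is_taken(client, event["userPoolId"], email):
        raise ValueError("An account with this email address already exists")
    return event                           # unchanged event: sign-up proceeds

class FakeCognitoClient:
    def __init__(self, users):
        self.users = users
    def list_users(self, UserPoolId, Filter):
        return {"Users": [u for u in self.users if any(
            a["Name"] == "email" and email_filter(a["Value"]) == Filter
            for a in u["Attributes"])]}

# Constructed pool: jdoe confirmed; jane signed up but never verified.
SAMPLE_USERS = [
    {"Username": "0b1c2d3e-0000-4000-8000-000000000001", "UserStatus": "CONFIRMED",
     "Attributes": [{"Name": "email", "Value": "jdoe@example.com"}]},
    {"Username": "0b1c2d3e-0000-4000-8000-000000000002", "UserStatus": "UNCONFIRMED",
     "Attributes": [{"Name": "email", "Value": "jane@example.com"}]},
]
```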

How to design email and username login

I have two questions about usernames and emails.
1. I treat the username as an email if '@' is in it, and authenticate it as follows:
email_user = User.objects.get(email__iexact=username)
authenticate(username=email_user.username, password=password)
Is that a good way, or do you have better advice?
I know AbstractBaseUser can do it, but I think using User is more reasonable.
2. Should I store the user's email within the User.email field?
Imagine if I sign up a new user with:
username: '123'
email: '456@google.com'
and when the signup succeeds, then I find that my email is wrong,
and now another user whose email is '456@google.com' can't sign up again.
I just want an email that is verified to be associated with the user.
What's your advice?
If you want to use email as your unique sign-in key, it would save you a lot of trouble in future development of your website if you make a custom User model using AbstractBaseUser. If you want, I can post some sample working code.
In reference to your second question - you can use cryptographic signing in Django (https://docs.djangoproject.com/ja/1.9/topics/signing/) to produce a key. Then send this key as a link (e.g. www.example.com/verify/:some_crypto_key:) to the user's email address. This key will contain the user id and a timestamp. If you receive a request on that link, it means that the email is legit. You may find a package that does a similar task.
EDIT:
Implementation (short way) - as the user signs up on your website, immediately ask him/her to verify the account using the link you have sent to the given email. If you do not receive a response from that email within a given time (say 20 mins), delete that user entry. This means that you cannot let the user access your website until he/she verifies the account.
Flaw - consider a situation where the user has submitted a wrong email. It is obvious that the user will never be able to verify it, but for those 20 mins, if coincidentally the actual user with that same email tries to sign up on your website, he won't be able to access it. This is very unlikely. Also, this user will receive an email from your website saying that a user has signed up on a website (so here you can provide another link, an 'if this was not you, please click here' kind of thing).
Unless you have a burning desire to write your own custom user model, which will let you replace the username field with the email, I would recommend using something like Django AllAuth. It includes email verification (as outlined in your question), and can be set to use email as username fairly easily. It's a well established library with lots of support, and will be more immediately usable than rolling your own.
(That said - rolling your own is an illuminating experience, and RA123's point is the answer you should accept if you're going down that road.)
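The signed verification link from RA123's answer, as an added example that is not the answer's or Django's code: django.core.signing (TimestampSigner) does this for you in Django; this version reproduces the same scheme, user id plus issue timestamp under an HMAC, with the standard library so it runs without Django. SECRET_KEY and the 20-minute window are constructed assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-secret-change-me"   # assumption: your project's SECRET_KEY
MAX_AGE = 20 * 60                               # the answer's 20-minute window


def _sign(payload, secret=SECRET_KEY):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def make_verification_token(user_id, now=None, secret=SECRET_KEY):
    """Token placed in www.example.com/verify/<token>. It binds the user id
    and the issue time, so it cannot be reused for another user or forever."""
    issued = int(time.time() if now is None else now)
    payload = "%d:%d" % (user_id, issued)
    return "%s:%s" % (payload, _sign(payload, secret))


def verify_token(token, now=None, max_age=MAX_AGE, secret=SECRET_KEY):
    """Return the user id if the signature is valid and the token is younger
    than max_age, else None (caller shows an error page, not a 500)."""
    now = time.time() if now is None else now
    try:
        uid, issued, sig = token.split(":")
        payload = "%d:%d" % (int(uid), int(issued))   # re-canonicalise before checking
    except ValueError:
        return None                                     # malformed or non-numeric
    # Constant-time comparison: a plain == leaks where the signature differs.
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return None
    if now - int(issued) > max_age:
        return None        # expired: the answer deletes the unverified user here
    return int(uid)
```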

Receiving emails with sendgrid and cloudmailin

I have the same concept as mentioned in this question (generating a unique random email address for each user in a Rails app). When the user sends an email to that randomly generated email address, we process the body and store it in the db.
I followed the following steps:
Deployed my app in Heroku
Created a SendGrid account and configured the username and password in Heroku (to get the SendGrid addon).
Added the griddler gem and followed the steps mentioned in griddler.
Configured the parse webhook in SendGrid with my host and url.
Here comes the main problem:
I registered with CloudMailin and it generated a single email address. I don't really understand how to receive unique emails in my Rails application now. I tried white labeling cloudmailin.net in SendGrid but it doesn't work (maybe I am wrong here).
Googled a lot but didn't understand how to proceed from here. Can someone please help me solve this issue? I'd appreciate a good step-by-step reference.
There are two options to do this with CloudMailin.
Option 1:
On the free plan you can use a + in order to separate the email address given to you on CloudMailin and still create a unique email address that each customer can respond to. For example:
If your CloudMailin email address is example1234@cloudmailin.net you can use example1234+unique_id_54321@cloudmailin.net. CloudMailin calls unique_id_54321 the disposable part of this email address. This way you can send an email out and state the sender of that email is example1234+unique_id_54321@cloudmailin.net and then tell one user from another.
Option 2 (the better option):
However, the best way to do this is to use CloudMailin's custom domains. You can then receive anything@yourdomain.com.
With custom domains enabled you set CloudMailin up to be your MX server. Then any email coming into yourdomain.com goes direct to CloudMailin (you can use app.yourdomain.com to avoid conflicts with your regular email if needed).
You can then send email out with the sender as user-12345@yourdomain.com, task-12345@yourdomain.com or any other unique identifier. When you receive the email from CloudMailin the envelope will show that the email was sent to user-12345@yourdomain.com and you can then use this to resolve who the user was.
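Resolving the user from the recipient address under both options above, as an added example that is not CloudMailin's or the answerer's code: the mailbox, domain and user table are constructed, and the tag after + stands in for the answer's unique_id_54321.

```python
import re

CLOUDMAILIN_ADDRESS = "example1234@cloudmailin.net"   # Option 1 mailbox (constructed)
CUSTOM_DOMAIN = "yourdomain.com"                      # Option 2 MX domain (constructed)
USERS = {"54321": "alice", "12345": "bob"}            # constructed id -> account

_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")            # what a generated id may look like


def disposable_part(address):
    """'example1234+54321@cloudmailin.net' -> '54321'; None if the address is
    not our CloudMailin mailbox or carries no +tag."""
    local, _, domain = address.strip().lower().rpartition("@")
    base_local, _, base_domain = CLOUDMAILIN_ADDRESS.lower().rpartition("@")
    if domain != base_domain:
        return None
    user, plus, tag = local.partition("+")
    return tag if user == base_local and plus and tag else None


def resolve_user(envelope_to):
    """Map the *envelope* recipient (the address CloudMailin actually delivered
    to) to an account. The To: header is sender-controlled and is not used."""
    ident = disposable_part(envelope_to)                  # Option 1
    if ident is None:                                     # Option 2
        local, _, domain = envelope_to.strip().lower().rpartition("@")
        if domain != CUSTOM_DOMAIN:
            return None                                   # not our MX domain
        kind, dash, ident = local.partition("-")          # user-12345 / task-12345
        if not dash or kind not in ("user", "task"):
            return None                                   # unknown prefix
    return USERS.get(ident) if _ID.match(ident) else None
```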