I am trying to find out if a user has an #facebook.com email for messaging but can not see where to request that I do request perms for their regular email and can get that, but can't see where to get their #facebook.com email. It's not included in https://graph.facebook.com/me/ and since there's no guarantee that they have set one up I can't assume that it's based on their username
If a user has a facebook.com email address it will be their {username}#facebook.com. However, just because a user has a username setup, doesn't mean there's a corresponding email for it. I've had a username since Facebook landrushed them, and just the other day I setup an email for it. There's no way to tell if they've set it up. Your best bet is to ask the user for an email address that your app can use.
Just go to your privacy settings and from there act as you are editing you email address then there is a Facebook email button setup there.
Related
I need to validate user's email before allowing them to proceed with account creation.
What will be the best way of doing so in Django ?
I was thinking of sending cookies with UUID which will be used during registration.
email_validation_DB:
UUID | Email | Confirmation Code | is_verified
Then, when user will click on register. UUID will be used to get the verified email address from email_validation_DB and proceed with account creation.
Instead of allowing users with only verified emails to proceed, I would suggest that you allow any user to register but activate their account only after they verify their emails.
What you can do is create a hash token and send the email with hash token and a link. When user clicks on the link, you can verify the token and activate the account. Here is a good tutorial about this - https://www.javatpoint.com/django-user-registration-with-email-confirmation
Alternatively, you can use a python package. Here is a good one - https://github.com/LeoneBacciu/django-email-verification. You can also use this package to add additional functionalities around email sending like forgot password etc.
In my user pool, I currently see two options for the login flow:
Using username and email adress
Using email adress or phone number
Option 1: The username is unique. You will get an error message if you try to register again with this username. BUT: The email address is not unique. You can try to register again with this email address. The user will then be created in the User Pool, but you will not be able to reconfirm this email address.
Option 2: The email address and / or phone number are unique. But the username can no longer be used to log in.
What do I want?
I need a mix of both options. I want my users to log in with username AND email address (which is the case with option 1), but I don't want to allow them to create multiple accounts with the same email address (they need a unique email as with option 2).
Is there an easy way to accomplish this? I couldn't find anything in the Cognito Console and feel like I need something like a custom Lambda trigger .... Thanks for any tips!
Your are already going into the right direction. You need a pre-signup lambda to do the check of email uniqueness for you. Should be relatively straightforward Here is the link to the documentation about how to set up such lambda:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
Your Lambda needs to be able to execute actions on the User Pool to figure out if user with a specific email already exists.
The easiest way to search for such users is to use the ListUsers API (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html) with a filter to select only users having the email address in question.
I'm building a registeration portal for my website. I'm using Django. Any user needs to input unique username and email to register. How to enable email verification?
If you are asking about verification link inside the email that your app is going to send after users registration then maybe check this link
I have two question about usernames and emails
1. I judge username is a Email if '#' in username, and auth it follow:
email_user = User.objects.get(email__iexact=username)
authenticate(username=email_user.username)
Is that a good way that you recommended? or you may have a better advice?
I know a AbstractBaseUser can do it, but I think use User is more reasonable.
2. Should I store the user's email within the User.email field?
Imagine if I sign up a new user with:
username: '123'
email: '456#google.com'
and when I signup success, then I find that my email is wrong,
and now another user that email is '456#google.com' can't signup again.
I just want to a email is verified that can associate with the user.
what's your advice?
If you want to use email as your unique sign in key, it would save you a lot of trouble in future development of your website if you make a custom User model using AbstractBaseUser. If you want i can post a sample working code
In reference to your second question - You can use Cryptographic signing in Django (https://docs.djangoproject.com/ja/1.9/topics/signing/) to produce a key. Further send this key as a link (eg www.example.com/verify/:some_crypto_key:) and send it as a link to user's email address. This key will contain user id and time stamp. If you receive a request on that link, it means that email is legit. You may find a package that does a similar task maybe.
EDIT:
Implementation (short way) - As the user signups on your website, Immediately ask him/her to verify account using the link you have sent to the given email. If you do not receive a response from that email within a given time (say 20 mins), delete that user entry. This means that you can not let the user access your website until he/she verifies the account.
Flaw - Consider a situation where the user has submitted a wrong email. It is obvious that the user will never be able to verify it but for those 20 mins if co-incidentally the actual user with that same email tries to signup on your website, he won't be able to access. This is very unlikely. Also this user will receive an email from your website saying that user has signed-up on a website (so here you can provide another link, 'if this was not you, please click here' kind of thing)
Unless you have a burning desire to write your own custom user model, which will let you replace the username field with the email, I would recommend using something like Django AllAuth. It includes email verification (as outlined in your question), and can be set to use email as username fairly easily. It's a well established library with lots of support, and will be more immediately usable than rolling your own.
(That said - rolling your own is an illuminating experience, and RA123's point is the answer you should accept if you're going down that road.)
Has Facebook always verified the email addresses for their users?
I am building an app with Django (using python-social-auth) where I want people to be able to login with their Facebook account. As far as I understand, the email is always verified. Even in the case when the person who has signed up used his/her phone number. If they enter an email later on, this email will still be verified.
However, I am not sure this was the case earlier. Can we trust that all the emails have been verified by Facebook for all the accounts?
More recently, the short answer is: Yes, if you get email from Facebook, this is verified email.
Also, remember that users may not have it set (i.e. phone registration) and probably, if you want to handle them, you will need to extend your pipeline to verification.
(But that allows you to handle for example twitter)
Anyway, more info in twin topic: Is it possible to check if an email is confirmed on Facebook?
In case anyone finds this question again, as of 2021, Facebook's documentation says that the email obtained from Facebook needs to be verified.
"1. Ensure the Facebook Login email address is verified
If you use an email address as the unique credential which identifies each account, your app should verify that the email address associated with the person's Facebook account (and obtained during Facebook Login) is valid. You can do this by creating code in your app to send a verification email to the address obtained after Facebook Login."
Source: https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1