Backendless Support
 
Answered

Resend of confirmation email

Hello,

On Android, is there a way to let the user ask to resend the confirmation email?

cheers,

Tal


Comments (28)

photo
1

This is definitely needed.

photo
1

It is currently not supported; we will add it to the roadmap.

photo
1

Is there any workaround?

(e.g., we will send the user an independent email, using <tag> to send the confirmation link)

photo
1

You could retrieve the user object, delete it in the storage and re-register. The caveat is that the user would need to have a system-generated password.

photo
1

1. Who generates this password?

2. How can the user get this new password?

photo
1

1. If you were to re-create the user, your app would generate the password

2. You can deliver the password to the user using the Send Email API

photo
1

I've tried querying the user using his email and password like this:

    String email = mTxtEmail.getText().toString().trim().toLowerCase();
    String password = mTxtPassword.getText().toString();
    final IDataStore<BackendlessUser> dataStore = Backendless.Data.of(BackendlessUser.class);
    // Query on both email and password; the backend answers with the fault shown below.
    dataStore.find(new BackendlessDataQuery("email LIKE '" + email + "' AND password LIKE '" + password + "'"), new AsyncCallback<BackendlessCollection<BackendlessUser>>() {
        @Override public void handleResponse(BackendlessCollection<BackendlessUser> response) { }
        @Override public void handleFault(BackendlessFault fault) { }
    });

and received a fault message:

    Invalid data query parameter: password. Users table cannot be queried by passwords.

So if I can't query by password, and I let the user use the resend confirmation option without entering a password, then it's not secure.

photo
1

You cannot query by password for the reason that passwords are encrypted in the storage. As a result, referencing password in a query would not work.

photo
1

I understand.

Is there a way then to do the email confirmation?

photo
1

You could try implementing them yourself by adding a beforeRegister event handler in custom business logic.

photo
1

I'm not sure I understand how this flow could work.

The user will choose "resend confirmation email"; then what would happen on the server side?

photo
1

  1. Retrieve user object with all the user properties.
  2. Delete the existing user object.
  3. Create/register a new user object with the same properties and a temporary password.
  4. A confirmation email will be automatically triggered by the system.
  5. You would need to send an email to the user to inform them of the system assigned password so they can login.

photo
1

But how can I retrieve the user object without adding the password to the where clause?

The security issue is that user A can delete user B's row just by knowing his email address.

Usually, the password is reset only once the user presses the link in the email.

In this case, the password will be reset once the user presses the 'resend confirmation' button.

photo
1

"But how can I retrieve the user object without adding the password to the where clause?"

    String whereClause = "email = '" + emailAddress + "'";
    BackendlessDataQuery query = new BackendlessDataQuery( whereClause );
    Backendless.Data.of( BackendlessUser.class ).find( query );

"The security issue is that user A can delete user B's row just by knowing his email address."

Yes, you can. Retrieve it as shown above and then delete like this:

    Backendless.Data.of( BackendlessUser.class ).remove( userObj );

photo
1

Ok,

So I understand that the user row will be deleted, but at least the user will receive an email with a new password, correct?

To receive the new password, I understand that I need to do password recovery, and not registration confirmation, since the registration confirmation template does not contain a password field. Correct?

photo
1

"So I understand that the user row will be deleted, but at least the user will receive an email with a new password, correct?"

A user will receive an email when you register a new user account AND IF the backend is configured to send out emails for the user registration event.

Registration confirmation does not contain password, so you're correct, you'd need to perform password recovery.

photo
1

And that means 2 separate user actions, right?

photo
1

Not necessarily. The registration email (the one where user confirms their email address) is optional - you can turn them off in the app.

photo
1

You mean turn it off programmatically from the Android code?

photo
1

No, from Backendless Console http://take.ms/qMKGT

photo
1

So this is not a solution, because the whole topic is about resending the email confirmation, not canceling it altogether.

photo
1

Sorry, my comment was out of this scope

photo
1

With the proposed changes, you should not rely on Backendless to mail anything automatically - everything should be done out of the custom code.

We will add support for resending email confirmation, but I cannot commit to a specific timeline for when this will be available.

photo
1

"When confirmation is required, users can not login until email is confirmed"

We should choose whether we'll allow the user to login or not based on the email confirmation status. I, for example, want to not allow the user to log in 7 days after the account is created and the email is not confirmed yet. And then I'd resend the confirmation email.

photo
1

There is a default implementation and then there is an infinite number of use-cases where you can build any kind of logic that suits your app. With the default one, it works as we document it. For everything else you'd add your custom code and use the provided APIs (where it makes sense) to get things done.

photo
1

Yeah I understand. I will investigate how I can use an external service like MailChimp to implement this behavior within a server side script.

photo
2

Did you know there is an API for sending email in Backendless? If it will make it any easier, here's the doc (it is for iOS, there is a selector for languages in the upper right corner):

https://backendless.com/documentation/messaging/ios/messaging_sending_email_rest.htm

photo
1

Ah yeah, there's that. I will give it a try then. Thanks
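
The concern raised in the thread, that a delete-and-re-register resend lets anyone who knows an email address reset another user's account, does not arise when a resend only issues a fresh link and the account changes only when that link comes back. That flow as an added example (not code from the thread or from Backendless, and going beyond the workaround discussed; `Mailer`, `Pending`, the in-memory map and the `app.example` URL are assumptions standing in for the Send Email API and the user table):

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;

public class ResendConfirmation {
    // Hypothetical stand-in for the Send Email API, called from server-side custom code.
    interface Mailer { void send(String to, String subject, String body); }
    // Constructed record; assumed to live in extra columns next to the user row.
    static final class Pending { byte[] tokenHash; Instant expires, lastSent; boolean confirmed; }
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Pending> users = new HashMap<>();
    private final Mailer mailer;
    ResendConfirmation(Mailer mailer) { this.mailer = mailer; }
    void register(String email) { users.put(email, new Pending()); resend(email); }
    // Callable without a password: it never deletes the row or resets the password.
    void resend(String email) {
        Pending p = users.get(email);
        Instant now = Instant.now();
        if (p == null || p.confirmed) return;   // same silent result for unknown addresses
        if (p.lastSent != null && now.isBefore(p.lastSent.plusSeconds(60))) return; // throttle
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        p.tokenHash = sha256(token);            // store only the hash of the token
        p.expires = now.plusSeconds(24 * 3600);
        p.lastSent = now;
        mailer.send(email, "Confirm your email", "https://app.example/confirm?token=" + token);
    }
    // Account state changes only when the emailed token comes back.
    boolean confirm(String email, String token) {
        Pending p = users.get(email);
        if (p == null || p.tokenHash == null || Instant.now().isAfter(p.expires)) return false;
        if (!MessageDigest.isEqual(p.tokenHash, sha256(token))) return false; // constant-time
        p.confirmed = true;
        p.tokenHash = null;                     // single use
        return true;
    }
    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) {
        String[] link = new String[1];          // captures the mailed link for the demo
        ResendConfirmation svc = new ResendConfirmation((to, subject, body) -> link[0] = body);
        svc.register("b@example.com");          // constructed address
        String token = link[0].substring(link[0].indexOf('=') + 1);
        System.out.println(svc.confirm("b@example.com", "guess") + " " + svc.confirm("b@example.com", token));
    }
}
```

Because `resend` returns the same way for unknown, confirmed and throttled addresses, the endpoint also gives no signal about which emails are registered.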
