
Resend of confirmation email


(Tal Seren) #1

Hello,
On Android, is there a way to let the user ask to resend the confirmation email?

cheers,
Tal


(John Swanson) #2

This is definitely needed.


(Mark Piller) #3

It is currently not supported; we will add it to the roadmap.


(Tal Seren) #4

Is there any workaround?
(e.g., we will send the user an independent email, using <tag> to send the confirmation link)


(Mark Piller) #5

You could retrieve the user object, delete it in the storage and re-register. The caveat would be that the user would need to have a system-generated password.


(Tal Seren) #6
  1. Who generates this password?

  2. How can the user get this new password?


(Mark Piller) #7
  1. If you were to re-create the user, your app would generate the password

  2. You can deliver the password to the user using the Send Email API


(Tal Seren) #8

I’ve tried querying the user using his email and password like this:

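String email = mTxtEmail.getText().toString().trim().toLowerCase();
String password = mTxtPassword.getText().toString();
final IDataStore<BackendlessUser> dataStore = Backendless.Data.of(BackendlessUser.class);
dataStore.find(new BackendlessDataQuery("email LIKE '" + email + "' AND password LIKE '" + password + "'"), new AsyncCallback<BackendlessCollection<BackendlessUser>>() {
    @Override public void handleResponse(BackendlessCollection<BackendlessUser> response) { }
    @Override public void handleFault(BackendlessFault fault) { } // server faults are delivered here
});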

and received a fault message:
Invalid data query parameter: password. Users table cannot be queried by passwords.

So if I can’t query by password, and I let the user use the resend confirmation option without entering a password, then it’s not secure.


(Mark Piller) #9

You cannot query by password for the reason that passwords are encrypted in the storage. As a result, referencing password in a query would not work.


(Tal Seren) #10

I understand.

Is there a way then to do the email confirmation?


(Mark Piller) #11

You could try implementing them yourself by adding a beforeRegister event handler in custom business logic.


(Tal Seren) #12

I’m not sure I understand how this flow could work.

The user will choose “resend confirmation email”,
then what would happen on the server side?


(Mark Piller) #13
  1. Retrieve user object with all the user properties.
  2. Delete the existing user object.
  3. Create/register a new user object with the same properties and a temporary password.
  4. A confirmation email will be automatically triggered by the system.
  5. You would need to send an email to the user to inform them of the system assigned password so they can login.

(Tal Seren) #14

But how can I retrieve the user object without adding the password to the where clause?
The security issue is that user A can delete user B’s row just by knowing his email address.
Usually the process is that the password is reset only once the user presses the link in the email.
In this case, the password will be reset once the user presses the ‘resend confirmation’ button.


(Mark Piller) #15

> but how can I retrieve the user object without adding the password to the where clause.

String whereClause = "email = '" + emailAddress + "'";
BackendlessDataQuery query = new BackendlessDataQuery( whereClause );
Backendless.Data.of( BackendlessUser.class ).find( query );

> the security issue is that user a can delete user b’s row just by knowing his email address.

Yes, you can. Retrieve it as shown above and then delete like this:

Backendless.Data.of( BackendlessUser.class ).remove( userObj );
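
The concern raised in post #14, that nothing on the account should change until the link in the email is clicked, as an added example that is not part of the original thread or of Backendless's own code: a resend request only mints a signed, expiring token that is mailed to the address on file, and the account is touched only after `verify` succeeds. The class name, key handling and token layout are assumptions; only JDK classes are used and the sample values are constructed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;

// Added example: hypothetical server-side helper, not part of the Backendless SDK.
public class ConfirmationTokens {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key; // server-side secret, never shipped inside the app

    public ConfirmationTokens(byte[] key) { this.key = key.clone(); }

    // Token = base64url(email) "." expiryEpochSeconds "." base64url(HMAC-SHA256)
    public String issue(String email, Instant now, long ttlSeconds) throws Exception {
        String payload = B64.encodeToString(email.getBytes(StandardCharsets.UTF_8))
                + "." + (now.getEpochSecond() + ttlSeconds);
        return payload + "." + B64.encodeToString(sign(payload));
    }

    // Returns the confirmed email, or null if the token is malformed, forged or expired.
    public String verify(String token, Instant now) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) return null;
        try {
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(sign(p[0] + "." + p[1]), given)) return null; // constant-time
            if (now.getEpochSecond() > Long.parseLong(p[1])) return null;
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // bad base64 or non-numeric expiry
        }
    }

    private byte[] sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        ConfirmationTokens t = new ConfirmationTokens("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        Instant now = Instant.parse("2024-01-01T00:00:00Z");
        String token = t.issue("b@example.com", now, 3600); // mailed only to the address on file
        System.out.println(t.verify(token, now.plusSeconds(60)));       // valid case
        System.out.println(t.verify(token + "x", now.plusSeconds(60))); // tampered case
        System.out.println(t.verify(token, now.plusSeconds(7200)));     // expired case
    }
}
```

Because the token reaches only the mailbox being confirmed, someone who merely knows the address can trigger another email but cannot delete the row or change the password.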

(Tal Seren) #16

Ok,

So I understand that the user row will be deleted, but at least the user will receive an email with a new password, correct?

To receive the new password, I understand that I need to do password recovery, and not registration confirmation, since the registration confirmation template does not contain a password field. Correct?


(Mark Piller) #17

> So I understand that the user row will be deleted, but at least the user will receive an email with a new password, correct?

A user will receive an email when you register a new user account AND IF the backend is configured to send out emails for the user registration event.

Registration confirmation does not contain password, so you’re correct, you’d need to perform password recovery.


(Tal Seren) #18

And that means 2 separate user actions, right?


(Mark Piller) #19

Not necessarily. The registration email (the one where user confirms their email address) is optional - you can turn them off in the app.


(Tal Seren) #20

You mean turn it off programmatically from the Android code?