Hello,
on android, Is there a way to let the user ask to resend the confirmation email?
cheers,
Tal
This is definitely needed.
It is currently not supported, we will add it to the roadmap
is there any workaround ?
(e.g: we will send to the user independent email, using <tag> to send the confirmation link)
You could retrieve the user object, delete it in the storage and re-register. The caveat would be is the user would need to have a system generated password.
-
Who generates this password?
-
how can the user get this new password?
-
If you were to re-create the user, your app would generate the password
-
You can deliver the password to the user using the Send Email API
I’ve tried querying the user using his email and password like this:
String email = mTxtEmail.getText().toString().trim().toLowerCase();
String password = mTxtPassword.getText().toString();
final IDataStore<BackendlessUser> dataStore = Backendless.Data.of(BackendlessUser.class);
dataStore.find(new BackendlessDataQuery(“email LIKE '” + email + “’ AND password LIKE '” + password + “’”), new AsyncCallback<BackendlessCollection<BackendlessUser>>() {
and received a fault message:
Invalid data query parameter: password. Users table cannot be queried by passwords.
so if I can’t query by password, and I let the user use the resend confirmation option without entering a password then it’s not secure
You cannot query by password for the reason that passwords are encrypted in the storage. As a result, referencing password in a query would not work.
I understand.
Is there a way then to do the email confirmation?
You could try implementing them yourself by adding beforeRegister event handler in custom business logic.
I’m not sure I understand how this flow could work.
the user will choose “resend confirmation email”,
then what would happen in the server side?
- Retrieve user object with all the user properties.
Delete the existing user object.
Create/register a new user object with the same properties and a temporary password.
A confirmation email will be automatically triggered by the system.
You would need to send an email to the user to inform them of the system assigned password so they can login.
but how can I retrieve the user object without adding the password to the where clause.
the security issue is that user a can delete user b’s row just by knowing his email address.
usually the process is that only once the user presses the link in the email the password is being reset.
in this case, the password will be reset once the user presses the ‘resend confirmation’ button.
but how can I retrieve the user object without adding the password to the where clause.
String whereClause = "email = '" + emailAddress + "'";
BackendlessDataQuery query = new BackendlessDataQuery( whereClause );
Backendless.Data.of( BackendlessUser.class ).find( query );
the security issue is that user a can delete user b’s row just by knowing his email address.
Yes, you can. Retrieve it as shown above and then delete like this:
Backendless.Data.of( BackendlessUser.class ).remove( userObj );
Ok,
So I understand that the user row will be deleted, but at least the user will receive an email with a new password, correct?
to receive the new password, I understand that I need to do password recovery, and not registration confirmation, since the registration confirmation template does not contain a password field. correct?
So I understand that the user row will be deleted, but at least the user will receive an email with a new password, correct?
A user will receive an email when you register a new user account AND IF the backend is configured to send out emails for the user registration event.
Registration confirmation does not contain password, so you’re correct, you’d need to perform password recovery.
And that means 2 separate user actions, right?
Not necessarily. The registration email (the one where user confirms their email address) is optional - you can turn them off in the app.
You mean turn it off programatically from the android code?