Set password on email confirmation

Hi,

I have a question about the new customer registration. Is it possible for a customer to set (or reset) their password when clicking the account activation link?

The user flow would look like this:

  1. User is registered (I would skip the password altogether, or add a randomly generated one)
  2. User receives a confirmation email
  3. User clicks on the confirmation link
  4. User is asked to set a new password

Is this possible to do with Backendless?

Thanks,
Justinas

Hello @Justinas_Grazulis

You can change the email template located in the Web / templates / registration directory and change its appearance and add the necessary logic.

Regards,
Inna

Hi @Inna_Shkolnaya,

Found it, thanks!

Hi @Inna_Shkolnaya,

Sorry, but I have to get back to this question. I am now implementing this logic I described above, but it looks like in the registration template I don’t have access to the user info (objectId). How exactly do you suggest I allow a user to set their password at this point (i.e. when confirming their account)?

For clarity, app ID I use: F2FE78BB-5D08-44FE-B074-6E7C29B49B03
And the example confirmation URL: https://api.backendless.com/F2FE78BB-5D08-44FE-B074-6E7C29B49B03/3C5DB85B-508D-46A2-8564-60397A31E006/users/confirmation

I expected the two IDs in the URL to be APP ID and user’s Object Id, but it seems it is not the objectId. Can you help out?

Thanks,
Justinas

Hi @Justinas_Grazulis!

To complete your task you should create a custom confirmation page and a custom API service which will set the password and register the user.

The workflow will be as follows:

  1. You create a user with the specified email and some password. I recommend registering the user and generating the password inside the custom API service to exclude possible security problems.
  2. Send a confirmation email with a link to your custom confirmation page. This page will contain a form for configuring the password.
  3. When the user fills in the password and submits the form, it will call your custom API service method, which will update the password.

The API service can be implemented in Java or in JS using the Backendless SDK.
I think this approach should work for your case.

Regards, Andriy

Hi @Andriy_Konoz,

Thanks for the reply. From what you wrote, this means also disabling the “Require email confirmation” feature in Backendless and handling confirmations (generating the custom URLs, sending the confirmation emails, checking if the password was already updated) myself, is this correct?

Thanks,
Justinas

I think you can try to modify the template for email confirmation. In the template you should replace the default confirmation URL with your own. In this case there will be no need to disable email confirmation.

Regards, Andriy

OK, this is actually a great idea, which I was thinking about before. The question is how can I customize this URL so that I can also recognize a customer after redirection?

As I understand, the default confirmation URL is unique for that specific customer, and if I replace it in the template, I can only add a generic URL, for example, mywebsite.com/email-confirmation. But for this to work, I would need to add some parameters to identify the customer, for example, mywebsite.com/email-confirmation?objectId=xyz. Is there a way to do this?

I tried already to use the data from the default confirmation URL, which would be fine, but it doesn’t seem to be the user’s objectId.

Cheers,
Justinas

In the confirmation URL, a special code is used instead of the user object ID. It is done for security reasons, since this code is generated once and expires after usage. In the email template the identity value is available. You can form your own URL and put it in place of the {confirmation_url} placeholder. You can pass the identity value to your custom page as a URI param and then extract it in JS and add it to the submitted form data.

Regards, Andriy

Yeah, this makes total sense, just what I needed. Thanks a lot for your help @Andriy_Konoz!

You are welcome!

I hope you will have a great experience with Backendless.

Regards, Andriy

Hi, getting back once again on this, @Andriy_Konoz.

I just realized that passing {identity_value} through as a parameter (if I replace confirmation URL) is not great practice and it makes the email exposed. Would you guys consider adding {user_object_id} as an available value in the email confirmation templates? It would be better than passing a naked email.

Thanks,
Justinas

Hello @Justinas_Grazulis

We will be happy to assist you. I need to ask you a few more questions so I can understand the problem better.
Do you think that sending a letter to the mail@com address, the body of which will contain mail@com, is unsafe?

In order for the value not to be an email, you can change it in the settings: Console - Data - SYSTEM DATA - Users - SCHEMA - TABLE EDITOR - IDENTITY.

I will also consult with the team about adding a {user_object_id} to the Confirmation Template.

Hi @Volodymyr_Ialovyi ,

Yes, in my use case (where I implement a custom URL for a customer to set their password), I would not want the emails exposed in the URL as a parameter. That allows any 3rd party to brute-force my URL with arbitrary emails and see if they can override the password (in my case, that might be possible if a customer account is still pending email confirmation). So passing the ObjectId would be a more secure approach against this kind of attack.

(The identity value for us still needs to be an email for our users to log in using their emails.)

Hope this makes sense,
Thanks,
Justinas

Hello @Justinas_Grazulis

I consulted with the team and we decided to add {user_object_id} value into email confirmation templates.
I created an internal ticket - BKNDLSS-23519.
After it is added, we will report back in this topic.

Hi, @Justinas_Grazulis

We’ve updated cloud servers with a fix for the issue you described above. We have added the opportunity to add the variable {user_object_id} to the message body. Could you kindly let us know whether the fix works well for you?

Regards,
Marina