【发布时间】:2020-03-16 05:30:57
【问题描述】:
我正在使用 MERN Stack 创建一个社交网站。首先,用户可以简单地使用电子邮件和密码注册,但这意味着任何人都可以使用任何随机电子邮件并可能向数据库发送垃圾邮件。所以我翻到了这个视频https://www.youtube.com/watch?v=76tKpVbjhu8 并实现了它来要求电子邮件验证。
现在的问题是,即使用户注册但没有验证他的帐户,其他用户也无法使用相同的电子邮件创建帐户,因为它说用户已经存在。这意味着如果某个恶作剧者注册了一个帐户: 姓名:约翰·多伊 电子邮件:johndoe@gmail.com 密码:123456
并且无法验证他的帐户,如果有一天真正的johndoe来尝试注册一个帐户,他将无法注册它,因为它已经存在。
如果在设定的时间内无法验证他的帐户,是否会自动删除用户。
这是我的用户架构
const mongoose = require('mongoose');
const UserSchema = new mongoose.Schema({
name: {
type: String,
required: true
},
posts: [
{
type: mongoose.Schema.Types.ObjectId,
ref: 'Post'
}
],
profile: {
type: mongoose.Schema.Types.ObjectId,
ref: 'Profile'
},
email: {
type: String,
required: true,
unique: true
},
password: {
type: String,
required: true
},
isVerified: {
type: Boolean,
default: false
},
date: {
type: Date,
default: Date.now
}
});
const User = mongoose.model('User', UserSchema);
module.exports = User;
注册路线
// @route POST api/users
// @desc REgister a user
// @access Public
router.post(
'/',
[
check('name', 'Please add name')
.not()
.isEmpty(),
check('email', 'Please include a valid email').isEmail(),
check(
'password',
'Please enter a password with 6 or more characters'
).isLength({ min: 6 })
],
async (req, res) => {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
const { name, email, password } = req.body;
try {
let user = await User.findOne({ email });
if (user) {
return res.status(400).json({ msg: 'User already exists' });
}
user = new User({
name,
email,
password
});
const salt = await bcrypt.genSalt(10);
user.password = await bcrypt.hash(password, salt);
await user.save();
const payload = {
user: {
id: user.id
}
};
let profile = new Profile({
user: user.id
});
await profile.save();
user.profile = profile.id;
await user.save();
jwt.sign(
payload,
config.get('jwtSecret'),
{
expiresIn: 36000
},
(err, token) => {
if (err) throw err;
const url = `http://localhost:3000/confirmation/${token}`;
transporter.sendMail({
to: user.email,
subject: 'Confirm Email',
html: `Please click this link to confirm your email for signing up for MERN Blog <a href="${url}">${url}</a>`
});
res.json({
msg:
'Thanks for signing up! An email has been sent to your email for verification. Go ahead and verify your account'
});
}
);
} catch (err) {
console.log(err.message);
res.status(500).send('Server Error');
}
}
);
module.exports = router;
确认路线
router.post('/confirmation', async (req, res) => {
const token = req.body.token;
//Check if not token
if (!token) {
return res.status(401).json({ msg: 'No token, authorization denied' });
}
try {
const decoded = jwt.verify(token, config.get('jwtSecret'));
const user = await User.findByIdAndUpdate(decoded.user.id, {
isVerified: true
});
const payload = {
user: {
id: user.id
}
};
jwt.sign(
payload,
config.get('jwtSecret'),
{
expiresIn: 36000
},
(err, token) => {
if (err) throw err;
res.json({ token });
}
);
} catch (err) {
res.status(401).json({ msg: 'Token is not valid' });
}
});
【问题讨论】:
-
您需要自动执行此操作。首先你需要创建一个api来移除一个周期内未验证的用户,并安排一个job调用这个api。
-
我提供了一个粗略的答案,您是在寻找代码示例还是只是一般策略?
标签: reactjs authentication mongoose mern email-verification