Change registration flow to be email-based

#What is this about?

The standard and current registration flow in which a user submits account data (esp. email address and password) all to one form reveals whether or not a user with that email address exists.

#Why is this important?

This may be may attacks on user accounts easier, and users may not want their usage of bouts.app to be known. See OWASP's authentication cheat sheet for more information.

#How to fix it?

This will require having a mailer set up in order to send emails. The registration flow should look like:

  1. User GETs /register
  2. User sees a register form asking for an email address
  3. User completes and submits the form
  4. Response tells user a link to confirm the account was emailed
  5. User clicks link in email, fills in password and other fields to create account

#When should this be fixed?

Around MVP status, or before. It will be very similar to the password reset flow, so they should be implemented around the same time.

#Other information

This is not a vulnerability, but a possible security and privacy enhancement.

Assigned to
2 years ago
2 years ago
priority:med type:security