Forem Creators and Builders 🌱

Andy Zhao

Should we prevent accounts with no emails associated with them?

I think this is more of a bug than anything, but our authentication requires people to sign up with a social provider (Twitter, GitHub, etc). Sometimes the account doesn't have an email associated with it, whether it's because of:

  1. a bug on our end,
  2. a bug on the provider's end,
  3. the provider account does not have an email associated (for ex. Twitter phone number sign up)

For #3 specifically, it causes problems on a Forem's end, because we end up having no way of contacting the person if we need to.

What do you all think? I think we should fix this "bug" and ensure that people signing up have an email associated with them, but curious to hear people's thoughts if they think otherwise.

Oldest comments (4)

Vaidehi Joshi

> I think we should fix this "bug" and ensure that people signing up have an email associated with them, but curious to hear people's thoughts if they think otherwise.

I 100% agree! Ensuring that a user has an associated email will also be beneficial for preventing spam signups and contacting users (on the off-chance that we need to for security + safety purposes). It also allows for fallbacks for password resets and allows us to "verify" someone's identity through email confirmation 👍

Ben Halpern

I think we need a better flow of accounting for this in onboarding. So yes, they're allowed, but we immediately make people fill in their email upon registration— just to close the loop on necessary functionality.

We should fix the bug, but we've always wanted to err dramatically on the side of "not spying on you", so with DEV the fact that we have this bug is not the end of the world.

Meghan

no. or rather, make it a config option

Kara Rawson

yes, this is a security issue. you should also make sure to verify the address too, and prevent people from posting until they have verified. i think twitter requires this.