How can we validate whether the email given in the reset credentials form is a valid email, not to check whether the user is registered, but to validate that the email format is right?
How can we handle this?
I tried adding username validation in the authentication flows for reset credentials; it validates the email as expected, but when the email format is wrong it takes me to a different page and throws the error below.
{"error":"invalid_grant","error_description":"Invalid user credentials"}
But I want to handle it on the same page with custom error messages.
Any solutions to this?
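Added example (my code, not Keycloak's and not from the question): a client-side format validator that a custom reset-credentials theme page could run before the form is submitted, so the error appears inline instead of the request reaching the server with a malformed address. The field ids, the error messages and the RFC 5321 length limits it applies are my choices; it checks syntax only and deliberately says nothing about whether the address belongs to a registered user.

```javascript
// Added example, not Keycloak code: inline email *format* validation for a
// custom reset-credentials page. Syntax only; registration status is never
// revealed, which matches what the question asks for.

const MAX_LOCAL = 64;   // RFC 5321 limit for the part before '@'
const MAX_TOTAL = 254;  // practical limit for a complete address

// Conservative syntax: dot-atom local part, dotted domain, alphabetic TLD.
// Quoted local parts and IP-literal domains are rejected on purpose.
const EMAIL_RE = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$/;

// Returns { ok: true, value } or { ok: false, message } so the caller can
// render the message next to the input.
function validateEmailFormat(raw) {
  const value = (raw ?? '').trim();
  if (value === '') return { ok: false, message: 'Email address is required.' };
  if (value.length > MAX_TOTAL) return { ok: false, message: 'Email address is too long.' };
  const at = value.lastIndexOf('@');
  if (at <= 0 || at === value.length - 1) {
    return { ok: false, message: 'Email address must contain a local part and a domain.' };
  }
  if (at > MAX_LOCAL) return { ok: false, message: 'The part before @ is too long.' };
  if (!EMAIL_RE.test(value)) return { ok: false, message: 'Email address format is not valid.' };
  return { ok: true, value };
}

// Wiring for the theme's form (browser only). Element references are assumed
// to come from the page, e.g. document.getElementById('username').
function attachInlineValidation(form, input, errorEl) {
  form.addEventListener('submit', (event) => {
    const result = validateEmailFormat(input.value);
    if (!result.ok) {
      event.preventDefault();          // stay on the same page
      errorEl.textContent = result.message;
      input.setAttribute('aria-invalid', 'true');
    } else {
      errorEl.textContent = '';
      input.removeAttribute('aria-invalid');
    }
  });
}
```

The server side must still apply the same check, since the form can be submitted without the script; keeping the message generic for every rejected input avoids turning the reset form into a registered-user oracle, which is the distinction the question draws.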
Related
I have a process of adding new users that requires me to send two emails. One from Keycloak to ask the added user to create a password and one inviting them to my site.
I would like to use only one email sent by my site, not Keycloak. I know I can modify the reset email sent from Keycloak, but I would rather just send the email from my site.
Is there a way to get a password reset link or token from Keycloak so that I can insert it into my email?
If I send an invalid email address via SMTP to Gmail, after mailFrom and rcptTo, and the rcptTo address is invalid, Gmail sends 550 User not found. But Yahoo sends "user not found" only after the DATA part is sent. Is there any way to find email validity before the DATA part?
Validating the user after RCPT TO is sent is not mandatory. It is up to the developer's choice whether to validate the user before the DATA part or after. Please refer to this: https://www.freesoft.org/CIE/RFC/1123/92.htm
If you want to validate the user before DATA, you can use third-party email validators to clean your contact list, and then send only to validated users.
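To make the answer's point concrete, here is an added example (my code, not from the question or the answer, and it opens no network connection): an in-memory model of the SMTP exchange with the two server policies RFC 1123 permits, rejecting an unknown mailbox at RCPT TO or only after the end of DATA. The client walks the same command sequence against both and reports where the rejection came back, which is what a sender's bounce handling needs to know. Domains, the mailbox list and the reply texts are constructed.

```javascript
// Added example: simulated SMTP exchange, two legitimate server policies.
// Nothing here talks to a real mail server.

// Tiny in-memory server model. `knownUsers` and `rejectAt` ('RCPT' or 'DATA')
// are constructed for the demonstration. Message body lines are omitted; the
// lone '.' stands for the end-of-data marker.
function makeServer(domain, knownUsers, rejectAt) {
  let pendingRcpts = [];
  return {
    handle(line) {
      const [verb] = line.split(' ', 1);
      switch (verb) {
        case 'EHLO': return '250 ' + domain;
        case 'MAIL': return '250 OK';
        case 'RCPT': {
          const addr = line.slice(line.indexOf('<') + 1, line.indexOf('>'));
          const local = addr.split('@')[0];
          if (rejectAt === 'RCPT' && !knownUsers.has(local)) return '550 5.1.1 User not found';
          pendingRcpts.push(local);      // late-rejecting policy: accept now, check later
          return '250 OK';
        }
        case 'DATA': return '354 End data with <CR><LF>.<CR><LF>';
        case '.': {
          const unknown = pendingRcpts.filter((u) => !knownUsers.has(u));
          pendingRcpts = [];
          return unknown.length ? '550 5.1.1 User not found' : '250 OK queued';
        }
        case 'QUIT': return '221 Bye';
        default: return '500 Unrecognised command';
      }
    },
  };
}

// Client side: runs the exchange and reports the stage at which the recipient
// was rejected, so the caller can treat both cases as a hard bounce.
function attemptDelivery(server, from, rcpt) {
  const transcript = [];
  const send = (line) => {
    const reply = server.handle(line);
    transcript.push('C: ' + line, 'S: ' + reply);
    return reply;
  };
  send('EHLO sender.example');
  send('MAIL FROM:<' + from + '>');
  let reply = send('RCPT TO:<' + rcpt + '>');
  if (reply.startsWith('5')) {
    send('QUIT');
    return { delivered: false, rejectedAt: 'RCPT', reply, transcript };
  }
  send('DATA');
  reply = send('.');                    // body omitted in this model
  send('QUIT');
  if (reply.startsWith('5')) return { delivered: false, rejectedAt: 'DATA', reply, transcript };
  return { delivered: true, rejectedAt: null, reply, transcript };
}

// Constructed servers mirroring the two behaviours described in the question.
const earlyRejecting = makeServer('mx.example-a.test', new Set(['alice']), 'RCPT');
const lateRejecting = makeServer('mx.example-b.test', new Set(['alice']), 'DATA');
```

Because either placement is legitimate, a sending pipeline has to treat a 5xx after DATA as a hard bounce exactly like one after RCPT TO and suppress the address in both cases; cleaning the list beforehand, as the answer suggests, is what keeps the DATA-stage rejections from happening in the first place.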
I am using Cognito in my service and I want to enable my service to change the email address.
In my frontend, I added code like this.
import { Auth } from 'aws-amplify'; // Amplify Auth wrapper around Cognito
// inside an async handler:
const email = 'foo@example.com'; // new address entered by the user (input)
const user = await Auth.currentAuthenticatedUser();
await Auth.updateUserAttributes(user, { email }); // sends the verification code to the new address
I found that updateUserAttributes not only sends the verification email but also changes the email address and sets Email verified to false before verification succeeds.
When a user sends the wrong email address, I think the user will no longer be able to log in, because the user cannot access the verification code or log in with the old email.
Is there a function to roll back to the old email address in Cognito?
After some digging, I found the related issue.
I found that updateUserAttributes not only sends the verification email but also changes the email address and sets Email verified to false before verification succeeds.
Unfortunately, this is a Cognito-side problem, and there is currently no way to solve it fundamentally.
In the issue, Can-Sahin's approach may help you.
Trying to send a sample of an email produces a notice that the Marketo send test failed.
There are two token-related reasons that Send Sample may fail:
You may have an invalid value for a token in your email. If there is an incorrect token value, the send sample will not work.
Example: If you have the token for first name written like this, {{lead.FirstName:default=Hello}}, then when you try to approve the email Marketo will let you know that the token value is incorrect. The correct token value is {{lead.First Name:default=Hello}}. For this example, if you change the token value to {{lead.First Name:default=Hello}}, Marketo will allow you to approve the email and it will allow you to do a send sample.
You may have a token in the From or Reply-To line that is not populating with an email address.
Example: If you have a token in the Reply-To like this one, {{lead.Email Address:default=edit me}}, then the Send Sample using the default will have "edit me" in the Reply-To, which is not an email address. Marketo cannot send an email without a Reply-To email address, so the Send Sample will fail.
If neither of the above applies, run the following tests and provide the information to Marketo Support:
Clone the email in question and test to send as a sample
Create a new email and test to send as a sample
Send the email via a live campaign or a single flow step to a test lead
I have a website where a user can login using MVC5 Identity. (Although this question is not specific to that technology)
For a user to register with this website we must have spoken to them over the phone and an account manager must go through a registration form which sets up an "unverified" account for the user.
Following this the user is sent an email verification link, along with a generated password to login. The registration you would normally fill out pre-login is done post-login.
So I was wondering if in this scenario I can simply treat the user's first login as email verification, because the only way they get their password is from the email.
Is there any way this could be exploited and open up any security holes/allow validation without owning the email?
Edit:
I wanted to add that the password is temporary (expires after a fixed period) and the user will be able to drop into a password reset form and have a new one emailed if they don't do it in time. If the user has given us the wrong email, I assume most will phone us.
I do not see this having any exploits or holes, and you are right to think this can be used as the email verification. Try it and see how it works. Maybe after the temporary password is typed, the user is prompted to type in a new password of their choosing.