Email Verification for Web App Registration

I'm working on a SaaS web app/website and trying to figure out the best way to make the sign up/registration as easy as possible for the user.
So far, we've got it down to only a few fields for the user to fill in. As soon as they hit "sign up", I thought it would look nice to display a loading animation with "creating your account" and fade right into the interface.
I've noticed that a bunch of successful web applications are currently allowing registration and sending the user directly into the application without requiring an email registration for access.
I just really need some clarification - is the email verification thing only around so the company cannot be accused of spamming users? (i.e. when they send out routine emails)
Is there any way around this? Obviously to use the app correctly, they would need to receive the routine emails. What are your thoughts on this?
Thanks Everyone

I am not sure whether the case was solved, but we did exactly the same solution at mailcheck.co: when you try signing up, invalid emails won't be accepted.

Keycloak: how to send email to admin upon user registration / how to create a custom execution for sending email

I want to alter the User Registration flow to allow for emailing someone when there is a user registration. For altering the flow, this question provides an example.
However, in my case, there is no execution I could add out of the box to email someone other than the user. How can I go on to create a custom execution for sending email in order to send email to admin upon user registration?
Alternatively, I could start continuously polling the list of all users and diffing it. A solution using python-keycloak would be similar to what is described here, but for my case it seems both inefficient and cumbersome: the cron job would have to run all the time.
Any other way to solve this problem also welcome!
Unfortunately, I suppose this feature is not (yet?) supported.
If I get your question correctly, you want to be notified by mail when someone creates an account? If so, you can implement that in your code by checking for the Keycloak response (200 or 201) after account creation and then notifying the necessary email. You can integrate with SendGrid.
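The approach in the answer above, as an added example (not code from the posts, from Keycloak or from SendGrid): create the user through the Keycloak Admin REST API, and only when Keycloak answers 201 Created send an administrator notice through SendGrid's v3 mail/send endpoint. The HTTP transport is passed in so the module runs offline against the fake at the bottom; the Keycloak base URL, the realm name and the addresses are assumptions.

```python
"""Create a Keycloak user via the Admin REST API and, on 201 Created, notify an
administrator via SendGrid. Added example; base URL, realm and addresses are assumed."""
import json
from typing import Callable, Dict, Optional, Tuple
from urllib import error, request

Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]

KEYCLOAK_BASE = "https://keycloak.example.com"   # assumed server URL
REALM = "myrealm"                                # assumed realm
SENDGRID_URL = "https://api.sendgrid.com/v3/mail/send"


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Response:
    """Real transport for deployment; HTTP error statuses are returned, not raised."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def create_user(transport: Transport, admin_token: str, user: dict) -> Optional[str]:
    """POST a UserRepresentation; return the new user's id, or None on 409 (already exists)."""
    url = f"{KEYCLOAK_BASE}/admin/realms/{REALM}/users"
    headers = {"Authorization": f"Bearer {admin_token}",
               "Content-Type": "application/json"}
    status, resp_headers, body = transport("POST", url, headers, json.dumps(user).encode())
    if status == 201:
        # Keycloak returns an empty body; the id is the last segment of the Location header.
        location = resp_headers.get("Location", "").rstrip("/")
        return location.rsplit("/", 1)[-1] or None
    if status == 409:
        return None
    raise RuntimeError(f"Keycloak user creation failed: HTTP {status} {body[:200]!r}")


def notify_admin(transport: Transport, sendgrid_key: str, admin_email: str,
                 sender: str, user: dict, user_id: str) -> bool:
    """Send a plain-text notice; SendGrid answers 202 Accepted when it queues the mail."""
    payload = {
        "personalizations": [{"to": [{"email": admin_email}]}],
        "from": {"email": sender},
        "subject": f"New Keycloak registration: {user['username']}",
        "content": [{"type": "text/plain",
                     "value": (f"User {user['username']} <{user.get('email', '')}> "
                               f"was created in realm {REALM} (id {user_id}).")}],
    }
    headers = {"Authorization": f"Bearer {sendgrid_key}",
               "Content-Type": "application/json"}
    status, _, _ = transport("POST", SENDGRID_URL, headers, json.dumps(payload).encode())
    return status == 202


def register_and_notify(transport: Transport, admin_token: str, sendgrid_key: str,
                        admin_email: str, sender: str, user: dict) -> dict:
    """Create the user, then notify only if Keycloak actually created it."""
    user_id = create_user(transport, admin_token, user)
    if user_id is None:
        return {"created": False, "notified": False, "user_id": None}
    notified = notify_admin(transport, sendgrid_key, admin_email, sender, user, user_id)
    return {"created": True, "notified": notified, "user_id": user_id}


def fake_transport() -> Transport:
    """Offline stand-in for Keycloak and SendGrid (constructed for this example)."""
    seen = set()

    def transport(method, url, headers, body):
        if method == "POST" and url == f"{KEYCLOAK_BASE}/admin/realms/{REALM}/users":
            auth = headers.get("Authorization", "")
            if not (auth.startswith("Bearer ") and auth[len("Bearer "):]):
                return 401, {}, b""
            username = json.loads(body)["username"]
            if username in seen:
                return 409, {}, b'{"errorMessage":"User exists with same username"}'
            seen.add(username)
            return 201, {"Location": f"{url}/{len(seen):032x}"}, b""
        if method == "POST" and url == SENDGRID_URL:
            return 202, {}, b""
        return 404, {}, b""

    return transport


if __name__ == "__main__":
    t = fake_transport()
    alice = {"username": "alice", "email": "alice@example.com", "enabled": True}
    print(register_and_notify(t, "admin-token", "SG.key", "admin@example.com",
                              "noreply@example.com", alice))
```

Swap `fake_transport()` for `urllib_transport` and a real admin access token to run against a live realm. Note that a 409 is deliberately not treated as a new registration, and any other status raises rather than silently skipping the notification.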

Facebook Developer Account always disabled after couple of days of using Messenger API

This is not exactly a programming-related question but it is closely related to developing, so I think it is pertinent.
I've been charged in my work with developing an app with access to Facebook Messenger. I needed a Facebook account and I didn't want to use a personal one (and I don't use Facebook anyway), so I created a new Gmail account to use it to sign up on Facebook, as a user and as a developer.
After a couple of days of work, having created the page, my webhook, done some tests, etc., and investing a good deal of work hours, my account appeared as disabled.
I have to admit I didn't use much real info on this account (I'm kind of allergic to disclosing personal information unless mandatory), and the account was new, so I thought that maybe that was the reason (they don't give you any).
So I tried again a second time with an account I had been using for years (just for logging in to some sites, not much real information there either, as I say I don't really use Facebook), and after a couple of days, same result, locked account.
I can't stress enough that I don't use the API extensively; I just send some messages to another user I have added as one of the application developers so I can test (that other account is never blocked, by the way). It's not like I am sending hundreds of messages or anything like it. And by the way, I have never been blocked while I was doing something (so I could identify my wrongdoing). It just happened that at some point when I was going back to work (first hour in the morning, or after lunch for example) I tried to log in again and then I got the warning.
So I have tried a third time; this time I have given all my real information, reluctantly uploaded a personal picture, given all my data to Facebook (yikes!).
And after a couple of days: damn, same result. Blocked account. Work lost. They prompt you to upload a picture to check your ID, but to no avail (no answer yet, not even a notice of any kind) and they don't give you absolutely any reason why they have blocked you.
And if I go to https://facebook.com/help/contact/260749603972907 to fill in the form where they ask you to upload an ID, then it says that the email doesn't belong to a disabled account!
What is the unusual activity they have detected? What have I done wrong? Has anyone experienced the same problem? Has anyone got any clue of what it is that I could be doing wrong?
Because I don't want to go through the whole process once again only to get blocked in a couple of days.
Thanks.
EDIT 1:
OK, after checking again, now it recognizes the account as a disabled one. I have gone to https://facebook.com/help/contact/260749603972907 to fill in the form and I have uploaded my ID (even though I completely disagree with disclosing that kind of information).
Honestly, I don't know what it means by "shortly". It's been two days now and I have not received any kind of notification yet.
By the way, I haven't received any kind of notification (mail, SMS, anything) during any step of the process EVER. None. Nothing. Not even an automatic email response. Plain absolute silence.
Honestly, if Facebook uses a security system like this, that lets hackers in while it blocks legitimate users, creating false positives and making us lose many hours of work, without any reason or notification or explanation, then Facebook security is plain wrecked.
And I cannot do anything less than to strongly discourage any developer from using it if they can avoid it (which unfortunately I can't).
EDIT 2:
After some days I regained access to my account again. Without any notification, I just tried again and now it worked (really good communication policy, Facebook, congratulations).
My app had disappeared, so I had to go through the whole process again. And after sending ONE message to the API, this again:
And once again they asked me to upload a picture of myself (I think they already have enough pictures of me to make an album).
This is just plain crazy.

Masking an URL after redirect

We are building a SaaS solution which runs on SaaS.com, for example. Our software should be white label for our resellers and their customers. The customers of our resellers are stored in a specific database which is different for each reseller.
The reseller creates a button on his website [Login] which sends the customer to resellerID.my.saas.com. Our software gets the resellerID and selects the corresponding branding and database. This all works fine in a development environment at the moment.
We have only one thing left to solve, and that is the URL the customer of the reseller sees in his browser. This is (after logging in) my.saas.com.
We want the customer of the reseller to see the domain of the reseller after they are redirected to our link (resellerid.my.saas.com), for example my.reseller.com.
I googled a lot and asked our own and third-party developers how to solve this. Till now the only solution we found is using an iframe, which is not our preference, because this is not optimal for mobile views and is outdated, isn't it?
I also tried to solve this with DNS, which I couldn't get done.
Is there any way to achieve what we want and, if yes, how can we implement it?
Hoping for useful responses, because this part is very crucial for our business.
Thanks in advance, Rogé

How websites like Facebook are protected against bot without any captcha

How are websites like Facebook and Twitter protected against bots during registration? I mean, there's no captcha at all on the signup form?
I want to create a signup form for a project, and I don't want bots during registration, and captchas are often ugly.
edit:
My question is really about the registration, because I know Facebook uses captchas once you are registered for the first time.
Facebook uses some sort of hidden spam protection; if you view the source of the sign-up form you will see things like:
class="hidden_elem"><div class="fsl fwb">Security Check</div>This is a standard security test that we use to prevent spammers from creating fake accounts and spamming users.
so the captcha becomes visible when the JavaScript thinks that you are a bot.
There are a few methods of making it harder for bots to complete registration without a captcha, things like the time taken to fill out the form, originators of mouse click events, etc.
Also random session-based values in the form (to prevent direct submissions without downloading the form first).
Also some people use hidden form elements with common names like 'email' that are styled invisible in CSS, but common simple bots will try to fill out all form fields, so you can block them if this hidden element has any value.
Twitter and FB spend a lot of time on developing techniques to block spammers; I don't think they will make it public as it would be counterproductive for them in fighting the spammers.
But you can download all the client-side JavaScript from FB or Twitter and study it if you want, because most of the protection will happen inside the client, not on the server.
The server could only issue some random session variable, check for valid headers in the request, overall time etc.; it's really limited.
Some sites also use AJAX exchanges between server and client during the time when the user is filling out the form, mostly just to make it harder for the bot developer to do similar fake exchanges of data.
Anyway, unfortunately there is no easy solution for decent protection, especially without a captcha or some kind of question.
Also,
for the submit button you can use an image map instead of a button:
you can dynamically create a big image with a submit button image drawn on it at a random position using things like GDI in PHP, and use CSS to display only the portion of that image with the actual button, and on the server side check the X and Y position of where the mouse was clicked; this will be hard for bots to break.
Unless they use real browsers and just emulate keyboard and mouse. Anyway, as I said, unfortunately there is no easy solution.
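The server-side part of the answer above, as an added example (not code from the posts): a per-form token bound to the visitor's session and to the time the form was served, so the form must be fetched before it is posted, cannot be posted faster than a person could fill it, and cannot be replayed; plus a honeypot field hidden with CSS that people leave empty and naive bots fill in. The field names and the timing thresholds are assumptions.

```python
"""Server-side sign-up checks without a CAPTCHA: signed, session-bound, single-use
form token with an issue timestamp, and a honeypot field. Added example; names
and thresholds are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SECRET_KEY = secrets.token_bytes(32)   # per-deployment secret; never sent to the client
HONEYPOT_FIELD = "email_confirm"       # assumed name; rendered but hidden via CSS, must stay empty
MIN_FILL_SECONDS = 3                   # assumed: faster than this is almost certainly a script
MAX_FORM_AGE_SECONDS = 30 * 60         # assumed: stale forms must be fetched again
_used_nonces = set()                   # replay protection; use a TTL cache in production


def _sign(session_id: str, issued: int, nonce: str) -> str:
    msg = f"{session_id}:{issued}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id: str, now: Optional[float] = None) -> str:
    """Embed the result in a hidden <input name="form_token"> when serving the form."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{issued}:{nonce}:{_sign(session_id, issued, nonce)}"


def check_registration(form: Dict[str, str], session_id: str,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a posted sign-up form."""
    now = time.time() if now is None else now
    try:
        issued_s, nonce, sig = form.get("form_token", "").split(":")
        issued = int(issued_s)
    except ValueError:
        return False, "missing or malformed form token"
    # Constant-time compare: the token must have been issued to this very session,
    # which defeats direct POSTs that never fetched the form.
    if not hmac.compare_digest(sig.encode(), _sign(session_id, issued, nonce).encode()):
        return False, "form token does not match session"
    if nonce in _used_nonces:
        return False, "form token already used"
    age = now - issued
    if age < MIN_FILL_SECONDS:
        return False, "form submitted too quickly"
    if age > MAX_FORM_AGE_SECONDS:
        return False, "form token expired"
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot field was filled"
    _used_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    token = issue_form_token("session-abc", now=1000.0)
    print(check_registration({"form_token": token, "email": "a@example.com"},
                             "session-abc", now=1010.0))
```

The timing and honeypot checks only raise the cost for simple scripts, as the answer says; the token check is the one that holds against a bot that never loads the page, and it is only as good as the secrecy of `SECRET_KEY` and the session binding.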
One way would be to send a verification to the user's email address or cell phone and obtain verification (so in that case, you would have to allow only one email address or cell phone per account)
Another option is to use "Negative CAPTCHA" or "Honeypot Captcha"
I don't know how Facebook and Twitter do it, but if you want to create something simple and that doesn't interfere with your site aesthetics, I know that some websites just ask the user to enter an answer to a simple math problem like "what is 2 + 3?". This is not the most secure way to do it, but it's just a thought.
Well, you can always deploy hardware solutions as well to create Layer 4-7 firewall rules. You can create specific rules to look for the well-known user agents of bots crawling the web. However, to stop newly created bots you need to know what agent they are using for the bot.
Since you don't want CAPTCHA, you can use Keypic - keypic.com - which is an invisible protection, no CAPTCHA needed. It's an efficient antispam method for any web form. Site users don't pass any tests which is good for the site as it improves the quality of the user experience and thus raises user engagement. The solution is a kind of an expert system which analyses the behaviour of the users and checks the databases, then makes a conclusion if the request comes from a legitimate user or a robot.
BTW, Twitter and Facebook still use CAPTCHA for password verification which is a very disputable method in terms of efficiency of such protection.
I had a problem with tons of bots signing up for my Nintendo site so I put a single image of Mario on the sign-up page (making sure nothing in the image data said "Mario") with the text "Who is this? Answer in one word." Haven't had a single bot sign-up since. Not sure if this is actually a good solution though, not sure how smart bots are. I'm kind of surprised that it worked.
In theory it might be keeping out a few legitimate users, but it is hard to imagine many legitimate users of a Nintendo site not knowing who Mario is...

Login/SignUp before my (UITabBar based) App Starts

I think I have what must be a very common problem to solve, and although there are a few questions/answers on Stack Overflow/Google which talk about very similar problems/solutions, I haven't managed to convert those particular solutions to meet my own requirements.
Essentially I have built my app, now I need to implement a layer, before the app can be used, that manages Authentication (Login/SignUp) and then Authorisation (does this user have a licence to run this app).
Authentication
Present a login view; if login, then a web service is called to authenticate; if successful, it will allow the user to move to the authorisation (below).
If sign-up, then a 2-step sign-up process is initiated. Step 1: capture details (name, email, password, agree terms). Step 2: validate the email address using a token sent to the recipient.
Once you are authenticated I plan to update NSUserDefaults to skip this part on next use (unless the user wishes to unregister the device from the user account).
For authorisation it is a simple web service call to verify if this user has access to this app. If the licence expires in <30 days then UIAlertView accordingly and allow the user to use the app. If no licence, then offer the user a choice of (try or buy (inAppPurchase)) and proceed accordingly.
I guess the 'detail' above is irrelevant really my point is to illustrate that it's a little more involved than displaying a single view.
I've found questions/answers suggesting presenting modal views and others adding subviews to rootviewcontroller in the appDelegate, but nothing that allows me to be more structured.
If anyone could point me in the right direction of some pertinent articles/examples that would be great. Or any views/opinions on an approach, I don't want to do this bit twice :)
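Step 2 of the sign-up flow above, and the email verification discussed in the first question on this page, as an added example (not code from any of the posts): the account is created immediately but unverified, a random single-use token with an expiry is mailed as a link, and only a visit to that link marks the address verified; routine mail is gated on that flag. The in-memory dicts stand in for a database and the verification URL is assumed.

```python
"""Email verification as a separate step after sign-up: random, hashed-at-rest,
single-use, expiring token mailed as a link. Added example; storage and URL assumed."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600                    # assumed validity window

USERS: Dict[str, dict] = {}                      # user_id -> {"email", "verified"}
PENDING: Dict[str, Tuple[str, str, float]] = {}  # sha256(token) -> (user_id, email, expires_at)


def _digest(token: str) -> str:
    # Store only a hash: a leaked table then does not yield usable verification links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_verification_token(user_id: str, email: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits of randomness; the only copy is mailed
    PENDING[_digest(token)] = (user_id, email, now + TOKEN_TTL_SECONDS)
    return token


def register(user_id: str, email: str, now: Optional[float] = None) -> str:
    """Create the account immediately, unverified, and return the token to mail."""
    USERS[user_id] = {"email": email, "verified": False}
    return issue_verification_token(user_id, email, now)


def change_email(user_id: str, new_email: str, now: Optional[float] = None) -> str:
    """An address change resets verification; tokens stay bound to the address they were issued for."""
    USERS[user_id] = {"email": new_email, "verified": False}
    return issue_verification_token(user_id, new_email, now)


def verification_link(token: str) -> str:
    return f"https://app.example.com/verify?token={token}"   # assumed verification endpoint


def verify(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Consume the token from the mailed link; it is removed whether or not it is accepted."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_digest(token), None)
    if entry is None:
        return False, "unknown or already used token"
    user_id, email, expires_at = entry
    if now > expires_at:
        return False, "token expired"
    user = USERS.get(user_id)
    if user is None or user["email"] != email:
        return False, "email changed since token was issued"
    user["verified"] = True
    return True, "verified"


def can_receive_routine_mail(user_id: str) -> bool:
    """Gate routine email on verification so unconfirmed addresses are never mailed."""
    user = USERS.get(user_id)
    return bool(user and user["verified"])


if __name__ == "__main__":
    t = register("u1", "alice@example.com")
    print(verification_link(t))
    print(verify(t), can_receive_routine_mail("u1"))
```

This lets the user straight into the application, as the first question wanted, while still ensuring that routine mail only ever goes to an address whose owner clicked the link. The token is looked up by its hash and popped in one step, so a guessed or replayed token cannot be retried against the same entry.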
The way it's done in https://github.com/Cocoanetics/MyAppSales
Will probably set you in the right direction.
I hope you keep in mind Apple doesn't allow 'trial' apps:
2.9 Apps that are "beta", "demo", "trial", or "test" versions will be rejected