I am developing an API for mobile clients on Laravel. I use Laravel Passport for user authentication and issue a Personal Access Token when logging in to the system.

I cannot figure out how to implement an email confirmation system (or mobile phone, it does not matter) when registering a user. The confirmation has to be done using a four-digit number, the code.

Traditionally, sites send a letter with an activation code after the registration form is submitted, and only after that activate the account. As far as I understand, in this case the user record will already exist in the database. Accordingly, until the user confirms it, it is theoretically possible that another person will come along during this time and want to create an account with the same mailbox. And now there are 2 non-activated records in the database. Sooner or later one of the users activates the account, and then what to do with the second? Of course, I understand that the activation code is temporary, but that does not solve this problem.

I do not like this approach. I wanted the user record to be created only after he confirmed the password and registered. How, then, should the logic on the server be arranged, and how should it communicate with the client?

I roughly thought of the following:

  1. The user enters their email.
  2. The mobile client sends the user's email to the API.
  3. The API creates an entry in a separate table that maps email to code.
  4. The API sends an email with the code to that address.
  5. The user enters the code in the email confirmation field and fills in the other fields of the registration form.
  6. The mobile client sends all user data to the API along with the code.
  7. The API creates the user account in a separate table (users).

How safe is this approach and what are the disadvantages? What do you advise?

    1 answer

    The user enters the code in the email confirmation field and fills in the other fields of the registration form.

    This does not work that way; usually you first fill in everything, and once that has been completed successfully, all that remains is to enter the verification code to activate. So it has to be done the same way after all :)

    It is quite normal practice to create a table for non-activated users, for example users_not_activated, and store there everything the user has entered; to be transferred from this table to users, he needs to enter the correct code.

    When he enters the code, we search the users_not_activated table by the email and code fields; if we find a match, we transfer it to the main table and immediately execute another query to delete all records in users_not_activated with the current email. And that's all ;)

    If you are worried about garbage, I can reassure you: an indexed search will work quickly even with a few million rows, so there are no problems, everything is within the margin of error. Especially since you can record the creation time of each record in this temporary table and once a week clean up the old (irrelevant) records.

    • I'm not scared of garbage. To me, the pipeline itself seems to be a crutch. But thanks for the answer! - rugleb
    • @rugleb your option seems much more of a crutch) first send the email, then enter the code, then fill in the fields. And what if the page is lost? In the version I proposed, you can easily include the activation url in the letter (that is, not enter the code, but simply click on the link). - Manitikyl
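The following is an added example, not code from the question, the answer, or Laravel itself. It sketches the flow the answer describes (a users_not_activated table holding everything the user entered, a lookup by email and code, a move to users, and deletion of all pending rows for that email) and also covers the question's step list, since both end at the same "verify code, then create the account" point. It is framework-agnostic PHP on PDO with an in-memory SQLite database so it runs stand-alone (requires the pdo_sqlite extension); the table names, column names, the 15-minute lifetime and the 5-attempt cap are all assumptions. Two points a practitioner would want on top of the answer: the code is stored only as a hash, and because a four-digit code has only 10,000 possible values, each pending row gets a bounded number of guesses and an expiry.

```php
<?php
// Added example (not from the question, the answer, or Laravel): the
// users_not_activated -> users flow, framework-agnostic, on PDO + SQLite.
declare(strict_types=1);

const CODE_TTL_SECONDS = 15 * 60; // assumption: a code is valid for 15 minutes
const MAX_ATTEMPTS     = 5;       // assumption: 4 digits = 10k values, so cap guesses

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users_not_activated (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT NOT NULL,
        name TEXT NOT NULL,
        password_hash TEXT NOT NULL,
        code_hash TEXT NOT NULL,
        attempts INTEGER NOT NULL DEFAULT 0,
        created_at INTEGER NOT NULL)');
    // the answer's point: an index makes the lookup cheap even with many rows
    $db->exec('CREATE INDEX idx_pending_email ON users_not_activated(email)');
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT NOT NULL UNIQUE,
        name TEXT NOT NULL,
        password_hash TEXT NOT NULL)');
    return $db;
}

// Registration submit: store what the user entered, generate a code with a CSPRNG,
// keep only its hash, and hand the plain code back so the caller can e-mail it.
function startRegistration(PDO $db, string $email, string $name, string $password): string
{
    $code = str_pad((string) random_int(0, 9999), 4, '0', STR_PAD_LEFT);
    $stmt = $db->prepare('INSERT INTO users_not_activated
        (email, name, password_hash, code_hash, attempts, created_at)
        VALUES (:email, :name, :pw, :code, 0, :now)');
    $stmt->execute([
        ':email' => $email,
        ':name'  => $name,
        ':pw'    => password_hash($password, PASSWORD_DEFAULT),
        ':code'  => password_hash($code, PASSWORD_DEFAULT),
        ':now'   => time(),
    ]);
    return $code; // send by e-mail; the clear-text code is never stored
}

// Code submit: fetch pending rows for the e-mail, check the code against each hash
// (skipping expired or locked rows), move the match to users inside a transaction,
// and delete every pending row for that e-mail so no duplicates are left behind.
function confirmRegistration(PDO $db, string $email, string $code): bool
{
    $stmt = $db->prepare('SELECT * FROM users_not_activated WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $now = time();

    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $expired = ($now - (int) $row['created_at']) > CODE_TTL_SECONDS;
        $locked  = (int) $row['attempts'] >= MAX_ATTEMPTS;
        if ($expired || $locked || !password_verify($code, $row['code_hash'])) {
            // count the failed guess against this row
            $db->prepare('UPDATE users_not_activated SET attempts = attempts + 1 WHERE id = :id')
               ->execute([':id' => $row['id']]);
            continue;
        }
        $db->beginTransaction();
        try {
            $db->prepare('INSERT INTO users (email, name, password_hash) VALUES (:e, :n, :p)')
               ->execute([':e' => $row['email'], ':n' => $row['name'], ':p' => $row['password_hash']]);
            $db->prepare('DELETE FROM users_not_activated WHERE email = :email')
               ->execute([':email' => $email]);
            $db->commit();
        } catch (PDOException $e) {
            $db->rollBack();
            throw $e;
        }
        return true;
    }
    return false;
}

// The weekly cleanup the answer mentions: drop pending rows past their lifetime.
function purgeStale(PDO $db): int
{
    $stmt = $db->prepare('DELETE FROM users_not_activated WHERE created_at < :cutoff');
    $stmt->execute([':cutoff' => time() - CODE_TTL_SECONDS]);
    return $stmt->rowCount();
}

// Demo with constructed values: a wrong guess, then the real code, then a replay.
$db   = connect();
$code = startRegistration($db, 'alice@example.com', 'Alice', 'correct horse battery');
$wrongGuess = ($code === '0000') ? '0001' : '0000';
var_dump(confirmRegistration($db, 'alice@example.com', $wrongGuess));
var_dump(confirmRegistration($db, 'alice@example.com', $code));
var_dump(confirmRegistration($db, 'alice@example.com', $code));
var_dump((int) $db->query('SELECT COUNT(*) FROM users_not_activated')->fetchColumn());
```

In a Laravel app the same three functions map onto a registration controller action, a confirmation action, and a scheduled command; the interesting part for the question is that users carries a UNIQUE constraint on email while users_not_activated does not, so several people can hold pending rows for the same address but only the first correct code creates the account, and that success wipes the others.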