Google Login - security

I am very excited to deploy the login with Google - this is a great feature.
However, I need to figure this out before I can deploy.

Since we don’t verify a user’s ownership of their email address with ADALO sign up, how do I prevent others from hijacking someone else’s email?

Case

  1. BadGuy creates a new ADALO login - hello@gmail.com
  2. The real owner of hello@gmail.com signs in with Google login.
  3. BadGuy signs in using ADALO login and steals his info

What are your thoughts on the best way to deal with this?

Thanks
Leo

I am thinking you can make a field called ‘verified’ in the user table. Then when the user signs in, if that field is not marked ‘yes’, it goes to a screen which triggers an email to be sent with a verification code. Then don’t let them go any further into the app unless they are verified.

You could generate the code with a random number or you can use the randomizer component which generates a UUID that would be perfect for the email. Good practice would also be to put a date field when the code was sent so that it expires after 2 hours or so.
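Added example (not code from the thread or from Adalo): the flow in the reply above, worked through against Leo’s case. The users table, the 2-hour expiry and the verified flag are stand-ins constructed for this illustration; it gates every password login on the flag rather than allowing an unverified first session.

```python
import hmac
import secrets
from datetime import timedelta

CODE_TTL = timedelta(hours=2)  # expiry window suggested in the reply

# Stand-in for the Adalo Users table (constructed for this example).
USERS = {}

def _record(email):
    return USERS.setdefault(email, {"verified": False, "providers": set(),
                                    "code": None, "code_sent_at": None})

def send_verification_code(email, now):
    # Fresh unguessable code (the reply's UUID idea) plus the time it was sent.
    # The real app emails it; it is returned here only so the example can run.
    user = _record(email)
    user["code"] = secrets.token_urlsafe(16)
    user["code_sent_at"] = now
    return user["code"]

def signup_with_password(email, now):
    # Adalo email/password signup: the mailbox is NOT proven at this point.
    _record(email)["providers"].add("password")
    return send_verification_code(email, now)

def verify_code(email, submitted, now):
    # Only the mailbox owner can read the code, so success proves ownership.
    user = USERS.get(email)
    if not user or user["code"] is None:
        return False
    if now - user["code_sent_at"] > CODE_TTL:
        return False  # stale code: a new one must be requested
    if not hmac.compare_digest(user["code"], submitted):
        return False  # constant-time compare of the secret
    user["verified"], user["code"] = True, None  # single use
    return True

def login_with_password(email):
    # Password sessions are gated on the verified flag every time, not just once.
    user = USERS.get(email)
    if not user or "password" not in user["providers"]:
        return "denied"
    return "ok" if user["verified"] else "needs_verification"

def login_with_google(email):
    # Google already proved the mailbox, so no code is needed. The flag is left
    # untouched: it means the PASSWORD holder proved ownership, which BadGuy never can.
    _record(email)["providers"].add("google")
    return "ok"
```

In Leo’s scenario BadGuy’s password login stays at "needs_verification" because the code only ever reaches the real mailbox, while the owner’s Google login works without any code.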


Good idea.
Perhaps let the Users do whatever they need to do on their first session (less friction) but subsequent Adalo login must be with verified email.
No need for verified email with Google/Apple login
