Reduce friction for invited member signups #1649

Open
KevinTriplett opened this issue Jul 18, 2024 · 3 comments

Comments

@KevinTriplett
Contributor

KevinTriplett commented Jul 18, 2024

Currently, invitations require the invited to enter their email address. This part is okay because the person may want to use a different address.

The friction comes if the email they enter is the same one used for the invitation: they have to re-verify their email by entering a code sent to the same email address.

I propose skipping email verification if the email submitted in the signup form matches the email in the "Join" from the link in the invitation email.

@KevinTriplett
Contributor Author

KevinTriplett commented Jul 18, 2024

@tibetsprague, may I tackle this one? I have several groups that I want to invite people to reduce their friction in migrating to Hylo.

@tibetsprague
Contributor

Hmm, but then couldn't someone else use your invite link to sign up as you? I suppose that's an edge case but possible 🤔

@KevinTriplett
Contributor Author

KevinTriplett commented Jul 19, 2024

Valid edge case -- I thought of several mechanisms*, only one felt valid:

Alice forwards the invite link to Bill, wanting him to join her in the same group (I'm assuming pronouns here). But she forwards it before using it, so Bill accidentally signs up with Alice's email. This can potentially be avoided by showing Bill the signup email address in an input, so he has a chance to change it.

I feel like posting this on Hylo Dev Circle as a proposal. You don't need to respond if you agree with this as a next step.

* Other mechanisms:

  1. Nefarious: Bill has access to Alice's email. Bill signs up and Alice gets the welcome email. Alice is curious why she's getting this welcome email and goes to the site and potentially regains control via the "forgot password" feature. Bill can then regain access using the same mechanism, since he has access to her email. But Bill can change the account email. But Bill could have spoofed Alice with this other email address all along, so this feels weak to me.

  2. Nefarious: Alice forwards the invite link to Bill. But this is unavoidable with the current system, since Alice can let Bill sign up using her email and forward the verification code to Bill.

  3. Accidental: Alice forwards the invite link to Bill, wanting him to join her in the same group. But her invite will not be valid if she's already a member, so this is guarded against. In this case, we could offer Bill an input to enter his email, although that might lead to Alice, forgetting she'd already signed up or clicking an old invite link, creating multiple accounts.
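A sketch of the decision logic discussed in this thread, added here as an example and not taken from Hylo's code base: verification is skipped only when the submitted address matches the invited one and the invitation is still unused. The store layout, token value, addresses and function names are hypothetical, and the sample data is constructed.

```javascript
// Added illustration; every name here is hypothetical, not Hylo's code.
function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Constructed sample data: one pending invitation addressed to Alice.
function makeStore() {
  return {
    invites: new Map([
      ['tok-alice-constructed', { email: 'alice@example.org', usedAt: null }],
    ]),
    members: new Set(), // normalized emails that already have an account
  };
}

// Decide what a signup form submission from an invite link leads to.
function handleInvitedSignup(store, token, submittedEmail) {
  const invite = store.invites.get(token);
  if (!invite) return { action: 'reject', reason: 'unknown-invite' };

  // Single use: once the invitee is a member, a forwarded or old link is dead.
  const invited = normalizeEmail(invite.email);
  if (invite.usedAt !== null || store.members.has(invited)) {
    return { action: 'reject', reason: 'invite-already-used' };
  }

  const email = normalizeEmail(submittedEmail);
  if (email !== invited) {
    // The link proves nothing about a different address, so keep the
    // existing code-by-email step. The invite stays pending until then.
    return { action: 'send-verification-code', email };
  }

  // Same address: holding the link is accepted as proof of mailbox control.
  // Whoever holds an unused link gets this result, which is the forwarded-link
  // case raised in the thread; the signup form should show this address in an
  // editable input before submission.
  invite.usedAt = Date.now();
  store.members.add(email);
  return { action: 'create-account', email, verifiedBy: 'invite-link' };
}
```
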
