Confirmation Email with Node.js

Fantastic tutorial. Didn't mention things like User signup/login which is great considering most people who are looking for user email auth have that already completed. Concise, clear and very useful. Thanks Ben!

rsac

i really wish if the whole app had videos, thank you so much for your effort

rosalyna_

Was just going to implement this into my own project & i was looking for ways how to do it.
Nice share! Cloning it now to see how it all fits together.

Cheerz!

dzengiztafa

Awesome video! I would like to throw out an opinion if that's alright.

If you're still a small platform, it's probably better to allow your user some time on the platform without confirming their account + maybe 1 sign in without confirming. This is because going to one's email account is an additional step, which creates friction, and if they don't necessarily know what you're about (you're a small platform, after all) then that might be enough to make them forget about.

So for most of us, after they attempt to register an email, I would create an account for them in the db with a confirmation field showing the number of successful sign-in's prior to confirmation, as well as how much time has passed since they created their account. If this time passes, use client side JS to log them out, and server side to keep them logged out until they confirm. The nice thing about this approach is that the user can start using your product quicker, and hopefully *want* to keep using it. At that point, verifying their account doesn't seem as arduous. Also, I recommend setting permissions on the various (paid) services on your platform to push them in that direction. For example, you can't complete any purchases until your account is verified, or something like that.

If you really wanna push people a little more vigorously, I'd suggest having a fixed bar at the top that "moderately" breaks the theme of your site (indirectly make them wanna get rid of the eye sore) and use that as a reminder to get confirm their account. You may choose to display this indefinitely, or perhaps only until some eventual timeout. If I join a platform and spend 30 minutes doing stuff on it, I'm more likely to confirm my account. Obviously, platforms like Instagram have the luxury of forcing you to confirm or else lose your account. That might be the way to go if you're a bigger platform. Oh, and I guess one bonus tip is that if the user doesn't confirm their email within some time of signing out or failing to sign back in (they've used up their unconfirmed sign-in's), then consider them disinterested, and send them an email notifying them that they have x time to confirm their account, or it will be deleted. Don't be pushy about it. Your platform isn't for everyone, and that's okay. Those that wanna vibe in your corner of the internet will stick with you. Hope my suggestions help someone.

I'm a founder working on JobParty, which is essentially "Twitch for jobs". With JobParty, you can livestream your skills, get rated, and get matched with amazing, highly relevant, opportunities". I hope to share my experience building a shiny, useful thing for cool people that are tired of throwing resumes into the digital void. I've applied to 100's of companies online and can confirm that looking for a job is, in fact, a job. Now you can stream your skills and demonstrate your ability, and go straight to the interview stage. No more applications!

You can check out my project at jobParty.co, or not. No pressure. That said, feedback would be awesome!

The MVP launches in the about 50 days!

ozzyfromspace

I'd love to see an updated version

darkmift

Awesome, yeah I was wondering a little about JWT, but was thinking UUID was simpler. But I've now changed my mind. Thank you!

kebman

I see you are storing data in database until user confirms the email address. Let's say I'm a malicious user and I just register thousands of emails without confirmation. In that case you are storing unnecessary data in your db. Is there any other best place to store data until email confirmation?

Rajkumar-opfd

Hey Ben, wouldn't this cause an issue if you allow users to change their email?
For example, if a user set their email and the confirmation is sent, but they then changed their email and then clicked the confirmation link from when they first set their email. This would set the confirmed property to true for whatever email address they changed it to without needing a confirmation.

You could put the email in the jwt, and then check that it matches the users email on confimation, but this would expose the user's email in the url since jwts are readable.

The only solution I can think of is to set a property on the user of when they last changed their email. So, if the time of email change is after the token iat (the time the token was issued at) then you would decline the confirmation.

peterlittle

Awesome vid! My only question is why put the confirmation endpoint outside of the graphql layer? Is there a benefit/is it hard to hit a graphql endpoint from an <a> tag?

stazrad

pretty good but i dont understand why it doesnt work for me.
JWT signed tokens have dots seperating 3 sections of the token, when i click the link that i send with email, it tells me page doesnt exist,
but when i remove the dots, it gets me to my localhost page

Mark-nmsm

Thanks Mr. B.. this really helped. keep up the good work

degraphe

2:29 I got an error: Cannot fimd name 'DataTypes'. ts(2304)

seeking

So if we tie this to frontend, we would have to just send a GET request to that route? Bad idea to send client directly to backend endpoint?

mr.random

Thanks for your help! Works excellent :D

juanchox

If you're not awaiting, then it's happening synchronously not ASYNCHronously... right?

JassarDev

Thank you for this tutorial, your both methods work perfectly. However only the asynchronous method (with try catch) work in production (tested in Vercel)

sofienabidi

Hello Ben, I just wanted to know what would happen if the token expires and there is no confirmation. By the time they register their account again, the account would already be registered from previous try. thanks

lokeshbajracharya

Can we use a similar strategy for Forgot password link?

yashone

Hello, thanks for the effort man, but im just begining and developping an app and i have a question.
What is the resolver.js i dd understood. I have like my modals, my routes, my controllers and my reducers! tell where should i put the nodemailer setup to send the email ?

soussivic

Hi I am trying to learn this, so far I can create, modify users and delete them. I need to verify them. I have a client and a server side set up, all these has to be done on the server side correct? Do you also have a tutorial that will catch the error on the server side and send it to the client side? Thanks.

nicolocarloparazo