I am currently having an issue in which users sign up with a different email than that with which they checked out (their data gets stored in our backend by email address). However, I’d rather not block signups outside of checkout, because (as of now) I also allow signups before purchasing the product. I could automatically generate an account for users on checkout, but that wouldn’t change anything if they then signed up with another email later.
My current thought is that I’ll add ways to try to ensure they sign up with their email from checkout. To that end, I’ve just added a feature that saves their email in localStorage on checkout and will autofill on the combined login/signup page. Obviously, though, that will only help if they use the same device. My other thought was that I’d include a token on each email as a parameter on outgoing links to our portal, that would also autofill their email on login/signup for other devices.
My primary question is whether the above italicized sentence is bad security practice. I do use NextJS (along with React) so some of it is rendered server-side, but I’m thinking I’d have to handle that query parameter on the client side(?), in which case I’d probably have to create an unauthenticated endpoint for converting tokens to emails. Thus, anyone who intercepts the URL (with enough motivation) can also figure out my customers’ emails. Is this a reasonable risk? Am I being unnecessarily paranoid? If not, what’s an alternative way to achieve the desired result I’ve described? I’m open to ideas.
Would also welcome comments about the aforementioned practice of saving plaintext customer emails in localStorage.
Additional context: I use Firebase for authentication, everything is written in Typescript.
2
Answers
First of all, if anything touches the client, consider it as compromised until proven otherwise. You cannot rely on client side code, ever. If you do, you must revalidate server side.
Let’s start simple with a plain text email in the link. There are basically two risks:
But risk is a factor of impact and likelihood. At the Internet scale, you can consider likelihood as "almost certain", even for low value assets.
The impact of these events happening will guide the controls you put in place to prevent it. If it is just a display issue, you might not have to do anything. Saying "Welcome (wrong email)" might not be worth the trouble of fixing.
But if you rely on this value to do some form of authentication, then you must ensure:
You will probably also need to think about these requirements:
This could be a whole project, but replacing the email with a "token" will work:
generated_timestamp+emailand maybe some context, like an account number or something. For example[email protected]_123456. A timestamp in minutes or hours is good enough.When the server (remember, the client cannot be trusted) receives the token it will:
A couple of notes about key management:
currentkey, if it fails try with thepreviouskey if you have it. If it fails again, rejectcurrent,futureandpreviouskeys will ease deploymentfuturekey to your algorithm, and use it as a signal that it is now thecurrentkeypreviouskey after N days (or after thefuturekey becomescurrent), because you will reject those token regardless.What this reminds me of is the unsubscribe link at the bottom of mailing list emails. Those have a token as a query parameter, that leads to a page where you can configure email notification settings without having to log in. Sometimes the page itself will say something along the lines of
modifying email settings for [email protected]
and to my understanding this seems to be the same as what you are thinking. If so many large companies do this with no issue, perhaps it might be ok for you to do as well.
My second thought is if a malicious actor intercepts this URL, wouldn’t they already know or be able to know the customer’s email, since the URL is contained inside the email?
I certainly agree with @ixe013’s very good answer that this isn’t secure if it is a method of authentication