I am currently developing an API. I am using Strongloop (Loopback).
I am trying to implement email verification for when a user registers. I have a "user" model which extends the built-in "User" model.
Right now, when the user registers (POST /users), an email is sent with a link to /users/confirm with the three appropriate parameters i.e. uid, redirect and a token. When the user clicks on the link, the latter's email address is correctly verified (emailVerification field becomes true).
However, I've noticed that when making a POST request on /users, the response contains the verification token. Is this normal? Shouldn't the verification token be accessible only via the sent email?
Because as it is, by making a POST request on /users and getting the verification token in the response, one can easily send another request to users/confirm with the appropriate parameters (which include the verification token) and verify the email address even if the address doesn't exist.
I am new to Strongloop and maybe I'm missing something. Can you guys help?
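One way to keep the token out of the API response, as an added example that is not part of the original question or the linked repository. It assumes the custom model is named "user" as in the question and uses LoopBack's standard `afterRemote` hook; the sample record and fake model object are constructed for an offline run.

```javascript
// Added example, not code from the question or the linked repository.
// Goal: the verification token should reach the user only through the
// confirmation email, never in the JSON response of POST /users.
//
// Option 1 (declarative): in common/models/user.json add
//   "hidden": ["verificationToken"]
// so LoopBack omits the field whenever the model is serialized.
//
// Option 2 (programmatic, shown below): a remote hook on `create` that strips
// the field from the response. `afterRemote` and `ctx.result` are the
// standard LoopBack remote-hook API. The helper is pure so it can be tested.

const HIDDEN_FIELDS = ['password', 'verificationToken'];

// Return a plain copy of a user record with sensitive fields removed.
// Works for plain objects and for model instances that expose toJSON().
function stripHiddenFields(record, hidden = HIDDEN_FIELDS) {
  const plain = typeof record.toJSON === 'function'
    ? record.toJSON()
    : Object.assign({}, record);
  for (const field of hidden) {
    delete plain[field];
  }
  return plain;
}

// Register the hook on the model. In a LoopBack app this is what the body of
// common/models/user.js would do: module.exports = function (User) { ... }
function registerUserHooks(User) {
  User.afterRemote('create', function (ctx, instance, next) {
    ctx.result = stripHiddenFields(ctx.result);
    next();
  });
}

// Offline demonstration with a constructed record and a fake model object
// that simply stores the registered hook under the method name.
function demo() {
  const fakeUser = { afterRemote(name, fn) { this[name] = fn; } };
  registerUserHooks(fakeUser);
  const ctx = {
    result: { id: 1, email: 'alice@example.com', verificationToken: 'constructed-token' },
  };
  fakeUser.create(ctx, ctx.result, function () {});
  return ctx.result; // { id: 1, email: 'alice@example.com' }
}
```

The hook only covers the `create` endpoint; the `hidden` model setting in user.json applies to every endpoint that serializes the model (GET /users, GET /users/:id, ...), so prefer it and keep the hook as a belt-and-braces check.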
I just finished the example. See:
https://github.com/strongloop/loopback-faq-user-management