 

How can I implement exclusive/invite-only user registration?

I'm creating a site with user auth, and I plan to limit access using either invites or some other method.

The site is built on Node, Express, and MongoDB. I plan to use Passport JS, mainly because it's the only method I've learned (this is my first personal project).

The only idea I have is a "secret code" on the registration page. Thus only those I've told the code can register. I have a feeling there are more elegant or secure ways to handle this, and would love any recommendations!

Kevin Chou asked Apr 01 '18 03:04

3 Answers

I think your idea is correct in principle - it's the same method used for registration/beta keys for games. You generate a unique 'key' for each user you invite to register. They register with that key and it is marked 'used' in your database; this prevents other users from discovering that key and re-using it.

You could also use email addresses in essentially the same way. The email address that is used to register must be on your 'invite list'. And when you 'confirm' an address by sending a 'click this link to confirm' email you will have to generate another key for authenticity.

Therefore, upon registration with an invited email, you could generate a key as follows:

    require('crypto').randomBytes(48, function (err, buffer) {
      if (err) throw err;                       // random source failed; do not issue a key
      var key = buffer.toString('base64');      // 48 random bytes -> 64-character key
      // then save the key with the new user in the database
    });

Then send an email with a confirm link containing the key, for example:

https://www.mywebsite.com/users/confirm_email/{key}

This link would call a 'confirm_email' action on your server, look up the specified key, and enable the account it is associated with.

You might want to add an expiry along with each key creation for a bit of added security. Maybe only 24 hours to confirm the email.

Nick answered Nov 12 '22 05:11


You don't need any secret codes if it's with invitations:

When someone invites someone else, you store the email invited somewhere. You simply need to check that a new user is "on your guest list" when he tries to register.

Of course, to be "secure" this approach assumes you actually check that an email address properly belongs to the user that registers, for instance with a verification email, as is usually done. The point is that you don't need an additional token.

Pac0 answered Nov 12 '22 05:11


One solution I can think of just generates the token using the sender's token (use jsonwebtoken signed with an expiry time and the sender's token). Now, when the user who is invited receives the link, let's say: http://localhost:5000/invite/${token}, and the link is clicked, a GET request will be sent to the server. Catch that request, and then in the backend decode that token and check your user database: if that user (i.e. the sender) exists and the token is not expired, then it's a valid invitation, so directly redirect the invitation receiver to the register page; else send the message that the invitation is not valid.

Hope this helps. Let me know your views.

Rupesh answered Nov 12 '22 05:11