What is the workflow for a secure 'verify by email' system?

Question

I am thinking of a forum type system that will allow users to post/edit posts without an account but through e-mail verification.

So, you would fill out the form, supply email address, submit, and then receive a link in an email that would 'activate' your post. Same thing to edit. Click 'edit', receive email with link, link takes you to edit form.

I'm trying to understand the exact steps to securely do this. How do I create a link that will expire after some time period? How do I ensure it is coming from the email address and not just some bot cycling through potential url's?

Any help to get started in the right direction is appreciated.

I am using Python, flask, Postgres on Heroku.

Answer 1

Since you are using flask, you might want to look at itsdangerous library:

https://itsdangerous.palletsprojects.com/en/2.0.x/

Using itsdangerous, the workflow could be something like:

1. User enters the email and post.
2. Generate the secure link using itsdangerous module which can be tied to the specific email
3. Once the user receives the email and the specific URL as generated in step 2, they can click on it to confirm the post. You could even add an extra layer of check when the user clicks this URL where you could ask them to enter their email address again and then match it against the email tied to the URL.