I'm looking at using Spark for a new project but I'm not that keen on the current registration process. I've not been able to find a demo to play with so I can only go by what I have seen on live sites that use Spark.
From what I can see, it works like this:
That's all fine, but there's something else that I don't like and that I consider to be a small security issue (in my use case) and against best practice (according to Troy Hunt):
A bad actor can load the registration form, enter any email address and Spark will confirm if that email address is in use on the system. In my use case for a local service, a small business could be using my service and another local competitor could enter the known email addresses of a rival to confirm if they are using the service.
My ideal solution would be to enter the registration details then:
With this flow, a valid user with an unregistered email address can create an account with no problems; a valid user with an email that is already registered (maybe the user forgot they had an account) will get a reminder email; and a bad actor will not get any information regarding active accounts and email addresses that are using the service.
I guess my questions are:
Have I got the current registration flow correct? Does Spark confirm if an email is in use from the registration page by default? Can Spark be configured to work as per my ideal solution?
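An enumeration-safe registration action along the lines of the "ideal solution" described above, written here as an added example in plain Laravel rather than taken from Spark; the mailable `App\Mail\ExistingAccountReminder` and the `register.pending` route are assumed names, and `App\Models\User` is the default Laravel user model.

```php
<?php

namespace App\Http\Controllers;

use App\Mail\ExistingAccountReminder;   // hypothetical mailable (not part of Laravel/Spark)
use App\Models\User;
use Illuminate\Auth\Events\Registered;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;

class RegisterController extends Controller
{
    public function store(Request $request)
    {
        // Deliberately no 'unique:users' rule on the email field: a validation
        // error there is exactly what tells a visitor the address is registered.
        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'max:255'],
            'password' => ['required', 'string', 'min:8', 'confirmed'],
        ]);

        $existing = User::where('email', $data['email'])->first();

        if ($existing) {
            // Address already taken: notify the account owner by email
            // (reminder plus password-reset link), not the person at the keyboard.
            // Queued so the response time does not differ between the two paths.
            Mail::to($existing)->queue(new ExistingAccountReminder($existing));
        } else {
            $user = User::create([
                'name'     => $data['name'],
                'email'    => $data['email'],
                'password' => Hash::make($data['password']),
            ]);
            // Fires Laravel's standard event, which sends the verification email
            // when the model implements MustVerifyEmail.
            event(new Registered($user));
        }

        // Identical redirect and flash message on both paths, so status code,
        // body and Location header reveal nothing about whether the email exists.
        return redirect()->route('register.pending')   // assumed route name
            ->with('status', 'Check your inbox to continue.');
    }
}
```

Two things the code alone does not fix: the route still needs rate limiting (Laravel's `throttle` middleware) so the form cannot be hammered, and the reminder and verification mails should both go through the queue, since a synchronous send on only one branch reopens a timing side channel.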