Meshcentral: Feature Request - Account Creation Requires Email Validation
Yesterday I enabled new account creation from our login page, with domain filtering set to the corporate email. The domain filtering works great, however I've noticed I can create new accounts using nonexistant emails that have corporate domain. These get the same permissions as accounts made with valid emails, and has me wondering what the email verification actually accomplishes besides the green checkmark.
A bad actor who finds/knows the login page and email domain could flood the server with new accounts using fake emails. The risk may be low, and can be further reduced by restricting permissions on new accounts, but it could still become a massive headache
Would it be possible to implement a configuration option which prevents account creation pending email verification?
MatinatorX
All 4 comments
Good catch.
Ylianst
on 19 Apr 2020
Published MeshCentral v0.5.11 with a new email verification login screen. It blocks login until you provide and verify a valid email address. Testing and feedback appreciated.
Ylianst
on 21 Apr 2020
Closing this since it's probably fixed. Let open a new issue if needed.
Ylianst
on 23 Apr 2020
@Ylianst This works if you create the user yourself, but if the user creates an account from the login screen themselves, the system automatically logs them in immediately after account creation, bypassing verification. Only if the user then logs out and tries to log back will the verification screen show.
MatinatorX
on 24 Apr 2020
Related issues
petervanv
路
3Comments
PathfinderNetworks
路
3Comments
MailYouLater
路
3Comments
MailYouLater
路
4Comments
guerby
路
3Comments
Most helpful comment
Published MeshCentral v0.5.11 with a new email verification login screen. It blocks login until you provide and verify a valid email address. Testing and feedback appreciated.