[Bug?] users may add themselves to any application?

rozek · August 7, 2021, 6:26am

Perhaps, I am misunderstanding s.th., but if not, then

any user may easily add him/herself to any VoltCloud application even if not wanted by the developer.

Procedure

the user submits {{application_url}}/api/auth/register with his/her details
VoltCloud responds with a confirmation email
the user submits {{application_url}}/api/auth/confirm providing the token he/she received

An application developer has no chance to intercept that procedure and make additional tests

The only alternative for the developer is to disable email confirmation at all and implement it him/herself.

As a consequence, the built-in email confirmation mechanism seems only be suitable for VoltCloud applications which are free and open for everybody…

Am I right?

james · August 7, 2021, 12:46pm

You are correct. There is currently no way to disable registration. However this is a feature we’d be happy to implement in the future. This would allow a developer to manage their user list manually. You can actually do this today, but there’s nothing to stop a savvy user from calling the endpoints directly.