Tags: spring, spring-boot, rest, email, confirmation-email

Spring Boot: Confirming registration in RESTful


I'm working with Spring Boot and don't know how to design the registration confirmation process.

  1. Is UUID the best choice to generate a random token? I've seen people write "no, it's not", but they don't explain why or what is better.
  2. A lot of people also suggest avoiding sending the token via a GET param because there is a risk that someone can steal it. They encourage sending POST requests with the token in the request body, but how do I send a POST request from an email? Using ? But then my server should be able to process this request, and does this type of request fit a REST application? Or maybe there is a possibility to send a POST request with a JSON body from an email?

I can't decide how to solve these problems.


Solution

  • UUID seems to be a perfectly fine solution for tokens. I don't see a problem with it.

    Regarding question 2: If you have tokens that would be used multiple times, then indeed using such a token in GET requests is a really bad idea. However, for a registration confirmation, you usually only have tokens that are valid for one use. So as soon as someone has used a token, you should mark this token as invalid. In that case, using it in a GET request doesn't pose any security risk. Also, the token itself should just be used to mark the user account, but it shouldn't allow automatic login of the user once he has clicked on the link. Then you should be fine.
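A minimal sketch of the answer's advice (random UUID token, single use, expiry, no automatic login on confirmation), as an added example that is not code from the question or the answer. It assumes Spring Web on the classpath and Java 16+ (for the record), and uses an in-memory map in place of a real repository; the class and method names are invented for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class RegistrationConfirmationController {

    // Constructed in-memory stores; a real application would use a JPA repository.
    private record PendingConfirmation(String userId, Instant expiresAt) {}
    private final Map<String, PendingConfirmation> pending = new ConcurrentHashMap<>();
    private final Map<String, Boolean> confirmedUsers = new ConcurrentHashMap<>();

    /** Called at registration time: issues a random, single-use, short-lived token. */
    public String issueToken(String userId) {
        // Version-4 UUID: 122 random bits drawn from Java's SecureRandom.
        String token = UUID.randomUUID().toString();
        Instant expiresAt = Instant.now().plus(Duration.ofHours(24));
        pending.put(token, new PendingConfirmation(userId, expiresAt));
        return token;
    }

    /** The email link is GET /confirm?token=...; the token is invalidated on first use. */
    @GetMapping("/confirm")
    public ResponseEntity<String> confirm(@RequestParam("token") String token) {
        // remove() makes the token single-use: a replayed request finds nothing.
        PendingConfirmation pc = pending.remove(token);
        if (pc == null) {
            return ResponseEntity.badRequest().body("Invalid or already used token");
        }
        if (Instant.now().isAfter(pc.expiresAt())) {
            return ResponseEntity.status(HttpStatus.GONE).body("Token expired, please register again");
        }
        confirmedUsers.put(pc.userId(), Boolean.TRUE);
        // Deliberately no session or JWT is created: confirming the address does not log the user in.
        return ResponseEntity.ok("Account confirmed, please log in");
    }

    public boolean isConfirmed(String userId) {
        return confirmedUsers.containsKey(userId);
    }
}
```

Because the token is removed before any other check, a second visit to the same link (for example from a mail scanner that pre-fetched it) is rejected rather than reprocessed.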