I implemented a feature that makes sign-up require an email confirmation. It sends an email to the address a user provides during the sign-up process, so you can confirm that the address exists and is reachable. This prevents some kinds of people from creating many spam accounts.
In the current implementation, when the provided address is already used by an existing user,
- A) Plume doesn’t send any email to anyone, but,
- B) Plume says that an email was sent to the address.
What do you think about this behavior?
A’s purpose is:
- not to send annoying emails to existing users.
B’s purposes are:
- not to inform the person signing up that there is a person they can contact using the email address, and,
- not to inform them that there is a user on Plume whom one can attack by trying many passwords.
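Behaviors A and B together, as an added sketch that is not Plume's own code: the handler queues a confirmation mail only for a new address, yet returns the same response in both cases. The `Instance` type, `request_signup`, the in-memory outbox and the case-insensitive address comparison are all assumptions made for illustration.

```rust
use std::collections::HashSet;

/// What the sign-up form shows the visitor. There is deliberately no
/// "address already in use" variant.
#[derive(Debug, PartialEq)]
pub enum SignupResponse {
    ConfirmationSent,
}

/// Hypothetical in-memory stand-in for the user table and the mailer.
pub struct Instance {
    pub registered: HashSet<String>,
    pub outbox: Vec<String>, // addresses a confirmation mail was queued for
}

impl Instance {
    pub fn new(existing: &[&str]) -> Self {
        Instance {
            registered: existing.iter().map(|e| normalize(e)).collect(),
            outbox: Vec::new(),
        }
    }

    /// Handles a sign-up request for `email`.
    pub fn request_signup(&mut self, email: &str) -> SignupResponse {
        let email = normalize(email);
        if !self.registered.contains(&email) {
            // New address: queue the confirmation mail.
            self.outbox.push(email);
        }
        // (A) nothing was queued for an existing user, and
        // (B) the caller gets the same answer either way.
        SignupResponse::ConfirmationSent
    }
}

/// Assumption: addresses are compared case-insensitively after trimming.
fn normalize(email: &str) -> String {
    email.trim().to_lowercase()
}

fn main() {
    let mut plume = Instance::new(&["alice@example.org"]); // constructed sample data
    let taken = plume.request_signup("Alice@Example.org");
    let fresh = plume.request_signup("bob@example.org");
    println!("identical: {}, queued: {:?}", taken == fresh, plume.outbox);
}
```

Queueing the mail instead of sending it inside the request keeps the response time from revealing which branch ran.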
(Updated on 2021-01-07)
A confirmation email is sent once when a user signs up (registers), so users can log in without email confirmation. And users who existed before this feature is enabled don’t need to be confirmed.
Any comments are welcome. I want to release this feature as version 0.7.1 in several days if there are no problems.
You may try this feature today using the latest source code or Docker image. It requires running migration before restarting Plume:
% plm migration run
Then set the SIGNUP environment variable to email:
% SIGNUP=email plume
Thank you for using Plume. I hope you manage Plume instances with comfort.