Hey,
For privacy reasons, I want to only store the hashed-salted version of a user's email (in favor of restoring the user's password for example).
It seems one way to go about this is to hook to action:user.email.confirmed and there generate a salt, created hashed email, store hashed email and salt and remove the non-hashed email from the db.
Then I would also need to also hook somewhere in the forgot email logic.
This would also require disabling email editing for the user of course.
The downsides of the above are:
I'm new to NodeBB (and web development in general), and would appreciate any pointers.
Thanks!
How would password resets be done?
@pitaj I was thinking to compare the hash of the provided email to the stored hashed emails in the db.
Ah good point. What about users who don't confirm their email?
@pitaj Yes, this is one downside of this approach.
Users with unconfirmed email will not be able to post, so at least there won't be posts associated with the unhashed email, but this is not ideal.
Nir S
You could instead only keep the email around until the validation email is sent, then replace it with the hash.
Thanks!
I guess I can hook to action:user.email.confirmed for reading the existing email and then replacing it with a hashed version.
However, password reset wouldn't work since it wouldn't find the uid for the (non hashed) email address provided (here).
We can add a hook for preprocessing the email before looking for the uid, but that won't be enough since later the email is sent according to the email field in the db (i.e. not the email provided by the user when asking to reset).
One possible solution is:
Does that make sense?
Nir S
