[Cosmo-dev] account activation link persistence
Travis Vachon
travis at osafoundation.org
Thu Nov 16 17:17:18 PST 2006
Hi folks,

I'm working on the design for account-activation-by-email, and wanted
to sanity check on a data persistence issue.

The way we want this to work (I believe) is that when a user signs up
for an account, they should be sent an e-mail with a link something
like "http://osaf.us/cosmo/account/activate?id=ag3de98435jsdf45".
When a user goes to that page, we should look up the id hash and
activate the account associated with it. To ensure good security, one
should not be able to calculate the id hash that corresponds to a
given username.

This suggests that we need to store a mapping from id numbers to
usernames somewhere in the database. I have a couple of ideas for
this, and wanted to see what you all thought:

1. Store each id number as a server property that looks something
like "cosmo.account.activationId.ag3de98435jsdf45=username". This
would reuse existing infrastructure, and would probably be the
easiest on my side. The downside is that it would clutter up the
server property space, and it might be trickier to implement
expiration dates.
This doesn't seem like a good idea.

2. Create a new data structure specifically for these activation ids.
This would be a table that mapped activation ids to usernames and
expiration dates (or creation dates). The only downside to this is
that it should be done before the upcoming sharing data model branch
so I don't have to work on this feature in the branch. I don't
anticipate this taking too long, but I'll have to dig deeper into
Hibernate (I ain't scerr'd ;) ). At the very least, I'd like a sanity
check before jumping waist deep into this.

In either case, I'd also like to keep track of a seed number for the
activation id that is incremented each time a user signs up to avoid
activation id collisions. Is there any reason not to use a
ServerProperty for this?

Thanks a bunch,
-Travis
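
An added example, not part of the original message and not Cosmo code: a Java sketch of the second option above (a dedicated mapping from activation id to username and expiry), assuming ids drawn from SecureRandom and stored only as SHA-256 digests. The class and method names are hypothetical, and an in-memory map stands in for the Hibernate-backed table.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: every name here is hypothetical, none of it is Cosmo code.
public class ActivationTokens {
    private record Pending(String username, Instant expiresAt) {}

    private final SecureRandom rng = new SecureRandom();
    // Stand-in for the database table: SHA-256(token) -> (username, expiry).
    private final Map<String, Pending> table = new ConcurrentHashMap<>();

    // 16 CSPRNG bytes: not derivable from the username, collisions negligible.
    public String issue(String username, Duration ttl, Instant now) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(digest(token), new Pending(username, now.plus(ttl)));
        return token; // goes into the e-mailed link; only its hash is stored
    }

    // Single use (remove) and rejected once past its expiry time.
    public Optional<String> activate(String token, Instant now) {
        Pending p = table.remove(digest(token));
        if (p == null || now.isAfter(p.expiresAt())) return Optional.empty();
        return Optional.of(p.username());
    }

    private static String digest(String token) {
        try {
            byte[] h = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(h);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JVM
        }
    }

    public static void main(String[] args) {
        ActivationTokens t = new ActivationTokens();
        Instant now = Instant.parse("2006-11-16T00:00:00Z"); // constructed sample time
        String tok = t.issue("alice", Duration.ofDays(2), now); // constructed user
        System.out.println(t.activate(tok, now.plusSeconds(60)));  // first use
        System.out.println(t.activate(tok, now.plusSeconds(120))); // replay of same link
        String old = t.issue("bob", Duration.ofDays(2), now);
        System.out.println(t.activate(old, now.plus(Duration.ofDays(3)))); // past expiry
    }
}
```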