Web applications commonly require that users register using a valid email address. A working email address is crucial for common tasks, such as resetting passwords and account management. Email verification is also essential for ensuring signups are from real users.
The purpose of this article is to provide a high-level overview of implementing email verification using Node, Express, and MongoDB. This tutorial uses Mongoose as an ORM for MongoDB and NodeMailer for sending out emails.
This tutorial is meant to act as a general guide. Most likely, implementation details will vary based on your Node application.
It’s not rocket science, but here’s the verification workflow we’ll be using.
  1. A user registers for an account. The user is created, but the user still needs to be verified via an email confirmation. The user cannot log in until their account is verified.
  2. A verification token is emailed to the user.
  3. The user receives the verification email in their inbox. A link is provided in the email that passes the verification token back into your application.

Creating Your Models

We’re going to need to make a couple of modifications to your database to support email verification.

Tracking Verification In Your User Model

To get rolling, we’re going to need a way to distinguish which users have been verified. To track verification, we’re going to add a new isVerified flag to the User model. Notice that the default value for isVerified is false.

Create Token Verification Model

When a user signs up, we’re going to create a verification token within Mongo. We need a new model to handle our verification tokens.

There are a couple of interesting points regarding our verification tokens:
  • Not surprisingly, you will need to provide the userId of the user the token is issued to.
  • More interesting, there is a powerful feature in Mongo called “expires” that sets a document’s time to live, known as TTL. In the model above, the TTL expires attribute is set to 43200 seconds, meaning the verification token document will automatically delete itself after 12 hours. This means users will have 12 hours to activate their accounts before their verification tokens expire. If a user doesn’t confirm their account in time, they can request a new verification token.

Registering Additional Routes in Express

In addition to your normal Sign Up and Login functions, we’re going to need two new routes in Express.

The first route will be used for token confirmation. The second route will be used in case a user needs to resend a new confirmation token.

Tying Everything Together In Node

The majority of work to implement email verification is done in Node.

Log In

First, we need to add a small bit of logic to our login function to ensure all users have been verified. If a user has not been verified, return a status code of (401) Unauthorized with the appropriate message.

In the example code below, we’re using token-based authentication. It would be easy to change the code to use Passport instead. Really, all you need to do is modify your login code to check for isVerified.
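The login check described above, as an added example (not the article's original code): the in-memory `userStore`, the scrypt password hashing, the response shape and the message strings are assumptions standing in for your own User model and login handler.

```javascript
const crypto = require('crypto');

// Hash a password with scrypt; the salt is stored next to the hash.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Constructed records standing in for documents from the User model.
const userStore = new Map([
  ['verified@example.test', { ...hashPassword('correct horse'), isVerified: true }],
  ['pending@example.test', { ...hashPassword('battery staple'), isVerified: false }],
]);

// Hypothetical login logic. It returns { status, body }, which an Express
// handler would send with res.status(status).send(body).
function login(email, password) {
  const generic = { status: 401, body: { msg: 'Invalid email or password.' } };
  const user = userStore.get(email);
  if (!user) return generic;

  const candidate = crypto.scryptSync(password, user.salt, 32);
  if (!crypto.timingSafeEqual(candidate, user.hash)) return generic;

  // Check isVerified only after the password matches, so the "not verified"
  // message never confirms that an account exists to someone without the password.
  if (!user.isVerified) {
    return {
      status: 401,
      body: { type: 'not-verified', msg: 'Your account has not been verified.' },
    };
  }

  // Issuing the auth token (or Passport session) is left to your existing code.
  return { status: 200, body: { email } };
}
```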

Sign Up

When a user signs up, instead of logging them in immediately we are going to email them a confirmation token to ensure they provided a real email.

We’re using a couple of packages, crypto and nodemailer, to assist in token creation and emailing.

Token Confirmation

You are also going to need a Node function for confirming verification tokens. It’s important to remember that, based on the TTL in our model, verification tokens will automatically delete themselves after a set period of time.

Resending Tokens

It’s inevitable that some users will not be able to verify their account before their token expires. We’re going to need a mechanism for reissuing confirmation tokens.
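The token lifecycle from the Sign Up, Token Confirmation and Resending Tokens sections, as an added example (not the article's original code). In-memory Maps stand in for the User and Token collections; the function names, storing only a SHA-256 hash of the token, and the explicit expiry check are assumptions of this example.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 43200 * 1000; // 12 hours, the TTL the article sets on token documents

// In-memory stand-ins (assumptions) for the User and Token collections.
const users = new Map();  // email -> { isVerified }
const tokens = new Map(); // sha256(token) -> { email, expiresAt }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const rejected = { status: 400, msg: 'Token is invalid or has expired.' };

// Used by sign-up and by resend: mint a random token, store only its hash,
// and return the raw value that goes into the emailed link.
function issueToken(email, now = Date.now()) {
  const user = users.get(email);
  if (!user || user.isVerified) return null;
  // Drop earlier tokens for this user so only the newest link works.
  for (const [hash, t] of tokens) if (t.email === email) tokens.delete(hash);
  const raw = crypto.randomBytes(32).toString('hex');
  tokens.set(sha256(raw), { email, expiresAt: now + TOKEN_TTL_MS });
  return raw;
}

function signUp(email, now = Date.now()) {
  if (users.has(email)) return null;
  users.set(email, { isVerified: false });
  return issueToken(email, now);
}

// Confirmation route logic: look the token up by hash, consume it, reject it
// if it is past its lifetime, otherwise mark the user verified.
function confirmToken(raw, now = Date.now()) {
  const key = sha256(String(raw));
  const entry = tokens.get(key);
  if (!entry) return rejected;
  tokens.delete(key); // single use
  if (entry.expiresAt <= now) return rejected;
  users.get(entry.email).isVerified = true;
  return { status: 200, msg: 'The account has been verified.' };
}
```

MongoDB's TTL monitor removes expired documents in a periodic background pass rather than at the exact second they expire, which is why this example also checks the expiry time at confirmation.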

Voila! Your Node App Now Has Email Verification

Your web application is now ensuring users register with real, operational email addresses. This should help in keeping out some of the riff-raff and make sure users can regain account access when needed.

Again, this tutorial was meant to provide a high-level guide and the implementation details will most likely vary based on the specifics of your Node application.

Josh Greenberg is a developer, partner, and founder at Codemoto based in Boulder, Colorado. I’ve been developing commercial web applications for the last twenty years. With a long history in C#, ASP.NET, MVC, I’ve been mostly focused on NodeJS, Angular, Express, and MongoDB for the past few years.

Comments

4 Comments on "Email Verification in Node, Express, and MongoDB"

Mark Niles
Guest

This concise article was perfect for me getting email verification stitched into my MEAN app. Thanks for taking the time to put this together.

Jim Marstick
Guest

Just what I needed. Clearly written and it works! Helped me out big time.

Lou Godard
Guest

Nice job. You just saved me a bunch of time. Much appreciated. Cheers!

Mike Tase
Guest

Thanks much man. This saved me a lot of time and effort. Good job.
