Summary

The account recovery form being developed at T399742: Integrated on-page form for EmailAuth recovery requests is currently missing a verification step. This means that requests using that form have unauthenticated emails. To counter this the form should first verify the email.

Background

• This is a problem because it allows for spammy requests and means we cannot trust the user has control of the email they claim to use.
• The process we are imagining is as follows:
• User submits the mediawiki account recovery form
• MediaWiki sends a verification email with a token
• User clicks the verification link
• MediaWiki creates the Zendesk ticket

User story

• I am not receiving email authentication codes sent by Wikimedia sites when I attempt to log in. This is probably because:
  • The email address on my account is no longer active or I do not use it anymore
  • The email address on my account has a typo in it and thus was never verified
  • My email provider is blocking emails from Wikimedia
• I click a link leading to the Account Recovery form (T399742)
• I input my details (username, old email if I remember it, current email, additional comments if necessary) and submit the form
• MediaWiki sends an email to the provided address with a verification link, and I am told on the form success screen to find/click it
• I go to my email and click the link
• The request is sent to Zendesk with the now-verified email

Technical notes

• Zendesk provides a verification API documented here.
• I assume we will probably need somewhere to store the request before it is sent (while we are waiting for the user to verify their email)?

Acceptance criteria

• MediaWiki form is deployed - T399742: Integrated on-page form for EmailAuth recovery requests
• Verification step is implemented
• Documentation is updated