Users should be able to change their email address #13
Description
A user should be able to change their email address. There should be a safe process for this.
The process is as follows:
- A user submits their new email address
- A verification email is sent to the new email address (with link to confirm change)
- A notification email is set to the current address (with link to cancel change)
- Once confirmed, the old email is deleted and the new is now the primary
- A notification email is sent to both addresses (old and new), confirming process complete (if a group account, notify all management level users). Process complete means both cancelled and done.
Some other technical notes:
- Emails are hard deleted with an audit-log entry in the events table
There are some additional email rules that need enforcing:
- Emails cannot be shared between accounts
- Group accounts do not permit login by email
- There is only one email change in-flight at any time
- Starting a new email change, cancels all other in-flight email changes
- All accounts must have an email address
- Once confirmed, it cannot be cancelled
- If confirmed in error, they must contact support to revert
This begets a total of 3 or 4 new transactional email templates:
- confirm email change action: has link to confirm
- cancel email change action: has link to cancel
- completion notification