In my rails app, im implenting mobile verification, through OTP. (Using active_model_otp).
now my customer requirement is he want the Email verification also through OTP(means an email with 6 digit otp needs to send to the email. if he enters it, the email verification should happen.)
currently the email verification is happening, through a confirmation link, that is getting sent to the user at the time of user registration(Devise default email verification functionaly)
now my question is how can implement the OTP verification in this context, can i use the same gem to accomplish it ? when i checked the gem document i did not found any info related to email verification using otp though this gem(active_model_otp)
do i need to change these gems (devise, active_model_otp) to implement it or we need to implement it manually.
He John, i am doing the same, yet not finished it dough, so can't share the code right now. Essentially, my idea is to make additional /mfa/otp_qr and /mfa/otp_mail controllers (and views) and a parent view for users to select either mail or qr authentication, ie in /users/registrations/edit.html.erb (and route it after, accordingly).
Active_model_otp gem just handles sec.codes generation/comparision, not how to display those to user (ie with QR code) or send it via email (i guess SMS is also doable).
Related
I am trying to create a sort of recall system where an admin sends a message to the entire user base via email after which all users have to confirm the message by navigating a link in the email (Confirmation token) and retyping the message in. The would a submit button on the page which will check if messages match then clears a confirmation flag in the database. I am stuck on where to even begin here. I am not worried about comparison logic in the controller. I am confused about how to generate the confirmation tokens, sending them, then redirecting users to a page for confirmation. At the moment I am use Devise with Active Admin but I am open any other gem suggestions. If any of you could give me a link to a similar tutorial or problem that would be great! Yes I have done research before asking but it most results had little relevance.
U could do this with devise
I'll share what was recently done by me, which is almost similar to your Q.
I did not use Confirmation link or any token.
Only Admin can create user.
On creation of a user, an email is sent along with id and password.
Upon user login for first time, redirect him to edit account for only password change.
Note: U can use friendly token for generating random password.
I am creating a rails app that requires sign up with twitter feature.And my application is based on email marketing service.Various types of email we will send user for the updates.
My concern here is that,twitter does not provide the email ID in response while authenticating a user via twitter API.
And now if I am creating that user in my database and allowing him to sign up by skipping some validation (Like email field is required). Then what should happen in the situation when my application will try to send the email to users.And this twitter user is not having email ID.
It will just skipped.
Is there any proper flow that I can use,so my app will work in correct flow.
Thanks!
Twitter doesn´t give you the email via API.
This works if you are using omniauth-facebook gem for example, but twitter doesn´t offer you the email - you have to create a workaround.
For example ask the user in a second step to fill in his/her email adress.
I've upgraded to Devise 3.2.1 and Rails 4.0, and I'm trying to figure out my signup now that one doesn't login on confirmation.
I allow users to create a message and specify the recipient of the message via an email address. Then I send emails notifying the recipient that they've received a message on the service. If the recipient doesn't have an account on the service, I create the account without a password, and the email I send to the recipient acts a confirmation email. With prior versions, the recipient would then click on the link, thus confirming, and then be taken to a password creation stage and then finally, they'd have a confirmed account created with password and can go see the message.
With Devise 3.1, they no longer allow login via confirmation as they consider it a security risk, however I fear it may greatly increase the complexity of my sign up process. I can no longer redirect to a password creation page as they aren't logged in. I'm toying with the idea of taking them to a special signup page or creating the account and then sending a special form of password reset.
I don't want to notify them via email, then send them a second email as a confirmation. That adds unnecessary complexity to my signup.
I wondered if anyone else has dealt with this issue and how they handled it. I'd like to avoid using:
config.allow_insecure_sign_in_after_confirmation = true
as that will go away soon and is really not the right way.
Is there a secure, yet fast way to do this with Devise 3.2?
Thanks!
I'm switching to using sorcery ( https://github.com/NoamB/sorcery ) for greater control over authentication and building my flow with that.
This is precisely the problem that devise invitable gem solves in a secure manner. I would recommend using this tool, rather than trying to hand-roll your own solution which is more likely to contain security flaws.
The gem workflow is basically:
An admin invites a new user.
The new user is created with a random password. (I actually helped write this bit!)
The user is sent an invitation email. (This is fully customisable in how it works, but has some simple default settings.)
The user receives a link, which contains a URL with a unique invitation_token.
After clicking this link, the user must choose their real password.
I am developing an application which uses Devise for user authentication. It performs all standard task that Devise handles (e.g.: Email verification during user sign up). But a user may have multiple email addresses to access his account and I want to verify all those addresses too.
My design is: user will get a email field in his profile page to add another email address to access his account along with his existing email address. After clicking submit, an email verification will occur like first time sign up process and user will be able to use both of this email address after successful verification.
Is there any gem available for this? If I need to implement it by myself, how can I do this without breaking the existing system?
It's very late to reply but recently I faced similar issue and found one gem which lets user have many emails, user can login with any email, set one email as primary, and provides support for confirmable, authenticable and validatable for each email.
Here is the link to gem:
https://github.com/allenwq/devise-multi_email
Hope it helps someone facing same situation :)
I am building an email app in ruby on rails and I had a basic version which just used to send emails using AWS SES but recently I received a mail from AWS team saying that most of the email which I have sent had bounced back and they will discontinue my account if I send emails to the bounced email ids.
Is there any way to verify before sending email to any address that whether that email exists or not and valid or not.
Any gem or work around will help me a lot
The general way to do this is purely from a system design point of view. If you are going to collect an email address from one of your users and send them email periodically, or as events happen etc, then you should first ask them to "verify their email address". This typically involves generating a unique token, putting that into your database, linked with the user, then sending an email containing a URL with that unique token in it. The user clicks the link, which goes to a controller in your Rails application that matches the token against the user. If they can't follow that link, they can't read your emails, so don't send further email to that address.
If you obtained the email addresses through "other means", you're down to setting a Return-Path address on the outgoing email (bounces will be sent here), then checking that mailbox for bounces. I'm also often suspicious of how people happen upon a list of email addresses that didn't come from users consenting to an agreement with your website.
You could use the Mail gem to do this, but you need to know how to set up an SMTP server that pipes the email into your Rails application, which is not straightforward without prior experience. You can also use a variable Return-Path address (VERP), such as <some unique hash>+bounces#your-domain.com, where <some unique hash> references the email address in your system. This takes away the pain of trying to parse and interpret the bounce email, since the address it is sent to tells you who the bounced recipient is.