I am using devise for user authentication, how i can request from user, after clicking on sign in button, to enter sms code which is automaticaly sent to his mobile phone, for successful sign in.
I followed some instructions from internet, also i made twilio and got API key, but still no idea how to finish this.
We need more info for a complete answer (if possible).
First you need a sms provider (you seem to have chosen twilio).
Then you need code to be able to send sms using that provider.
https://www.twilio.com/blog/2012/02/adding-twilio-sms-messaging-to-your-rails-app.html
Then you need the logic. This is one way of doing it.
I am assuming you are using a database with login credentials.
Add a new table with 3 columns (adding another for primary key would not hurt), one columns for user_id, one column for a code, the next for a date.
Then when a user want to login create a code (numeric or not) and add the code to the table with current date and user_id, then send the sms to the users phone number and redirect the user to a page where he can enter the code. When he enters the code you compare it to your row in the database and validates it, having the date will make it easy to add a timeout of the code so that the user would have to enter the code in 60 seconds or what time you would prefer. You would have to send a id to the page where the user enters the sms code so you know which user it is, and that should of course be checked against the table. Using this approach makes it easy to track all tries the user has made.
A tip would be to add a limit on the numbers of sms per day/hour the user can use. Then he would be locked out for the rest of the day and would have to try again tomorrow. Otherwise someone with a user/pass could send thousands of request and forcing you to send out that many sms costing you a lot of money. That of course depend on is you debit the sms to the users account in some way..
Just wanted to mention it..
As my way....may be this process
create a dumy page for devise login .. in which take login details
Find users details from db and send him/her message
After submit on dummy page, next step will be to enter message otp code
after submit on this .... match otp of user with send otp
if it is correct than logged into device panel by api's
Related
We are tracking a forgot password workflow action using adobe site catalyst. The flow happens something like below
User requests for forgot password
He provides the email address and clicks on create new password
New password generation like is send to his email address
User clicks on this link and generates a new password
First 3 actions occurs in the same browser. The 4th activity can occur in the same browser or a different browser. Because of this, site catalyst considers that user as a different one (different visitor ID) and considers that as a totally different visit. Ideally the number of users who completes activity 4 should be less than that completes 1,2,3.
But for us, we are seeing more users who completes activity 4 which could be because of this different visitor issue.
Can someone please suggest a better approach to solve this?
You might want to try overwriting the Visitor ID.
I do not know how your site works in the backend, but generally, and theoretically (as I have yet to be asked by clients on to implement this):
Extract the Visitor ID when the user provides the email address and clicks on create new password. You might want to check the appendVisitorIDsTo (Cross-Domain Tracking) function out and see how the Visitor ID query parameter is implemented.
Send the Visitor ID along with the email address to your backend controller that spits out the template forget password email.
In the template forget password email, append the extracted Visitor ID as a query parameter in the reset link.
In DTM (if you are using DTM), modify your Marketing Cloud Visitor Service tool enable this configuration: overwriteCrossDomainMCIDAndAID.
When the user clicks on this reset link, the Visitor ID should be the one that is initially created for the user.
You might want to read this answer as well.
I am just starting to work with, and learn AWS. I am using the services in the AWS Mobile Hub and so far have set up the Sign In & Sign Up methods.
Everything works fine, and now I am working on the Forgot Password and Update Password.
Problem:
The problem is, is that the way AWS has set up the Forgot Password is that:
You first enter a username and then after the user enters a username AWS sends a verification code via SMS to the phone number associated
with that username.
That's an issue because it means that anyone can enter any username and a text message will be sent, resulting in my SMS payments increasing and to be honest it just looks sloppy.
What I want to have done is that:
After a user enters a username, they then have to enter the phone number associated with the account
Then if it matches, it sends the SMS.
Question
How do I check if a user exists in a userpool?
And then if it does, how do I get the user attribute associated with the phone number to check if it matches the phone number that the user enters?
Is this even possible? Can I even get the credentials of a user who isn't the one logged in?
Thanks in advance!
Cognito User Pools does not currently allow you to get attributes for a user (such as phone number) without that user having signed in and gotten an access token.
The admin apis can do the lookup you're looking for, but they shouldn't be called from the client as that would mean you have to embed credentials. If this is a must have for you, you could potentially secure those credentials by wrapping it in API Gateway or something along those lines and then call that from your client.
Here is how you should do it:
1) Create a web API using the APIGateway. Ideally you want to restrict access with an API Key, which you should bundle with your application.
2) Connect a POST method to a Lambda function, which will
(a) perform the necessary checks (whether the phone number specified is indeed the correct one, etc), calling the admin_* functions.
(b) issue the client version of the password reset, which will trigger the sending of the SMS code.
I want to disable push notifications to user who has still not accepted the request for the group.
Note
This answer is valid as per my experience with quickblox framework 2.7 and below. As quickblox is releasing newer version's of framework very frequently you might find a better API for doing it in future. Till then you can make use of this approach.
Answer
I dont think you can disable push notification for a specific user in group using Quickblox api.
When you send a message (QBChat) to a group everyone in the QBChatDialog gets the message including the person who is sending it out him/her self.
There is a Privacy List to prevent the user from receiving message from specific users, but that requires a initiation from user's end. So I dont think that will help you much here. This feature can be used to block a person/group from sending message to user.
Solution
Your best bet would be, not to add the user to group until the user accepts the group request. Implement your own logic to send out the request to each user in group and keep adding the user when he/she accepts the request.
1> Send out QBChat message with a specific custom object with data like group id, group type, group name and all other necessary data, which will differentiate it from other QBChat messages to all the user in group.
2> On receiving this special message, show a UI specific to deal with it, like an alert with "would you like to join the group??" and button accept or deny
3> On tapping accept, make a WS call to your own server and in your server api add the user to specific group for which he has agreed to join.
Because you have already populated QBChat message with object which contains the info about the dialog, you should be able to inform your server easily for which group user has joined.
Once user joined to group he will continue to recieve all the messages in group
EDIT
Here is a detailed answer to your question in comment :)
I was pretty much sure you will ask this question :)
In order to add the occupant id to an existing QBChatDialog group we used the rest api of Quickblox. Remember I told you dont add all the participants to group initially, add them one by one after they accept to join group ?? When user accepts to join the group we call our rest api which in turn invokes the quickblox api and adds the current user id to group :)
You can easily find api for that in API section of quickblox. In case you din find it gimme time till Monday lemme ask my API developer and update u on the same
There is CATACH with this approach.
QB docs clearly says only the owner of the group can add the members to the group. That means just because you have a REST API you cant add the user to group. You will need to have the valid session id of the group owner. You will get the session id when you login, I believe you are very much aware of it :)
Now how on earth will I get the group owner session id ??
Here is the approach we followed. We had foreseen such issues might arise long way before we started the project :)
When user sign up using our app we save his username and password in our server db and generate a random username and password and create a Quickblox account with that usrname and password for the user and we save this quick blox username, quickblox password and quickblox user id for that user :)
So though sign up actually deals with two servers user will always feel like he is dealing with one server and he continue to think he is using his username and password to login to chat.
But in reality when user uses his username and password to login to app in login response we get the quickblox username and quickblox password that server had used to create the account. On receiving it app uses QB framework to login to quickblox account with that username and password :)
This way user is never aware of his quickblox username and password and userid :) Gives us lot of control as well :)
That being said :) now when a user creates a group and sends out a special QBChat message containing custom object, in that custom object along with details of dialog he also sends his quickbloxuserid :)
Now when user who recieves the special QBChat accepts the request, we extract the dialog id (to which he is intending to join) group_owner_id (id of user who created dialog and sent out this special message) and sends it to our rest api along with his own id :)
Once API recieves the group owner id, it fecthes the QB username and password from its db and log's in with that and gets a valid session id and finally adds the user to group with that session id.
Note : Quickblox allows user to login in multiple devices at a time that means it entertains multiple valid session id for user.
Hope I made my point clear :) Happy coding.
I am trying to create a sort of recall system where an admin sends a message to the entire user base via email after which all users have to confirm the message by navigating a link in the email (Confirmation token) and retyping the message in. The would a submit button on the page which will check if messages match then clears a confirmation flag in the database. I am stuck on where to even begin here. I am not worried about comparison logic in the controller. I am confused about how to generate the confirmation tokens, sending them, then redirecting users to a page for confirmation. At the moment I am use Devise with Active Admin but I am open any other gem suggestions. If any of you could give me a link to a similar tutorial or problem that would be great! Yes I have done research before asking but it most results had little relevance.
U could do this with devise
I'll share what was recently done by me, which is almost similar to your Q.
I did not use Confirmation link or any token.
Only Admin can create user.
On creation of a user, an email is sent along with id and password.
Upon user login for first time, redirect him to edit account for only password change.
Note: U can use friendly token for generating random password.
I am sending link to an registered user. When they click the link i want them to redirect to access
their account without any authentication(login). But when they access site normally they
should do login. I am using Digest/sha for password encryption.Any one have idea?
You can try Following..
You have to send the link to their mail account.
so user can access the account with in 5 minutes.
After Five minute this link is not worked.
You have to pass the some unique key with the link.
like.
www.google.com?id=12d123e33ert
You have to generate unique link each and every request for user.
And store into one database table. with the Email ,timestamp.
If user dont click to this link within 5 minutes.
you have to clear the database whose timestamp is bigger than 5 minutes using the crone job Functionality of the server.
If Eamil and link key is matched with our store key than user can access the website.
otherwise not.
You got my Point?
The simplest way to do this is to use a lot of the same logic that the forgot password functionality uses here in this Railscast:
http://railscasts.com/episodes/274-remember-me-reset-password