Asana accounts can have multiple emails associated to them, but getting a user from the API only returns 1 email. So which one will it return? Is there a concept of a primary email?
https://app.asana.com/api/1.0/users/me
Great question. Users typically have multiple email addresses when they are in multiple domains. If the API call has a domain context, such as GET /workspaces/:id/users the email addresses for each user will be their registered domain email for the workspace identified. This goes for querying followers of projects and tasks as they can only exist in a single domain.
However, when your query does not have a domain context, such as GET /users/me the behavior is a bit more undefined. The reply will not change from call to call unless the user has changed that email address, but there is not a notion of a "primary" email address you, as an API consumer, can apply to that response.
Hope that helps.
Related
We are seeing a few users for which the graph API returns only a primary email despite knowing that there are multiple SMTP addresses configured for these users. We are observing this on the List Users endpoint as well as the Get User endpoint.
When using the $select parameter to include the otherMails and proxyAddresses properties, both come back as empty arrays. Microsoft365 admins for the tenant to which these users belong have provided us with screenshots demonstrating that some of these users have at least one email alias configured in addition to their primary email.
I'm curious if there's any scenario in which it would be expected that otherMails and proxyAddresses would be empty despite the presence of aliases on a user? Or if there's a particular way in which the request to the List/Get users endpoints must be crafted to get these fields to come back non-empty. According to the docs it seems like a collision between SMTP addresses across directory objects might cause this, but I'm certain that's not the case for all of the users for which we're seeing this issue.
I'm using the Microsoft Graph API within a PowerShell script to automate the creation of Microsoft Teams teams. I am obtaining email addresses from a database of a proprietary non-Microsoft application that does not contain the Microsoft User Id. The Microsoft User ID is needed in order to add members to the Teams.
I am using the Microsoft Graph URI:
graph.microsoft.com/v1.0/users/
to obtain the User Id.
Unfortunately, that database sometimes contains an email alias rather than the user's primary email address. When the script attempts to obtain the person's User Id using an alias, the Graph API call returns an error.
For example, when the primary email is address is "jsmith#abc.com", but the database contains his alias "joe#abc.com" I was expecting to be able to call that API with a filter such as:
graph.microsoft.com/v1.0/users?$filter=alias eq 'joe#abc.com'
but I can find no such filter option.
I would appreciate any tips on how to solve this problem.
The user object has a property called otherMails. This is a multi-value property.
The filter syntax is different for multi-value-properties.
To filter users by alias, you'll need to use:
https://graph.microsoft.com/v1.0/users?$filter=otherMails/any(c:c eq 'joe#abc.com')
I have a User model with authentication.
If logged in, the user can update his newsletter subscriptions preferences (i.e. option/optout)
However, I'd also like to give limited access to the page for the user who hasn't confirmed his account yet (through a link in an email).
He wouldn't be able to change any other information but the subscription preferences.
Right now, I can only unsubscribe a user from one newsletter.
What I'd like is to have a form with all the subscriptions available.
What would be the process to do so to make it secure?
(i.e. the user wouldn't be able to change the email/username to update another user from the link provided)
You can generate a random SHA1 or MD5 hash using Ruby's Digest module and inject it to the link you send out to the user.
Make sure to check the hash matches the user's email, a rough algorithm is as follows:
Create a hash for the user in question and store it in the database:
user.email_hash = Digest::SHA1.hexdigest(user.email)
user.save
Within the controller method handling the email verification, check if the hash matches the user's details
if current_user.email_hash == params[:email_hash]
# A match, process the activation and invalidate the hash
user.activate
user.invalidate_hash # This can set the email_hast to nil, for example.
else
# Someone's trying to be sneaky, or accessing an invalidated hash
end
There are ways to make this more secure, for example having a combination of a user's username and email to create the hash, putting the endpoint behind a rate limit to prevent brute force attempts at guessing hashes, etc. but this should provide a good starting point.
Finally, don't forget to require the digest\sha1 module (require 'digest/sha1') in any files that need it.
A pattern that many newsletters use is to generate long random tokens and inject them into the link URLs provided in the e-mail. Each random token maps to an user; that way, by checking the token parameter, it is possible to get the user associated to that e-mail.
As an example, suppose the newsletter page is /newsletters/settings. The actual link sent by e-mail is /newsletters/settings?code=12345678901234567890, where the code parameter is different per user, or even per user and sent e-mail in some cases.
These tokens have security implications, though. For instance, if a newsletter is forwarded to another person because they forward the original e-mail. If they don't remove the links, third parties could impersonate the original user and manage the subscription as well.
I am using the Survey Monkey api to get the url's of surveys I have created which allows me to display surveys from within my application. To do this I have to send my key and authorization with the request.
What concerns me is that Survey Monkey has an api 'create_flow' that allows surveys to be created. Using fiddler I can see my requests including the key and authorization token. As far as I can see, this means that anyone could use this information to access the api and create a new survey on my account, which I do not want.
Is there any way to stop someone from creating new surveys using the API and the auth token? I'm not really bothered about people getting access to the survey details or Uri's as all they can do is post junk survey results that only I will see, but I absolutely don't want anyone else to be able to create a survey that will be presented to all my users with potential malicious text.
It is not possible to make an account read-only.
So if I'm understanding correctly, you're shipping an application which contains your api_key and access token?
This is very much not recommended - the access token is equivalent to your account password, it gives full access to your account.
If you want a way to dynamically list your surveys, the best way to do it is create a proxy web app / API you host yourself. When someone hits that address, it uses the access token / api key you've stored on your box and grabs the list of surveys and then returns it to your app. This is the only safe way to do this.
My colleague have made our site that we can log in using external login. They way it works is that the code checks if the username from external site exist in Mvc Entityframeworks UserProfile table in the database, if it doesnt exist it will create a new user. What we want to do is only to bind the external to a user in the databse and not to create a new user. And we decided to use the email to bind, so the program will check if the external email exist in email column that is related to userid.
If the external email exist in the database you can log in with this account and get the correct priviliges that this userid have.
My question is how can i get the email from external with a simple code and maybe even put it in a property so i can compare with the emails in database