I have a requirement for an authenticated user to be able to send an invite to someones email address. On clicking this invite, the user would be prompted to sign up, and on completion, would be associated with the same account as the originator.
I am struggling to design a secure mechanism for ensuring the invited user is associated with the intended account, and no other.
(If it's of help, I am using Ruby 2, Rails 4, and the sorcery gem for authentication)
The following works:
Use Sorcery User Activation submodule
On 'invite' action create User (non-active) and attach her to the account. Send invitation email with activation link, e.g. http://example.com/users/:token/activate.
In your users_controller#activate:
user = User.load_from_activation_token(params[:token])
... # update user fields, e.g. set password
user.activate!
Related
I have devise invitable gem
Hooked up in my app as well as devise.
Everything working fine. When I create new user, they are saved in database and mailer sends email an email address. User clicks on email, sets password and then is logged in.
But sometimes these users lose their email or rather can’t find it in their email inbox. I’d like to have a resend invite button on the users index page.
When user clicks resend, I want the invites user to get another email sent to them.
Had anyone successfully accomplished this with devise invitable? If so, can you share how?
The gem adds a resend_invitation configuration parameter on your invitable-enabled model. From the docs:
resend_invitation: resend invitation if user with invited status is invited again. Enabled by default.
So, calling .invite! again on a record that's marked as invited will do the trick for you.
I'm building a system using Devise as the gem responsible for handling users.
What I'm looking for it's a way to send the confirmation email always to the same email(it would be the admin), so that he can choose if the person should, or not, be allowed into the system.
You can refer to this How To to let admin confirm the user before signin, you probably won't need comfirmable module.
Within a rails app i'm working on. I'm trying to add the ability for users to signup simply by entering their email address and then confirming their account via the confirmation email. I don't want the user to have to enter in any password. How would I go about doing this?
This example is useful, but requires for the user to enter a password: https://github.com/plataformatec/devise/wiki/How-To:-Email-only-sign-up
Should I just automatically use one password for all users?
Devise is built for authentication, which is either a password, or a quick check with a social network that this is actually the person they claim to be. The email address is used as identification.
If you just want to identify a person by their email, I suggest you create your own system for it. You can even add some of the Devise features in if you like. First, create a User model with an email attribute:
rails generate model User email:string
Once you've migrated the database, create a controller for it:
rails generate controller users
Then create a Session model and let each User create sessions by logging in. There'll be plenty of great tutorials on the web of how to create a system like this. Writing helper methods like current_user or user_signed_in? should be quite easy too.
Now for the last point, if you want people to sign in after they signed up using the email confirmation, how will you make sure that it is actually the same person signing in as the person who confirmed the email? Any malicious user could simply use an already confirmed account to sign in, unless you have to do an email confirmation every time you sign in...
So while you can do the above, I would seriously recommend to have some kind of authentication, whether it be with a password, or using OmniAuth to connect to social networks. There's a railscast for that here.
Not sure if this would help you, but based on the simplicity of the authentication process, I would suggest not to use Devise at all. You can just create an action in your SessionsController, which will compare the params[:email] (or however you are calling it in your app) against the emails listed in the UsersTable.
I am developing an application which uses Devise for user authentication. It performs all standard task that Devise handles (e.g.: Email verification during user sign up). But a user may have multiple email addresses to access his account and I want to verify all those addresses too.
My design is: user will get a email field in his profile page to add another email address to access his account along with his existing email address. After clicking submit, an email verification will occur like first time sign up process and user will be able to use both of this email address after successful verification.
Is there any gem available for this? If I need to implement it by myself, how can I do this without breaking the existing system?
It's very late to reply but recently I faced similar issue and found one gem which lets user have many emails, user can login with any email, set one email as primary, and provides support for confirmable, authenticable and validatable for each email.
Here is the link to gem:
https://github.com/allenwq/devise-multi_email
Hope it helps someone facing same situation :)
I need some gem that will allow users to interact with rails app through email, without need to register. For example: I publish something for sale, accompanied with email, and all of controls (CRUD, and submitting) I get on my email as links (delete, update, and so on). I'll like to, somehow connect it to devise, with opportunity of further registration using the same email with shopping history.
To publish something(services or products) for sale User has to fill:
name, email (validates unique), phone. That may or may not be used for future registration using devise.
in the same form may be: pictures, description, and other fields of product.........
the idea is to store: id, name, email, phone in user db without password, or be somehow pending for registration
Just create your own CRUD controller with authorization based on some hash that you will add to the URL. Store those hashes in the database and verify if user is legitimate to perform action.
Warning: anyone with the valid URL will be able to perform these actions.
Well, in comment you wrote that you want it to integrate with Devise. Devise supports login tokens but for existing users. You should then somehow virtually register them. Easiest approach would be to:
Include user email in the URL with some tolen
Check if we already have such user - add token verification here
user = User.find_by_email(params[:email])
if user.nil?
user = User.create(field_1: value1, field_2: value2)
end
sign_in(user)
redirect_to after_sign_in_path(user)
Done. User is authenticated based on the email and token included in the URL.