Rails gem for token authentication of outside data? - ruby-on-rails

I'll describe my question through my use case -- I (using the tweetstream gem) receive and process tweets on a push basis, and for some of those events, I reply to the user with a link to a signup form for my website. Currently, users have to do auth via twitter on my site before they can submit the sign up form so that I can securely verify that they own that twitter account they claim to be.
However, that is preventing a lot of conversion, so I would like to remove the login with twitter step. My thought then, was that on receiving an event, I could hash their twitter user_id with a random string I store, and add that hash (token) as a query param on the signup link. The link would autofill the token into a hidden field in the signup form, thus (I think?) allowing us to verify the user's twitter id again on form submission.
The one caveat to this is someone could use another user's signup link and appear as them, but this isn't a concern in our case because due to the nature of the signup data. Doing that maliciously wouldn't make sense, and doing it unintentionally, we can do by displaying the apparent twitter handle prominently on the form. Account access post signup will still require login with twitter so that isn't an issue either.
So my question then is, does this seem like a sound approach, and are there any rails gems that have this functionality or would be useful? (Basically a custom version of how authenticity token protection works I think) Thanks!

I think a better approach is not having a signup form and instead simply letting people login using twitter. Is there really something you need them to manually fill in on the signup forum that you can't automatically retrieve when they login with twitter?

Related

Rails app Query params and Cookie based login

I am trying to find a way to distribute a Ruby on Rails app selectively by sending them an email with the link that logs them in. This should be the only way to get to the page hosted at a unique subdomain. Additionally, we don't plan on having a login wall so the access would need to be guarded by using Cookies or the Query URL params.
A couple of questions regarding this:
Is it possible to leverage cookies exclusively to achieve this? I.e Any way to embed cookies within the URL sent in the email itself?
An approach I felt that might work is to embed the user ID (encrypted) in the URL in the email. In order for the users to not need to bookmark this URL or go back to the email to access this link, I was planning to store their session ID via a browser cookie. Any issues with this approach?
How to avoid wandering users(i.e users who haven't received this email) to access this page (i.e a nice way to raise a 404 error)?
Any other cleaner ways to accomplish this task?
Is it possible to leverage cookies exclusively to achieve this? I.e
Any way to embed cookies within the URL sent in the email itself?
No. You cannot "embed cookes in a URL". Cookies are set via the SET-COOKIE header in a response or through JavaScript.
An approach I felt that might work is to embed the user ID (encrypted)
in the URL in the email. In order for the users to not need to
bookmark this URL or go back to the email to access this link, I was
planning to store their session ID via a browser cookie. Any issues
with this approach?
Yes. You should generate a random token thats not tied the users id.
How to avoid wandering users(i.e users who haven't received this
email) to access this page (i.e a nice way to raise a 404 error)?
Create time limited access tokens that can only be used once by the user. There really is no other way for you to actually know that the person requesting the URL is the recipient of the email.
What you are describing can be accomplished with Devise Invitable which is a pretty good community tested point of reference if you want to reinvent the wheel.
When you invite a user Invitable creates invitation tokens which are stored in the users table. This is just a random string. There are also timestamp columns that expire invitations automatically.
The token is included in the URL in the invitation email as a query parameters.
When the user clicks the link the controller looks up the user based on the token and nulls users.invitation_token so that it cannot be used again. This stores the user id in the session and takes the user to a screen where they edit and finalize their account by setting a password.

In rails 4.2, using Facebook oauth through devise, I want users to reauthenticate before changing their account details

I am in the process of adding social media oauth login and registration to an existing site. I've followed the overall process described here:
https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
Currently, if a user wishes to change their account profile (including email address, password, etc.) then they need to supply their existing password. This is to prevent cookie stealing style attacks, or damage caused by people leaving accounts logged in on public machines.
However, if a user has registered using Facebook then a randomised password is set behind the scenes and the user is not aware that a password exists in our system.
This could make the simple process of updating the user profile a confusing and off-putting task. How do we present the password to the user, and how do we explain that it's different to the Facebook password?
I would like to present a Facebook pop-up or interstitial to the user before they change their account details, to force them to re-authenticate using their Facebook password, but I can't immediately see a way of supplying multiple callback URLs, or passing form data.
Is there a feature or workaround that would let me achieve this?
Please let me know if including any code would help, but you can assume that I'm using a standard Rails app running Devise and the Facebook oauth strategy, with code snippets described in the link above.

tracking user invite through oauth login

I'm building an app where the user will receive an invite to join a team.
The invite link is unique to the user, and when the user hits the sign-up page, they they can login using oauth (google).
After the user goes through the authentication and gets passed back to my app, I need to get their invite code, so I can look it up in the db and add them to the correct team.
I thought I could pass a state variable to the oauth provider which would get passed back to me like auth?state=INVITE_CODE, but when I send a state parameter to google in my auth request, it doesn't respond at all.
What's the best way to accomplish this?
I'm using express passport if that makes any difference.
I was WAY over thinking this, so hopefully this will help somebody else.
If you look at the res.headers.referer it is actually your original link, not the link from the oauth provider, which I expected.

Custom verification emails

I am trying to create a sort of recall system where an admin sends a message to the entire user base via email after which all users have to confirm the message by navigating a link in the email (Confirmation token) and retyping the message in. The would a submit button on the page which will check if messages match then clears a confirmation flag in the database. I am stuck on where to even begin here. I am not worried about comparison logic in the controller. I am confused about how to generate the confirmation tokens, sending them, then redirecting users to a page for confirmation. At the moment I am use Devise with Active Admin but I am open any other gem suggestions. If any of you could give me a link to a similar tutorial or problem that would be great! Yes I have done research before asking but it most results had little relevance.
U could do this with devise
I'll share what was recently done by me, which is almost similar to your Q.
I did not use Confirmation link or any token.
Only Admin can create user.
On creation of a user, an email is sent along with id and password.
Upon user login for first time, redirect him to edit account for only password change.
Note: U can use friendly token for generating random password.

In rails, how can I import a user's facebook contacts when they sign up?

I have a signup form, and I wanted to make it so that they have the option of recommending this signup to all their friends in facebook.
Is there a rails API/gem for doing this?
Is there an appropriate name for this?
Thanks!
Looking at the Extended permissions documentation, you don't get access to the email addresses of a Facebook user's friends (search for email and note the second column reads not available). If that's what you're trying to achieve, it's almost certainly not possible, without the user contacting each friend and asking them to visit your app (which I would imagine would have quite a low take-up, if only through inertia).
I guess you have two options:
popup a javascript before submitting the form to prompt the user wether he wants to share it with friends. You will use the js api http://github.com/facebook/connect-js (see the dialog section). This solution would avoid doing server side connection to the facebook api
Have a look a the Facebooker gem to do a stream_publish

Resources