Confirm multiple emails with devise - ruby-on-rails

I am using rails+devise. I want the user to be able to confirm multiple e-mails (the app would send for each address a mail with a "confirm" link, and then the user have one or many confirmed mails). It is possible to confirm one with :confirmable (doc :
http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable )
I thought that i could play with
- (Object) resend_confirmation_instructions
by changing the address but this is not the best solution.
Is there a solution with devise or do i have to implement this specific functionnality?

You'll have to implement this yourself. Devise has one email per account, by default.
You'd not only need to handle multiple emails, but presumably you'd also want multiple confirmation_token's, along with multiples of the other database fields relating to email confirmation (find them in the devise migration file that gets generated). I don't imagine this will be a simple thing to solve with devise.
However, this sounds like a counter intuitive thing to do. Perhaps you should update your question to include the requirements of your app, and the reason why you need to get confirmation from multiple email addresses. Someone may have a solution for how to architect your app such that it doesn't need this feature.

Related

Can I always require confirmation with Devise on Rails?

I've been asked to implement 2FA with email codes, like you get from Steam (and many banks), after you haven't logged in for awhile. I initially thought this would have been a flag I could turn on in the Devise config, but I can't find ANY place on the internet that talks about something like this. The desired process would be to generate and email a one-time pad to enter into a confirmation screen. Every reference I've found to 2FA with Devise refers to using things like SMS or an authenticator app.
Working within the framework of Devise, it seems like this might possibly boil down to unconfirming the user every so often, maybe like every other day. That way, the next time they log in, they get another email with a new link to "re-"confirm the login. The best I can find is Warden::Manager.after_authentication to set user.confirmed_at = nil, but this doesn't seem to be doing what I want.
Thanks to a friendly person on Github, I was directed to the Devise plugin, https://github.com/Houdini/two_factor_authentication, which does exactly what I wanted. I knew someone had to have already written it!

Ruby on Rails authentication without user name?

In all of my Rails applications I have a User model with name, email and password attributes (among others).
This seems to be the standard approach when building Rails apps.
The more Rails apps I build, the more I begin to wonder why the User.name is even necessary.
Wouldn't it be easier to just omit the user name everywhere right from the start?
From a user perspective, the sign up process will become easier. Instead of filling in four fields (username, email, password, and password confirmation), the user will have to fill in only three.
According to some usability experts this might increase the number of sign ups.
In addition to that, users will also have to remember less data, i.e. only their email address (which most people have memorized anyway).
So what might be negative implications of this approach?
I couldn't think of any so far.
You might need to make emails from your app personalized, maybe with greetings such as `Dear <%= username %>.
This doesn't mean you have to put name as one of the sign-up fields. You can put in the update form only, when the user edits their profile. Then you can make the edit_user_registration_path the after_sign_up_path_for devise.
I don't think using username is "standart" approach with rails apps. In fact, devise's vanilla approach is using only email on models.
However, being able to accept username or email has many other advantages. You may have other scenarios where users do not register at all. I mean, perhaps you are also creating accounts for users without any registration and you don't know their emails, if so using email will not be an option.
In some applications, we use more then 3 authentication strategies. Some users do not have a username or email at all..
In short, i think it really depends on your scenarios. But i am sure that using both email and username is not a rails convention.
If the main goal is a frictionless signup process then an OAUTH strategy would be the best way to go (4 fields of info down to two clicks), however you may want to collect the user info at a later time for a more personalized feel depending on what info you can capture from the callback.

How should I secure a private rails application from outside users?

I need to build an application that will only serve people in my workplace. Currently, everyone has a specific company email, which has a unique domain and format.
I created a regular expression that only validates our company email addresses, and configured the application to require email confirmation. This seems like it should be sufficient, unless a malicious person:
Finds a flaw in my expression.
Finds a way around confirmation.
Somehow gets a company email address.
I feel like this isn't secure enough though. Maybe I need to take it one more step, with some kind of pre-approved email list or something?
I'm curious if anyone else has faced this problem. (Most likely.)
Ok, here is my solution:
This will enable a second level of security:
On the User model, create a boolean field called user_active.
Then, create an Admin page that will only allow your admins to check/uncheck accounts.
Then, you can call User.user_active? before logging your users in.
This makes it much harder for somebody who manages to sneak around your security to access your app.
This would be a pain with tons of users, but if you only have 200 or so, this will work.

Devise, skip confirmation until user tries to do something meaningful

I want to let new users signup and browse my site without having to confirm their email addresses, until they try to do anything meaningful like create a new project, upload a video or leave a comment.
Does Devise have any hooks for doing this sort of thing?
Try to do it in combination of postponing email confirmation via allow_unconfirmed_access_for and confirmed? for specific actions, like described in similar question1 and question2.
BTW, starting from Devise 2.2.4 allow_unconfirmed_access_for accepts nil for unlimited access without confirmation.

Best way to send registration email (DEVISE)

Devise allows you to customize mailers here.
https://github.com/plataformatec/devise/wiki/How-To:-Use-custom-mailer.
However, I can also make a my own actionmailer like here.
http://railscasts.com/episodes/206-action-mailer-in-rails-3
When a user registers on my site, I would like to send two different emails, one to myself with the registration information and one to the user to thank them for registering.
What is the best way to do this? or is there a method that devise has that would allow me to do this? I was thinking of creating a hook(call back) in the model after a user is created. However, that would mean if I manually create a record, the registration emails would also be sent out. I don't want an email to be sent out if I manually create a user. Any advice?
You could have a callback such as after_create :send_email_to_admin
def send_email_to_admin
# your implementation
end
You would also put a conditional so it doesn't send an email when it's yourself creating the record manually. I do not think Devise offers such an option.
3 workarounds if you don't want to send email to your manually created users.
Create users at first, then add the hook.
Add a special pattern on the email of your manually created users. Say (.*)-very-weird-suffix#weired-email.com. You judge this pattern in the hook.
Add a field in users table to check if the account is created by you. I really don't recommend this unless creating accounts is part of your daily job.

Resources