Restrict access to url sent with Rails ActionMailer to recipient only - ruby-on-rails

I've got a url I am sending users through ActionMailer. The person receiving the email is not a registered user. I want to restrict access to that certain url so only someone getting to it from the link in the mail can access it.
Is there a known way to do that?
One thought i had was to add a token parameter to the url and validate against it when trying to open the link.
Any better ideas? Thanks!

Related

Rails app Query params and Cookie based login

I am trying to find a way to distribute a Ruby on Rails app selectively by sending them an email with the link that logs them in. This should be the only way to get to the page hosted at a unique subdomain. Additionally, we don't plan on having a login wall so the access would need to be guarded by using Cookies or the Query URL params.
A couple of questions regarding this:
Is it possible to leverage cookies exclusively to achieve this? I.e Any way to embed cookies within the URL sent in the email itself?
An approach I felt that might work is to embed the user ID (encrypted) in the URL in the email. In order for the users to not need to bookmark this URL or go back to the email to access this link, I was planning to store their session ID via a browser cookie. Any issues with this approach?
How to avoid wandering users(i.e users who haven't received this email) to access this page (i.e a nice way to raise a 404 error)?
Any other cleaner ways to accomplish this task?
Is it possible to leverage cookies exclusively to achieve this? I.e
Any way to embed cookies within the URL sent in the email itself?
No. You cannot "embed cookes in a URL". Cookies are set via the SET-COOKIE header in a response or through JavaScript.
An approach I felt that might work is to embed the user ID (encrypted)
in the URL in the email. In order for the users to not need to
bookmark this URL or go back to the email to access this link, I was
planning to store their session ID via a browser cookie. Any issues
with this approach?
Yes. You should generate a random token thats not tied the users id.
How to avoid wandering users(i.e users who haven't received this
email) to access this page (i.e a nice way to raise a 404 error)?
Create time limited access tokens that can only be used once by the user. There really is no other way for you to actually know that the person requesting the URL is the recipient of the email.
What you are describing can be accomplished with Devise Invitable which is a pretty good community tested point of reference if you want to reinvent the wheel.
When you invite a user Invitable creates invitation tokens which are stored in the users table. This is just a random string. There are also timestamp columns that expire invitations automatically.
The token is included in the URL in the invitation email as a query parameters.
When the user clicks the link the controller looks up the user based on the token and nulls users.invitation_token so that it cannot be used again. This stores the user id in the session and takes the user to a screen where they edit and finalize their account by setting a password.

Can I know if a link in a email was clicked in Ruby on Rails?

I want to track my sent emails in Rails. I searched and discovered that I can do somethings like this. But I also need to know if a specific link in the email was clicked. Is this possible?
Another idea I had is to know where the user was before the page. For example, the link takes you to page X. Can i know where the user was just before the page X - so I would be able to know if was an email page?
Yes, it is possible to know if the user clicked the link via the sent email. A simple solution to this can be using an extra parameter in the links sent via the email. Something like ?email=true. This way, you can retrieve this email parameter in your controller and know the user clicked the link in the email.
Your request.referer will be nil if redirected from an email. So this technique of checking the user's previous page will not work

How do I send a user a temporary, expiring URL using ActionMailer?

I have a Ruby/Rails app with a class, Engagements, and an ActionMailer mailer that sends out mail each time an Engagement is created. I want to include a link in that email that goes to a page on my site that creates and displays an item for the user. I want the link to expire after one click and I want the real URL (website.com/items/itemid, for example) that it's going to not to be shown. How can I achieve this? Thank you for any help on this.
you could add two fields to your model: token and has_expired (default: false) to your model.
ActionMailer would send the link with the generated token, once the user click the link and the token is validated, set has_expired to true.
If user tries to go again, expired is true so don't show the page ... i guess same thing would happen if user tried to go with invalid token.

How do I associate notification mail reply to user's inbox?

I have an Rails web-application where a user can send message to any other registered user. Once a user sends a message to another user, another user gets a notification on application and also by email in his/her personal email inbox (Like basecamp).
I want to implement this functionality where if a user reply to a message from his/her personal email inbox(say gmail/yahoo), the message becomes available in the application and receiver gets a notification as usual.
As I could understand, we’ll need to associate a unique id and set it as reply-to field in notification mail. Any help in the right way to approach this problem will be very much appreciated.
Thank you
We are already using sendgrid. And sendgrid provides web-hook for emails. Which is quite easy to integrate with a rails application. It also uses mails gem. I'll keep posted if I find anything new on this.
I'm still working on finding out how to associate unique id in reply-to field in email. Any help on this will be much appreciated.
Thanks,
Chandan

Rails sending emails through an outside email service

Alright so I've got an app in which users can send 'invitations' to other users to download files. What I'd like to do is set it up so that rather than using ActionMailer I can ask users for their username/pass to their Exchange email account and then send the invitations through their account. Ideally I'd like it so that after sending an invitation through their site it will also pop up under sent emails in their account. I'm a bit unsure about how to go about this besides a rough idea of a few ajax calls and wanted to see if anybody had any experience in something similar/good ideas about how to structure this.
Thanks ahead of time!
You would still need to use ActionMailer to send the email. However, you would be routing the email to be sent from ActionMailer through the user's SMTP server.
msg = MyMailer.some_message
msg.delivery_method.settings.merge!(#user.mail_settings)
msg.deliver
Where in the above mail_settings returns some hash with appropriate keys IE
{:user_name=>username, :password=>password}
There is more information regarding this on this post. How to send emails with multiple, dynamic smtp using Actionmailer/Ruby on Rails

Resources