I'm a beginner to rails and I'm having trouble with signing users in when they click on the registration email. I'm calling a login method (sign_in) and then directing them to the a page in the site, but the logic does not work. I am using Sorcery for generating the activation email. My repo is Here. I would appreciate any help, I'm a beginner still learning. Thanks in advance.
There's nothing magical about the email -- well, okay, it's probably got a capability tacked onto the end of an URL that lets you know the email address exists long enough to receive one email -- but once they sign in using your login method, it should store a cookie in the browser with a reference to the session id. (Or store session data directly in the cookie... up to you.)
So long as the same browser is used from the email clicking to the normal site use, the cookie (and its reference to the session id or session data) should still be valid, and they should still be "logged in".
Related
I am trying to find a way to distribute a Ruby on Rails app selectively by sending them an email with the link that logs them in. This should be the only way to get to the page hosted at a unique subdomain. Additionally, we don't plan on having a login wall so the access would need to be guarded by using Cookies or the Query URL params.
A couple of questions regarding this:
Is it possible to leverage cookies exclusively to achieve this? I.e Any way to embed cookies within the URL sent in the email itself?
An approach I felt that might work is to embed the user ID (encrypted) in the URL in the email. In order for the users to not need to bookmark this URL or go back to the email to access this link, I was planning to store their session ID via a browser cookie. Any issues with this approach?
How to avoid wandering users(i.e users who haven't received this email) to access this page (i.e a nice way to raise a 404 error)?
Any other cleaner ways to accomplish this task?
Is it possible to leverage cookies exclusively to achieve this? I.e
Any way to embed cookies within the URL sent in the email itself?
No. You cannot "embed cookes in a URL". Cookies are set via the SET-COOKIE header in a response or through JavaScript.
An approach I felt that might work is to embed the user ID (encrypted)
in the URL in the email. In order for the users to not need to
bookmark this URL or go back to the email to access this link, I was
planning to store their session ID via a browser cookie. Any issues
with this approach?
Yes. You should generate a random token thats not tied the users id.
How to avoid wandering users(i.e users who haven't received this
email) to access this page (i.e a nice way to raise a 404 error)?
Create time limited access tokens that can only be used once by the user. There really is no other way for you to actually know that the person requesting the URL is the recipient of the email.
What you are describing can be accomplished with Devise Invitable which is a pretty good community tested point of reference if you want to reinvent the wheel.
When you invite a user Invitable creates invitation tokens which are stored in the users table. This is just a random string. There are also timestamp columns that expire invitations automatically.
The token is included in the URL in the invitation email as a query parameters.
When the user clicks the link the controller looks up the user based on the token and nulls users.invitation_token so that it cannot be used again. This stores the user id in the session and takes the user to a screen where they edit and finalize their account by setting a password.
I am trying to create a sort of recall system where an admin sends a message to the entire user base via email after which all users have to confirm the message by navigating a link in the email (Confirmation token) and retyping the message in. The would a submit button on the page which will check if messages match then clears a confirmation flag in the database. I am stuck on where to even begin here. I am not worried about comparison logic in the controller. I am confused about how to generate the confirmation tokens, sending them, then redirecting users to a page for confirmation. At the moment I am use Devise with Active Admin but I am open any other gem suggestions. If any of you could give me a link to a similar tutorial or problem that would be great! Yes I have done research before asking but it most results had little relevance.
U could do this with devise
I'll share what was recently done by me, which is almost similar to your Q.
I did not use Confirmation link or any token.
Only Admin can create user.
On creation of a user, an email is sent along with id and password.
Upon user login for first time, redirect him to edit account for only password change.
Note: U can use friendly token for generating random password.
Am I really that bad of a googler or is there no guides out there on how to reset a password WITHOUT simplemembership using tokenlink?
I want the anonymous user to input the mail of the account, send a mail with a link and when visiting that link the user is able to reset the password without the old password. I am not using simplemembership!
I know how to send emails and all that but I have never created a token and use it for the link in the mail etc. Are there any decent guides that could help me with this?
Side note, I'm storing all my user information in azure tablestorage.
Thanks
Stack Overflow isn't the best place to be asking overly broad "How do I do this?" questions, nor "recommend me a tutorial or guide".
(Having said that, I like the question/problem)
It should be fairly simple.
The user clicks on the "forgot password" link.
Generate a random string ("token"), such as a GUID and store it (such as in a database). Also store the time that it was generated or an expiration date.
Email the user a link to your site with the appropriate token.
The user comes back to your site. If the token exists and was done within the expiration time (15 - 30 minutes?) then give them a form to change their password.
Further reading
Resetting ASP.NET password - security issues?
Best way for a 'forgot password' implementation?
I've upgraded to Devise 3.2.1 and Rails 4.0, and I'm trying to figure out my signup now that one doesn't login on confirmation.
I allow users to create a message and specify the recipient of the message via an email address. Then I send emails notifying the recipient that they've received a message on the service. If the recipient doesn't have an account on the service, I create the account without a password, and the email I send to the recipient acts a confirmation email. With prior versions, the recipient would then click on the link, thus confirming, and then be taken to a password creation stage and then finally, they'd have a confirmed account created with password and can go see the message.
With Devise 3.1, they no longer allow login via confirmation as they consider it a security risk, however I fear it may greatly increase the complexity of my sign up process. I can no longer redirect to a password creation page as they aren't logged in. I'm toying with the idea of taking them to a special signup page or creating the account and then sending a special form of password reset.
I don't want to notify them via email, then send them a second email as a confirmation. That adds unnecessary complexity to my signup.
I wondered if anyone else has dealt with this issue and how they handled it. I'd like to avoid using:
config.allow_insecure_sign_in_after_confirmation = true
as that will go away soon and is really not the right way.
Is there a secure, yet fast way to do this with Devise 3.2?
Thanks!
I'm switching to using sorcery ( https://github.com/NoamB/sorcery ) for greater control over authentication and building my flow with that.
This is precisely the problem that devise invitable gem solves in a secure manner. I would recommend using this tool, rather than trying to hand-roll your own solution which is more likely to contain security flaws.
The gem workflow is basically:
An admin invites a new user.
The new user is created with a random password. (I actually helped write this bit!)
The user is sent an invitation email. (This is fully customisable in how it works, but has some simple default settings.)
The user receives a link, which contains a URL with a unique invitation_token.
After clicking this link, the user must choose their real password.
I'm trying to do the following: I have a page with a form for login and password.
Is it possible to use this form for both registration and authorization. For example i'm visiting the page for the first time and enter my email and password. Then if such email already exists i get an error, otherwise an account is created for me. Searching for the way of implementing this gave no results.
Does anyone know hot to make it possible?
This approach has one drawback: If user mistyped password then he would probably never login again. Solution - to use email for password recovery.
Other approach is to let user input email and while user will type password check if email is already in database. If it's not available then add password confirmation field to the form.
How to make it possible? Just program the necessary logic on server-side and client-side.