I have a newsletter powered by an laravel application. It lets subscribers select an area and set some filters to receive mail notifications on new housing for sale.
To solve this in an easy way for the user I did not want to use passwords and a long registration process with names etc. Instead, you just get an email, in that email there is an edit link with a secret token:
https://myapp.com/subscribers/42/edit?token=gwoi6n4ginagrpoargp4ar5gp14a
Would this be considered a safe approach?
When a user clicks the link, it is over HTTPS so it is encrypted, but it will still show in the current browsers history..
Will I get flamed for doing this and if so what are some ways to improve it?
with encrypted data in ssl communications yes it's safe. but in my opinion there is some offers:
1-remove token word from the address.
2- this link should not show the user edit page directly. instead sends arguments to a controller and controller redirects user to a new page with a clean link. just save token in the page for authorizing your user.
3- why not to produce longer (just a bit longer!) tokens?
4- for being safer each link should have an expire time. new link will be sent with each newsletter mail.
Related
I am using Laravel 5.4 to make an in-house app that does not have any authentication (out of my control). A user submits information, and an email is sent to a manager with the info and they can either accept/reject it by clicking on a button. If they click on the accept button a new window opens up where they can do stuff like change the user submitted information.
A token is generated and sent in the email so when the manager presses the accept button the token is sent along in the URL. How can I verify that the token is valid (matches what is saved in the database) before allowing them to make any updates or changes? Is possible to block access to the route so they cant even open the webpage if the token is invalid?
I would also appreciate other ideas on how to best protect the app without using authentication
I am working on a Laravel 4.2 project.
I already have implemented an email activation module for new user registration. Whenever a new user registers, I provide an activation link to him in an email and clicking on link, I compare the token (a random string with 30 characters) I have provided with link and user's email address with database records. If found to be matching, I just set is_active field of users table to true and redirect him to login page with a Congratulations message for successful activation.
But now, I DON'T want him to redirect to login page, but if successful activation, I want him logged in directly to his account.
But I believe that authenticate an user with just a string token and email address is not a secure way.
There must be something that I can trust on. Many sites do this including stackoverflow itself but I am not sure how?
Can you please guide me how to do this?
Is there something similar to the email verifcation feature where a system admin could validate user sign-up/registration requests?
Background: We're building a system with a closed community, where new users can join only if an admin has verified their sing-up data.
Ideally the admin should just receive an email that there's a new registration request and validate the request directly from the email.
The emailVerified column is protected - it can only be updated by the system in response to the target user clicking the link in the validation email.
An admin can not "tick" this field on behalf of another user.
However. From your brief description of the background I would suggest that you want the users to click the link - after all it serves to validate their email address. If you are creating your own app there is nothing to stop you adding your own column to the user model (or preferably a related table) and implement code in your sign up that also checks this extra column. Of course this is more work - but likely not excessive - and you get the desired workflow.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.