I am using Laravel 5.4 to make an in-house app that does not have any authentication (out of my control). A user submits information, and an email is sent to a manager with the info and they can either accept/reject it by clicking on a button. If they click on the accept button a new window opens up where they can do stuff like change the user submitted information.
A token is generated and sent in the email so when the manager presses the accept button the token is sent along in the URL. How can I verify that the token is valid (matches what is saved in the database) before allowing them to make any updates or changes? Is possible to block access to the route so they cant even open the webpage if the token is invalid?
I would also appreciate other ideas on how to best protect the app without using authentication
Related
I have a newsletter powered by an laravel application. It lets subscribers select an area and set some filters to receive mail notifications on new housing for sale.
To solve this in an easy way for the user I did not want to use passwords and a long registration process with names etc. Instead, you just get an email, in that email there is an edit link with a secret token:
https://myapp.com/subscribers/42/edit?token=gwoi6n4ginagrpoargp4ar5gp14a
Would this be considered a safe approach?
When a user clicks the link, it is over HTTPS so it is encrypted, but it will still show in the current browsers history..
Will I get flamed for doing this and if so what are some ways to improve it?
with encrypted data in ssl communications yes it's safe. but in my opinion there is some offers:
1-remove token word from the address.
2- this link should not show the user edit page directly. instead sends arguments to a controller and controller redirects user to a new page with a clean link. just save token in the page for authorizing your user.
3- why not to produce longer (just a bit longer!) tokens?
4- for being safer each link should have an expire time. new link will be sent with each newsletter mail.
After Parse.com have introduced new revocable session that gets destroyed when a user logs out, is it possible to build a reliable login process using "magic links", ie. a user receives an email including a link, and gets logged in in a web browser after clicking that link?
Previously, sessions in Parse were long lived and implementing a magic link login process was a matter of providing the user with his/her session token and having the client call Parse.User.become(<sessionToken>).
This approach will fail with new revocable session if a user is not already signed in to the Parse server when generating and clicking a magic link, since there will not be any session to give the user that he/she can use in the call to Parse.User.become().
Any clarification if this is possible to accomplish this with the new more secure type of revocable sessions in Parse, or suggestions on how to achieve this, are welcome.
Is it possible for me to create an application that can send our requests to access to users' Google Calendar so that I can see the events in there and be able to add, edit, and delete events?
I do not want the users to log into my website to enable this access. Rather, I want to be able to send this request, perhaps via email.
Alternatively, perhaps they could log in the web app and authorize access themselves somehow.
One option would be to e-mail the user a link to the OAuth 2.0 consent screen. The users would still need to open the link in a browser, sign in to their Google account (if not already signed in), and click the "Authorize" button to grant your application access to their Google calendar events.
First, you will need to register your application as a Web App in Google's Developer Console (just like for any other application) and obtain a client_id. Be sure to fill in the name of your application and a link to your website in the "OAuth consent screen" section, because these values will be shown to your users when they click the authorization link.
Then, follow these steps:
Send the user an authorization link in an HTML e-mail message. The link should be constructed according to the guidelines in "Redirecting to Google's OAuth 2.0 server", and pay attention to the following aspects:
Ensure that the redirect_uri parameter in the authorization link points to your application.
Since you already know the e-mail address of the user, consider including the login_hint=<email address> parameter to bypass the account selection screen.
Important: provide a value in the state parameter so that you can link this authorization request with the user.
The link should be placed in an <a> tag somewhere in the body of the e-mail: Allow access to my Google calendar
When the user clicks on this link, their browser will open and show the standard Google consent screen:
Once the user has made a choice, their browser will be redirected to the redirect_uri which you have provided.
Make sure that the redirect_uri will work even if the user isn't signed in to your application. Capture the state and authorization_code values which Google appends to the redirect_uri, and then return a confirmation page (e.g. "Thank you for giving us access to your Google calendar" would be a good idea).
Using the state and authorization_code values, follow the rest of the standard OAuth 2.0 flow and retrieve a refresh_token which will allow you to access the user's Google calendar from your application.
Keep in mind that the calendar owner (the user who is clicking the link in the e-mail and granting your application consent to access the calendar) may not even be a user of your application. This is why it is important to provide as much information as possible on the consent screen and in the confirmation page.
Since your confirmation page will be loaded even if the user does not grant your application consent, you could take the opportunity to give the user a full description of why you are asking for access to their calendar and provide a link that will take them back to the consent screen. This should increase your success rate.
Every request your application sends to the Google Calendar API must
include an authorization token. The token also identifies your
application to Google.
Your application must use OAuth 2.0 to authorize requests. No other
authorization protocols are supported. If your application uses
Google+ Sign-In, some aspects of authorization are handled for you.
The details of the authorization process, or "flow," for OAuth 2.0
vary somewhat depending on what kind of application you're writing.
For more details on the workflow to gain access click here. Once your app has access, it will be able to view and edit a user's calendar events, depending on the approved permissions.
Is there something similar to the email verifcation feature where a system admin could validate user sign-up/registration requests?
Background: We're building a system with a closed community, where new users can join only if an admin has verified their sing-up data.
Ideally the admin should just receive an email that there's a new registration request and validate the request directly from the email.
The emailVerified column is protected - it can only be updated by the system in response to the target user clicking the link in the validation email.
An admin can not "tick" this field on behalf of another user.
However. From your brief description of the background I would suggest that you want the users to click the link - after all it serves to validate their email address. If you are creating your own app there is nothing to stop you adding your own column to the user model (or preferably a related table) and implement code in your sign up that also checks this extra column. Of course this is more work - but likely not excessive - and you get the desired workflow.
I wonder if the new iOS App Extensions feature supports my case? If so, would I use Share or Action?
My case is similar to a Share but not really sharing, just making request of my service. Here's the use case:
From an item in a host app, the user taps the button for my extension, which the app developer has placed there
The host app opens my extension passing a couple of bits of relevant data from the item the user was on
Check if the user is authorized to use my API (has API auth token)
If authorized, present a very simple form (probably two select lists) with Submit and Cancel buttons. No content or text editing
Upon submit, post to my API and receive a response that the request was accepted or an error with validation details. Upon errors, ask the user to try again or cancel. Upon success, return to the host app
If not authorized, ask if they are already a member of my service
If already a member, present a login form and perform authorization over the API, storing the auth token that is returned, then proceeding to step #4
If not a member, present a signup form asking for email and some minimal setup choices, storing an auth token, then proceeding to step #4