How to create stormpath user without password? - stormpath

Some users of our application are admins. We want give them a capability to create new users. We think about the following flow:
Admin goes to "Users" page and clicks a "create a new user" button and fill new user's name and email address.
That new user retrieves an email with acknowledge that a user was created in our application.
The user clicks a link from email body and proceeds to "Set password" page and specify his password.
Is it possible to achieve such flow with angular + express? Is there any other possible flows which can be achieved?

You can create an invite-based flow, but you'll have to do some custom work with our libraries.
You'll need to work with the Stormpath Client and Stormpath Application directly, these are provided by the Stormpath Node SDK. Inside of your Express middleware, retrieve the client with:
var stormpathClient = req.app.get('stormpathClient')
and the application with:
var stormpathApplication = req.app.get('stormpathApplication`)
On the application, use stormpathApplication.createAccount() to create the user. When you pass the new account data, set the password to something that is very long, random, and un-guessable. If your Stormpath directory has email verification enabled, the user will get an invite email. That email should link them into your Angular application, to a custom view which will read the email verification token from the URL and post it to a custom middleware on your server. This middleware will need to use stormpathClient.verifyAccountEmail() to verify the token.
Then you can collect a new password for the user, and save it by setting req.user.password='new password', then calling req.user.save().
Hope this helps! I work at Stormpath and I am a maintainer of these libraries :)

Related

What should happen if a user sign up via social login and then tries to register with same mail?

In my Spring Boot I'd like to have both social login and signup with user and password.
Let's say the user signs-up via Google. After some time, he forgets that he signed-in via Google and tried to register using the same email.
What should happen in this case?
Should I save user info (returned by Google) in a "users" table of my database to prevent the same user to register twice?
Is there an article or something that explains a similar login/registration flow?
you can save all the users(OAuth or signup) in the user table. you can maintain a column by which you will be able to identify them if a user is signed in via OAuth or email. then if a user tries to signup via the same email you can show a message. or you can design your signup process using multiple steps. at first, the user needs to enter her email address, then you can send her an email where she needs to click some link that has some token in the url, if she previously logged in using some oath provider then she will be automatically logged in otherwise she needs to set her password.

How to Send an Email Verification for a Created User?

I'm trying to use Laravel 5.7's new email verification feature. Let's say I'm logged in as Admin inside the admin panel and I want to:
Create a random user via admin panel.
Send an email verification to that created user's email.
How can I accomplish this with the new Laravel 5.7 email verification feature?
The built in verification scaffolding provides a notification to do this. You just need to ensure that the user's verified_at is set to null and then
use Iluminate\Auth\Notifications\VerifyEmail;
$user->notify(new VerifyEmail);
This will resend a new email with a signed URL.

Laravel new user registration, activation with email and secure login

I am working on a Laravel 4.2 project.
I already have implemented an email activation module for new user registration. Whenever a new user registers, I provide an activation link to him in an email and clicking on link, I compare the token (a random string with 30 characters) I have provided with link and user's email address with database records. If found to be matching, I just set is_active field of users table to true and redirect him to login page with a Congratulations message for successful activation.
But now, I DON'T want him to redirect to login page, but if successful activation, I want him logged in directly to his account.
But I believe that authenticate an user with just a string token and email address is not a secure way.
There must be something that I can trust on. Many sites do this including stackoverflow itself but I am not sure how?
Can you please guide me how to do this?

Impersonate current user when calling a Google API using service account & delegation of authority

There is a marketplace requirement that if a Google Apps for Work domain admin installs our app for their domain, the admin and any users from their domain should thereafter not see a scope auth screen when accessing our app. The act of installing the app for the domain should implicitly delegate domain-wide authority for the service account associated with our app.
In order to achieve this behavior, I am trying to do delegation of authority to a service account to work on behalf of, AKA impersonate, the currently logged in user.
The code snippet below shows the various attempts that I've made to get this to work. The only one that does work is to pass a domain superuser's email address as the "sub" param (AKA prn) when creating the JWT. However, this essentially elevates a regular run of the mill domain user's privileges to those of super user which is not the desired effect.
var client = new googleapis.auth.JWT(
'<serviceaccount>#developer.gserviceaccount.com',
'localhost.pem',
null,
["https://www.googleapis.com/auth/admin.directory.user.readonly"],
// null - // 403 not auth
// {'userId' : 'domainsuperuser#email.com'} // 403 not auth
// {'userId' : 'me'} // 403 not auth
// "domainsuperuser#email.com" // works!
// "{domainsuperuser#email.com}" // not a valid email error
// 'me' // invalid impersonation prn email address
);
Does Google honor any other ID than just the email address of the person you want to impersonate such as the special 'me' value?
It feels like we are running into a chicken and egg problem here. Essentially we don't want to hardcode the email address (especially not an admin email), so it feels like we have to make an API call. But we can't make an API call without impersonating a user.
You don't need to use a service account and domain-wide delegation in this case. Instead, simply go through the normal OAuth2 flow with the user, and the approval screen will be skipped automatically.
When the admin installs the app and approves your scopes, they are essentially automatically granting you access to those scopes for all users in the domain. And while it is a requirement that users not see the approval screen, you still have to go through the OAuth2 flow with them in order get the OAuth2 token. If you launch an OAuth2 flow for the user, and don't request any scopes not already approved by the domain admin and don't set approval_prompt=force in the URL, then the OAuth2 approval screen will instantly redirect to your redirect URI, making the process invisible to the user.

TweetSharp - Get User Email ID after login

I am using TweetSharp for user login in my asp.net mvc web app. All works fine but after login I need to save the user data in my DB as well. I cant find email from TwitterUser object after loging. How can i get user's email once the user is authenticated?
thanks
You cannot. The Twitter API doesn't return email addresses for users.
Take a look at the users/show documentation to see all the information you can retrieve.
If your app is whitelisted, you can now retrieve the email as part of verify_credentials https://dev.twitter.com/rest/reference/get/account/verify_credentials

Resources