I am sending email to user, in that email one link is there to redirect that user to rails application. I want that link to be in encrypted form with domain name for example:
https://www.domain_name.com?hdurstihnzdfalgfgdfhdrbnhduolsasrtyumyrtyr
when user click on this link, he should directly redirect to controller method we specified in that URL which is not visible.
Controller and methods given in URL may vary according to user.
So my question is how we can do this in rails.
If I encrypt controller name, method name and parameter we passed. How routes file come to know where to redirect this URL? How to decrypt this in routes file and redirect internally to decrypted URL?
Life will be easier if you can do a slight modification to your url, something like:
https://www.domain_name.com/enc/hdurstihnzdfalgfgdfhdrbnhduolsasrtyumyrtyr
Then you can create a route for that path to redirect where you want.
get '/enc/:encoded_path' => "controller#action"
This would give you access to params[:encoded_path], which would equal hdurstihnzdfalgfgdfhdrbnhduolsasrtyumyrtyr in this case. From there, you could decode in the controller and then redirect however you want.
That's not the right approach. Here's what you can do instead:
Create a new controller action, say for instance, activate.
def activate
activation_token = params[:auth_token]
....
your logic to do whatever with this token
end
Create a corresponding route:
match '/activate' => 'your_awesome_controller#activate'
Now, when you email your users, I'm guessing you're sending some sort of activation token. If not, create two new fields in your users table:
activation_token:string
activated:boolean
Use some unique string generation algorithm to generate your activation_token and email it to your user:
yourdomain.com/activate?auth_token=user.activation_token
Related
So I'm currently in an attempt to make my own account verification system and I'm using some parts of Djoser as a reference. let me try to walk you to my question
Let's say you're to make a new account in Djoser app
you put in the information of your soon to be made account including email
submit the form to the backend
get an email to the whatever email account you put in earlier to verify your account
click the link in your email
get to the verify account page
now in this page there's a button to submit a UID and a token and both of those information lies in the URL.
My question is:
What are those tokens? is it JWT?
How do they work?
How can I implement that in my own projects without djoser?
The answers to your questions are immersed in the own code of djoser.
You can check djoser.email file and in the classes there, they are few methods get_context_data().
def get_context_data(self):
context = super().get_context_data()
user = context.get("user")
context["uid"] = utils.encode_uid(user.pk)
context["token"] = default_token_generator.make_token(user)
context["url"] = settings.ACTIVATION_URL.format(**context)
return context
So get the context in the class where is instance, and in this context add the 'uid' (this is basically str(pk) and coded in base64, check encode_uid()), the 'token' (just a random string created with a Django function from your Secret key; you can change the algorithm of that function and the duration of this token with PASSWORD_RESET_TIMEOUT setting) to use temporary links, and finally the URL according the action which is performed (in this case the email activation).
Other point to consider is in each of this classes has template assigned and you can override it.
Now, in the views, specifically in UserViewSet and its actions perform_create(), perform_update() and resend_activation(), if the Djoser setting SEND_ACTIVATION_EMAIL is True, call to ActivationEmail to send an email to the user address.
def perform_create(self, serializer):
user = serializer.save()
signals.user_registered.send(
sender=self.__class__, user=user, request=self.request
)
context = {"user": user}
to = [get_user_email(user)]
if settings.SEND_ACTIVATION_EMAIL:
settings.EMAIL.activation(self.request, context).send(to)
...
The email is sent and when a user click the link, whether the token is still valid and uid match (djoser.UidAndTokenSerializer), the action activation() of the same View is executed. Change the user flag 'is_active' to True and it may sent another email to confirm the activation.
If you want code your own version, as you can see, you only have to create a random token, generate some uid to identify the user in the way that you prefer. Code a pair of views that send emails with templates that permit the activation.
This project is something like a social networking site built on codeigniter.
Here my default controller is MyController.php (which loads the login page)
and say my domain is aravind.com
In my application each user will have a unique id.
and what my requirement is, the particular page of the user should get opened when
the unique_id of the user is given immedetily after the domain name.
ie, aravind.com/123 should open the user page whose unique id is 123.
I know this can be acheived by placing a controller and a function in between the
domain and the unique_id, (like : aravind.com/Search_class/search_func/123).
But by doing so the url of the particular user becomes lengthy which is not acceptable.
So I require a logic to sort this issue.
Note:
I have other classes and folders in my controller package, SO the required soln should be
wise enough to diferentiate my classes and folders in the controller package with the UniqueID.
So for differentiating I can say like the classes and folder name will be of continuous String
Where UniqueID starts with an underscore (_).
The same thing is done in facebook, like if we type facebook.com/aravind.pillai.983, it will open my account,
where as if the url goes like facebook.com/settings it will open the settings page for
the user who have an active session.
Set route["404_override"] to one of your custom class (say Search.php).
So wheneven a user tries to enter with an invalid url it will be redirected to Search.php.
Here using $this->uri->segment(1) you will get the value of the first uri segment.
You can write a logic there to identify whether the user entered a valid unique_id or not.
Now you got the uri value in one class (Search.php).
You should use routing where you can set every routes you want. In APPPATH.'config/routes.php' file add this:
$route['(:any)'] = 'Search_class/search_func/$1';
You should read documentation about routing and check other examples.
Also, pay attention that application will always check for Search_class/search_func/$1 in first URI segment so you need to put this rule at the end of routes.php file. Before that rule you need to set other rules like:
$route['about'] = 'pages_c/show/about';
$route['contact'] = 'pages_c/show/contact';
// then after all declared routes, you can set wild card placeholder
$route['(:any)'] = 'Search_class/search_func/$1';
I have posts, where users able to delete or edit them. And when I redirect them I was sending url with id number, like: test.dev/delete/15, where 15 is my id of post which should be deleted. Then I tested sending id in route like route('delete',['id' => $post->id]). In the end I realized that both methods include id number in url. I mean, for url it shows url test.dev/delete/15 and for route it shows test.dev/delete?id=15
So I was wondering if we can send id, without showing them in url, I am afraid that curious users may try to get use of these flaws
As you will always have to display the id somewhere on the page to send it through either a hidden field or id in the url all of which a user can change. That is why you should check in the Back-End if the user has privelege to delete that post or not
Assume I have a site with a unique URL for users, e.g. abc.com/user1.
I want users to be able to create their own user urls like abc.com/user1 to abc.com/foo
The problem here is that my site has static pages such as: about, help, contact, download.
On the profile page, when users change their url, i apply this validator to their new profile url:
'username' => 'required|alpha_dash|max:20|min:3|unique:users'
In this situation, if the user chooses their new profile url to the same as a Route of my app (help, about, download...), their URL looks like: abc.com/about, this is troublesome.
Of course, the Validator will return true because that name is valid: min=3, max=20 and unique in "users" table ( "users" table not contains any control, of course).
To solve this, I add name of some Route to "users" table (about,contact,download...), so they cannot make their profile URL like abc.com/about,
But this is not good idea, because I might add more Routes in future.
PS: I dont like URL like abc.com/profile/user1, must be abc.com/user1.
Please help me to solve this.
You can use Route::getRoutes() to get all registered routes in your application
$routes = Route::getRoutes();
foreach($routes as $route){
echo $route->getUri(); // getUri will return the url pattern it matches
}
Now you can use this to check if the username doesn't appear in your routes.
But be careful! If you want to add routes in when the application is running you will have to check everytime that there's no user that has taken the name you want to chose.
Here are some possibilities
1. Call static page routes first
You can either call the static routes first and then at the end you do a catchall like lukasgeiter suggested, or you might even do a check in the controller and go through your static pages first. The problem here is that the user can create the user (e.g. "about") but then when they call that page, they would see the about page, even though they've correctly created the username, this might create a confusion.
2. Blacklist
Another way would be to create a blacklist for these usernames, so that people can't even register these types of usernames (this would be similar to your solution of pre-creating those usernames, but this way would be a bit cleaner and more easily expandable). Using this you will always have the trouble that someone will have used the username, once you want to use it as a static page. E.g. when you want to expand into another country.
3. Static pages on one level lower
E.g. you can create the static pages one level lower, such as abc.com/static/about, so there would be no clash.
4. Prepend character before username
This is the way I went, because the other ways were technically a bit too risky for me. So I chose the '#' sign for my users. So abc.com/#ThisIsMe is my current solution. It works in different languages (as opposed to abc.com/profile/thisisme would only work in languages, where profile is the correct term)
I think Flickr went from flickr.com/username to flickr.com/photos/username. Google+ doesn't really let you decide, but makes suggestions (AND adds the +). Twitter and Facebook let users choose their own, I would assume they have a blacklist. LinkedIn uses /in/.
I'm using Azure ACS in my ASP.net MVC 3 website (hosted in Azure too), the scenario is this:
A user first enters my website and fills a one field form, then they need to chose a provider and login, but first I want to store the field value so when they come back from login I'm able to create a profile with this value for the loged in user.
So I believe when they first enter the site and then leaves to login and enters the site again those are two different sessions am I right? and that's the reason the stored data using session state (through SQL Server) is not present when they come back after login am I right? if this is true what would be the best approach then? if not then I'm doing something wrong storing temp data right?
Thanks
UPDATE:
I have discovered that HttpContext.Application state works keeping the data, still I'm not sure if it's a good idea to use it in a controller considering it's in Azure, will it work on production properly??
You can pass state around in the WS-Federation redirect sequence using the wctx URL parameter. In the action that handles the initial POST request, you should get hold of the form parameter you want to keep, then redirect to you identity provider selection page (this will have to be a custom page) with the form parameter appended to the URL. When the user selects an IP on your page, you can pass the parameter on again using the wctx parameter. The WS-Federation passive requestor profile says that this should be returned to you eventually when the IP redirects the user back to your site.
This has some details
http://msdn.microsoft.com/en-us/library/bb608217.aspx
Edit: To get the wctx parameter out of the request when the user finally comes back to your app. Put something like this in the action code:
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
if (fam.CanReadSignInResponse(System.Web.HttpContext.Current.Request, true))
{
string wctxValue = this.HttpContext.Request.Form["wctx"];
}
My preference is to have the wcxt parameter represent a redirect URL (URL encoded) with your parameter as a query parameter in that so it be a URL encoded version of this:
wctx=https://yourserver/yourapp/yourpage?yourparameter=foo
Then the action that was receiving the redirect from the ACS would simply pull out the value of wctx and do a redirect to it without any more processing. This keeps things simple.
Another approach would be to save whatever data you need to pass around in the Database, and just pass around some ID that refers back to the database record. You'll pass this ID to IP and back through wctx (as Mike mentioned above).
This will solve the issue of limited length of URLs (in case your data is very large). Of course you would need to manage deletion of this data, but this shouldn't be hard.