How to use a custom confirmations URL in Devise - devise

I'm looking for a way to use a URL provided as a parameter in the POST request to create a user as the confirmation URL for confirming my Devise user model. The use case is that I have a rails application acting as an API for a frontend react app (setup using webpack) and I want the URL in the confirmations instructions email sent to the user to link to the frontend app, which would then send an API request to the backend to manually confirm the user, instead of the user visiting my backend API URLs themselves.
I want it so that the backend could potentially be used with other clients in the future, so the URL to be used must be variable. Currently I'm trying to pass it in the API request to create the user, and then somehow I would need a way to get this variable into the Devise mailer.
The end goal looks something like this:
# app/views/devise/mailer/confirmation_instructions.html.erb
<p>Welcome <%= #email %>!</p>
<p>You can confirm your account email through the link below:</p>
<p><%= link_to 'Confirm my account', #custom_confirmation_url ? "#{#custom_confirmation_url}#{#token}" : confirmation_url(#resource, confirmation_token: #token) %></p>
where #custom_confirmation_url is the variable holding the value of the URL passed into the POST request to register a new user.
I was potentially thinking of simply redirecting the user to my frontend after the confirmation, with something like this but I don't see how I'd make it work with multiple frontend clients, if I went that route.
I'm open to thoughts on whether or not this approach is even worth considering, or if there's a more stylistically correct way of accomplishing this.

Related

Can environment variables be set at run time (production) in a rails app?

I have a web app i am building whose core functionality involves performing automated CRUD tasks on amazon. Given the correct user login and password, the app user will be able to delete and add addresses on amazon. I am using selenium web-driver with mozilla agent for the automation task. At the moment, the user-name and password are hard-coded in the application.yaml file using figaro gem. What i want is for anyone accessing the app to be able to enter their own amazon username and password so the address deletion and removal process happens on their own amazon account.
Is there a way i can capture the current users's login and password via a form (with their consent of course) and set these as environment variables at runtime in secrets.yaml. So the login name becomes
amazon_user_name: <%= ENV["SECRET_USER_NAME"] %>
and the password becomes
amazon_pass_word: <%= ENV["SECRET_PASS_WORD"] %>
Or is there an overall better and neater way to get this done?
Just to further clarify and simplify: All i want to do is allow users a means of logging into their amazon account via my app so my app can perform the address automation (adding and deleting shipping addresses in bulk) on their amazon account. Any secure means of accomplishing this is welcome.
for a per user setup, the easiest thing would be to set it in the user session, encrypted if you like.
like this:
session[:super_secret_pass] = 'somepassword'
then pass it down from the controller to where you are invoking it.

Instagram API - Redirect url

I have a plugin that need some instagram infos of my application.
This plugin just show photo feed.
I have created the application on the instagram developers and get my client id, but, what's the redirect url? I put my website link because i really don't understand what is that.
What i need is:
id: 'MY PROFILE ID',
redirectUrl: 'http://www.kyriosfestival.com.br',
clientId: 'MY CLIENT ID FROM MY APPLICATION',
accessToken: 'GENERATED FROM INTERNET'
And it's not working.
I have used a access token generated from internet, and i don't know if is this the problem.
What is the real form to use that?
Anyone?
Thanks!
Must be late, but will post an answer, so that maybe it will help anyone some day.
For all your Instagram API calls, you need to receive a valid access token.
You can get one by implementing authentication (client-side or server-side), full guide can be found here.
So for example, if you choose to go with client-side authentication,
you should direct a user to authentication URL, which will looks like this:
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=token
After that, user will be redirected to your redirect page (REDIRECT-URI). This REDIRECT-URI should match the URL you have specified in Manage Clients section.
After the redirect happens, you will get the access token in the URL of the page you've been redirected to.
http://your-redirect-uri#access_token=ACCESS-TOKEN
You can then extract your ACCESS-TOKEN from url and start making API calls.

Rails Doorkeeper - Redirect to homepage instead of authorize page

I have a weird problem when I try to use door_keeper gem with rails app. The problem occurs when I use Oauth2 gem to get the token. But at the part I have url :
http://0.0.0.0:3000/oauth/authorize?response_type=code&client_id=199f27a02764f1ef1d31c2860b83ef93c0cc3dc26886d2b3d76b8ef1e935f3ae&redirect_uri=http%3A%2F%2F0.0.0.0%3A3000%2Fcallback
it doesn't redirect to the page we authorize and get token but it redirects directly to http://0.0.0.0:3000
what's the problem I have here, it should redirect to application authorize page first, shouldn't it ?
The authorization page requires some user to be logged in. You set up that in the resource_owner_authenticator block and it should look something like this:
resource_owner_authenticator do |routes|
# Put your resource owner authentication logic here.
# If you want to use named routes from your app you need
# to call them on routes object eg.
# routes.new_user_session_path
User.find(session[:user_id]) || routes.new_user_session_path
end
In this case, if the user is not in the session when it tries to access /oauth/authorize, it gets redirected back to new_user_session_path.
Only when the user was found from the session, you'll be able to see the authorization page.

Rails Customize the eventbrite omniauth callback url

I am using eventbrite omniauth to authenticate the user. With reference to https://github.com/k504866430/omniauth-eventbrite I included the gem and created a file omniauth.rb file as:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :eventbrite, ENV['EVENTBRITE_CLIENT_ID'], ENV['EVENTBRITE_CLIENT_SECRET']
end
On the show page of each event there is link to Authenticate with eventbrite.
events/24
= link_to "Authenticate with Eventbrite", "/auth/eventbrite"
When the user allows to access I want the callback url to redirect to same event page.
Thus I need to know how to pass the event_id in params so that the application can return to the same event page and how should the callback url be defined in routes.rb file
Eventbrite's OAuth2.0 implementation does not allow you to define the OAuth callback URL as a querystring parameter. This callback_url can only be defined by configuring your Eventbrite application key's 'redirect_uri' setting.
Pass-through of custom querystring parameters (such as an event_id) is also not supported.
Besides, you'll need to do a bit of follow-up work AFTER the user arrives back on your site.
If you need to redirect a user after they return to your website, I would consider stashing the 'redirect_url' (and possibly the event_id as well) in the user's browser session or another data store.
Setting up a single landing page (to match your redirect_uri) should allow you to complete the OAuth2.0 handshake before sending the user on to a url of your choice.

Auto login user to third party site without showing a password to him

Background
We are integrating third party email solution into our site. When a user goes to the Mail page it must be automatically authenticated at the Mail site.
For now, the Mail link points to our page which automatically submits a form with the user's login and password. After clicking submit the user is redirected to the Mail site with authentication cookie.
The problem with this approach is that we do not want the user to see his Mail password, because we generate it automatically for him and there are some sane reasons not to show it.
Question
Is there any way to receive mail authentication cookies without sending the login information to the client and performing form.submit operation from the client's browser? Is there a better way to do what I'm trying to do?
Edit
Of course "I am trying to do it programatically". Looks like that there are no sane solution except pass these login/password to the client. Looks like we must accept that user can see his mail password and somehow make sure he cannot use this information to change password to some other value we will not know.
Edit: I didn't read the post correctly, I thought he was trying to login to a remote mail application, not one hosted on his own server. Ignore this answer.
When you login to the remote third party mail website, they will create a cookie (since HTTP is stateless, it's the only way it knows the user is authenticated unless they store some kind of session ID in the url). When you send the user to that site, the site needs to know how to authenticate the user. Even if you logged in from your application and grabbed the cookie, you can set a cookie on the users browser for another website. The only way for this to work is if there is some kind of development API on the third parties website you can hook into, or they allow you to use session id's in the URL.
Possible solution but has a security risk
If they allow you to set a session_id in the URL (for instance, PHPSESSID in PHP) then you could grab the session ID and append it to the URL when sending it to the user. I don't really like this idea since if the user clicks on a link in an e-mail, the new page will be able to check the referrer and see their session ID in the URL. This can become a huge security risk.
Lookup topics related to your mail vendor and "Pass-through Authentication." You did not mention what vendor/software you are using for your web mail solution, so I can't help you very much there. Other than forwarding the user's information (in a post request) to the login handler.
Generate unique IDs before sending an email and put them as hidden instead of username/password into form. Make them disposable (usable only once or usable once before successful entering the site)