I'm building an API and a Mobile APP in Xamarin. I don't want to confirm the phone number as I'd have to use Twilio or other SMS providers, instead, I want to confirm an email. At the same time, I don't want to create an email token to be sent to the user with a link to click, as API is not MVC and won't have any views.
Instead, I want a 6 digit code to be emailed to the user and then I will create an endpoint in the API where the user will submit that code via the mobile APP, to confirm the email. For example:
var code = await _userManager.GenerateChangePhoneNumberTokenAsync(newUser, newUser.Email);
This creates the code, notice I am passing users email rather than the phone number. This code is now emailed to the user, and the user enters this in the mobile APP. Then:
var confirmed = await _userManager.VerifyChangePhoneNumberTokenAsync(newUser, code, newUser.Email);
This confirms that the code is correct. The boolean resulting from this I will then use to manually set EmailConfirmed in the DB to true
It works. Is it acceptable though? Is there any reason why I shouldn't be doing this?
One reason that pops up is that even though it's just a validation code, semantically the function is for phone codes, so it could have some "gotchas" introduced in the future if you use it for e-mails.
By reading the source you can see that the implementation is currently based upon RFC 6238: Time-Based One-Time Password Algorithm, which is generic enough for the e-mail usage as well.
Thus, you know that by using the same method, it's as secure as the RFC 6238 specification as implemented in ASP.NET Identity Core.
You can't just use the class because the access modifier is internal, but following the same idea, there are OTP Libraries for .NET based on the same principle.
Using one of them would ensure that the implementation is as clean and generic as possible in my opinion, but for the quick and dirty solution with the current version of ASP.NET Identity Core, I'd see no issues with the approach.
I/we at www.dr.dk are working on a Sonos integration with the bare minimum functionality. This means that we wish to apply anonymous access in this first version of our Sonos integration.
In the API documentation
https://musicpartners.sonos.com/node/289#toc0
is says 'Finally, you can decide not to use any authentication, also knows as anonymous access. ...'
Which we read as an option to not to implement authentication endpoints like 'GetAppLink(...)' etc.
So now we have teste our service and it appears to work fine, as far as we know. Therefore we have now started to fill out the application registration form.
In the registration form we find the following required fields regarding authentication as depicted in the image below
Screenshot from the application registration form
As we see it these fields are related to authentication and seems somewhat confusing to us. So with our logic - anonymous authentication means that no test accounts or customer care accounts are needed etc.
So the question is. What are we missing ?
You can just mark those as N/A for each of the fields.
I am using Circuit Unify to work. However, I would like to save or export messages in a conversation into a file to save for better documentation. Currently it seems impossible on Web App as well as Desktop App. Thus, I want to make an extension (or app?) to do the work.
My question is: Where is the best place I should start with? How can I make an extension to Circuit? Is it possible to make such extension (or app)?
Your comments and suggestions will be greatly appreciated
Your best option is to use the Circuit JavaScript API to retrieve the messages using the API getConversationItems for example. Each item (aka message) contains the url(s) to download its attachments.
Now there are a few different ways this could be done.
Option 1: Using a bot
Create a bot (client credentials grant) that can be added to a conversation by a member of this conversation using the regular "Add participant" button on the Circuit client. This bot then has access to all messages of this conversation and can listen for new messages being posted. The bot can listen for a specific message (command) being sent, such as /export. When this command is sent, the bot retrieves all the data of this conversation to be exported, creates a pdf (or what ever format is required) and attaches this to the conversation. Alternatively the bot could also save that pdf in some other location, but that may pose a security issue.
Option 2: Using a separate web app
Create a web app on which users login using their Circuit credentials via OAuth (implicit or authorization code grant type). The app then acts on behalf of the logged on user. The app can list the conversations the user has access to (getConversations API) and show a button to export the selected conversation. The app then does the same as the bot in option 1 to create the pdf, but instead of posting the pdf to the conversation, the web app will download the pdf.
Option 3: Create a chrome extension
I do not encourage this option as there is no official way yet to extend the Circuit webclient. This means a new Circuit webclient version may break the extension. Using the chrome extension it would be possible to add an "Export" button in the UI and using some internal APIs get the data to be exported.
There is a plan to create official extension points to allow the developer to extend some part of the Circuit webclient and also use the JS SDK in a Chrome extension.
Note: You could also use the Circuit REST API instead of the JS SDK to
retrieve the messages.
I am trying to use the new .NET methods of sending email (System.Net.Mail), but I have various troubles along the way. My VB.NET app allows users to gather info and email it out based on the smtp server specs they set. Current issues are sending using STARTTLS (i think thats what its called) and doing things like authenticating via POP before being granted the ability to send.
I have had great reliability using CDO to deliver mail in the past as a part of a vbscript I wrote, and am going to look at integrating that over Net.Mail.
Is there a problem with using CDO to deliver email, over current .NET methods? Is it deprecated, or bad practice? Is there any limitation based on current email technology?
Am I totally going to wrong direction, and should instead, use a precompiled SMTP Mail application I can drop in as part of my application? I have seen people do this over writing their own code to deliver mail. If you like this method, what are some good choices?
I'm trying to develop a REST API web service. I have a question about how to handle user activation email. Currently, the API service handles email sending.
Here is the flow I have at the moment:
User registers via the client application
Client application POSTs to API service
API service validates and adds the user to the database
API service sends the User an activation link
User clicks on the activation link, which will take them to the client application activation page
Client application activation page POSTs to API service
Done
Here is where I currently see the issue:
Because the API service is currently sending the email, the client application does not have control over the look and feel of the email. And there may be URLs in the email that should point to the client application.
Another option is instead of the API service sending the activation email, it will return the activation key to the client application. The client application will then be able to send the activation email to the user.
Two issues I see with this strategy:
Security, as the activation key is now exposed to the client application.
Not DRY, as each client could be responsible for email sending.
What do you think is best way to handle this?
I would like to allow the client application to customize their email, as well as include client-specific URLs (activation page).
TL;DR
Create a small service for developers to create templates, let them declare which template they want to use when POSTing to your activation API
Summary of the problem:
e-mail needs to look different for every client app
sending mail should be implemented once
solution should be secure
There is no need for the e-mail to look different every time. So there's no need to send the e-mail format with the POST request.
Instead one of the following can be done:
1 Create a separate API endpoint to define templates and let the client app choose one of them when POSTing the request for activation.
This is not exactly secure, at least poses a challenge to make it safe if you want to accept HTML from the client apps.
Recommended solution:
2 Create a tool for developers (in the same website where they get their API key) that accepts templates and aids creating them. Client app can choose one of them when POSTing the request for activation. Fragment of the request body being something like:
...
"template": "foobar-app",
"fields": {
"title": "Welcome to foobar app",
"username": "jim78"
}
...
No HTML in the fields allowed.
This lets you have pre-defined templates prepared by the developer that can be used by your e-mail sending service and no bug in client app can cause the e-mail to become unsafe. Also, you get a place where the templates can be worked on and tested. (the developer can send them to himself to debug - making e-mail templates is horrible, belive me)
You'll be able to support your developers/clients better in the future and prepare a set of working templates tested in multiple mail clients.
A point about security and trust. Typically you send an activation email that contains a url link that has the activation code. The purpose of the email is to validate that the email is valid and that the user has access to that email. The only way the user could have received the verification link is through the email.
If you pass back the activation link to the client then anyone who has access to your API has access to the activation code. If they have access to the link they can bypass the verification process. This is really easy if you have a web app, as they just need to drop into the browser developer mode to see the link. If you have a fat client then they could snoop the network if you are not using encryption like https. They could also, if they were dedicated, decompile your binary (this is why you d not store keys in your binaries).
A backend should never trust a client to implement a security procedure because it never knows when it has been compromised. The safe and correct way is to do the activation email on the server side.
Another way to look at this, is that it is similar to the client saying "yes the user is authenticated so give me all the data"
As for the templates there are plenty of good answers above. I would suggest having a catalog of templates and a list of arguments that can be replaced.
So the way I achieved this in my opinion is quite a nice way. So I took the methodology of how JSON Web tokens work and applied it to my activation links. I'll explain how it works:
I have 2 web servers, one which handles the REST API, and one which handles the spa.
So the user registers, and the request is sent to the API. The response is then returned to the SPA at which point if successful sends a request to the SPA Backend which signs a token with the user's credentials, the purpose of the token (which is this case is to verify the email address) and it's expiry date.
This token is sent to the user's email address, however on the REST server there is a receiving route that will decode the token and if valid, verifies the email address.
This does mean that technically only 1st party clients can authenticate the email address as they are the only ones that can know your cipher secret. If your secret was freely handed out, then the problem would occur that anyone could verify their email address.
I hope this helps!
EDIT: another way would be to pass a template built in handlebars or something that swaps out variables for actual values. Then have the REST api render it, and email it. (This is probably the best way imo haha)
Your API could have an IEmailBodyFormatter object that is passed as a parameter to your API call....
I'd extend step 2 with additional post-data sent to the server:
"mail":{
"placeholder":"someStringChoosenByClientWhichWillBeReplaceByActivationCode",
"subject":"Hey there, please activate",
"ishtml":false,
"body":"SSdtIHRyeWluZyB0byBkZXZlbG9wIGEgUkVTVCBBUEkgd2ViIHNlcnZpY2UuIEkgaGF2ZSBhIHF1ZXN0aW9uIGFib3V0IGhvdyB0byBoYW5kbGUgdXNlciBhY3RpdmF0aW9uIGVtYWlsLiBDdXJyZW50bHksIHRoZSBBUEkgc2VydmljZSBoYW5kbGVzIGVtYWlsIHNlbmRpbmcu"
"attachments":[
{
"content-type":"image/png",
"filename":"inline_logo.png",
"content":"base64_data_of_image"
}
]
}
This would allow the client full control over sent message, but the activation procedure (mail generation & delivery) is still handled by the service.
Everything except the activation key can be generated for every user by the client (e.g. using "Hello XYZ" as Subject).
I'm not sure whether it's an good idea to allow html-Mails ("ishtml":false,), this depends on your application and the amount of time you want to spent implementing this.
Allow the client to manage their own email template(s). When they post a new user registration, allow them to specify which template to use. Then your application is sending the email message, but clients can control what it looks like.
POST /email-templates
{
"subject": "Complete Your Registration",
"body": "<html>Follow this link to complete your registration: {activationLink}. It is valid for 45 minutes.</html>"
}
POST /registration-requests
{
"name": "John Q. Public",
"emailTemplate": "/email-templates/45"
}
I think the proper way is to expose the activation key for the client to do whatever it wants with.
You could also add another endpoint to send the activation key for the user.
Returns user. (with the url like User/{userid} and other resources url like User/{userid}/ActivationKey)
User (POST)
This can returns the current user and other resources like Email, Activate, etc.
For info about the key (like dates, expiration, etc)
User/{userid}/ActivationKey
from there you can extend it as long as you want with :
Preview activation email:
User/{userid}/ActivationKey/Email (GET)
Update activation email with template, smtp server, etc of the email. :
User/{userid}/ActivationKey/Email (PUT)
Create (and send) activation email, possible with date to send or other send options (text-html versions, etc) :
User/{userid}/ActivationKey/Email (POST)
You could possibly list all email sent and preview them in another endpoint if necessary.
User/{userid}/Emails (GET)
User/{userid}/Emails/{emailid} (GET)
I join nauktur on the idea of letting the client send you a template of his email. (And +1 for talking about a way to test, because I agree on the awfulness of mail "development").
But why so complicated ? Client apps mean developers, so why not let them give them your default template (with HTML), let them play around if they want to, and send you back the version they prefer ?
It's not a lot of work for you (just a new field in the client table and a new route), and it gives them a lot of options.
Here is a basic example where we'll be exposing some parameters so that they can play around with the HTML without even having to know them :
app.name
app.description
activation_code
user.* registering info
Basic template
{
title: "Your activation code for %{app.name}",
body: "<p>Hi, you've been registered on %{app.name}.
<p>%{app.description}</p>
<p>Follow this link to confirm your inscription."
}
Register new template
Then the client says : "I prefer to have a more simple mail, but I want his name in it !".
[PUT] /api/email/templates/client_id
{
title: "Your activation code",
body: "<p>Hi %{user.fullname}, Follow this link to confirm your inscription."
}
And here you go. Let them play with HTML, it allows way more personalization.
There's no harm in it except for their image on their clients if they mess up, but they're their clients.
Security issues
It was pointed out that attackers could get access to the token of the client app could inject malicious content in the template. First of all, the risk is already so high if the token leaks, that this is the last of your concerns. Still, if you're scared of this, disallowing img tags and making the content of a tags match the href attribute should solve your issue.