Disallowing link from opening in Forward email - authentication

We have a use case wherein a notification email is sent out in response to some postings on a forum. These notification emails carry an AHREF link which basically allows launching the post page from the email itself. Additionally, these links carry an authentication token so that the user doesn't have to sign in when opening the page. This works fine in the normal use case, but in the scenario where the original recipient forwards the email to some other account, we are not sure how we can identify that the link was opened from the forwarded email. Can somebody provide some insight?

There is principally no way for you to detect that a link was clicked in an email that was forwarded vs. an email that you sent directly to someone.
Do not put an authentication bypass in the link if the need to secure your content outweighs the need for user friendliness.
You can weigh allowing the user, once they log in, to set a persistent authentication cookie in the browser they logged in from. That way, if they click a link in an email and that cookie is set, they can get directly into the website. StackOverflow.com works that way, which is convenient and the downside risk is not too great. Fortunately my bank does not work that way. The potential for loss is much greater with home banking.
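The two designs the answer contrasts, as an added example that is not part of the original question or answer. The link carries a signed, expiring token that names the post and the recipient; `resolve_click` shows why that token can never reveal a forward (a forwarded copy verifies identically) and why the safe choice is to let the browser's persistent auth cookie, not the link, decide who is logged in. The secret, the `/posts/<id>` URL shape and the user names are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"server-side-signing-secret-rotate-me"  # hypothetical; store outside the code


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_link_token(post_id, recipient, ttl_seconds, secret=SECRET, now=None):
    """Token embedded in the notification link: records which post the mail was about
    and who it was sent to, with an expiry, under an HMAC so it cannot be altered."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"p": post_id, "r": recipient, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_link_token(token, secret=SECRET, now=None):
    """Returns the claims if the MAC checks and the token is unexpired, else None.
    Note what it cannot tell you: whether the person holding the token is the
    recipient. A forwarded copy verifies exactly like the original."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    return claims


def resolve_click(token, session_user, allow_token_login=False, secret=SECRET, now=None):
    """Decide what happens when the emailed link is opened.
    session_user: user id taken from the browser's persistent auth cookie, or None.
    Returns an (action, detail) pair."""
    claims = verify_link_token(token, secret, now)
    if claims is None:
        return ("reject", "bad or expired link")
    post_url = "/posts/%d" % claims["p"]
    if session_user is not None:
        # The cookie is the credential; the link is only a deep link. Whoever clicks sees
        # the post as themselves, so a forwarded link never turns into the recipient's session.
        return ("open", {"as": session_user, "url": post_url})
    if allow_token_login:
        # The bypass the answer warns against: the link itself logs the clicker in as the
        # original recipient, which is exactly what a forwarded mail hands to a stranger.
        return ("open", {"as": claims["r"], "url": post_url})
    # No cookie and no bypass: ask for a login, then continue to the post.
    return ("login", {"next": post_url})
```

With `allow_token_login=False` the worst a forwarded link can do is deep-link the clicker to a post they are entitled to see as themselves; keep the TTL short in either mode so that a mailbox compromised later does not yield a pile of still-valid links.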


How can I customize AWS Cognito's default confirm message?

I am using AWS Cognito to verify users' emails by sending verification links to users' email addresses. After users click the links, a default confirmation message "Your registration has been confirmed!" is shown. Is there a way to customize this message?
Thank you!
Currently (late June 2018) this still appears to be not supported. It is a pain because users should be redirected to the app in question after confirming their account, but currently they must navigate themselves.
There is a proposed workaround (essentially customizing the confirmation e-mail to send the user to your own API that performs the confirmation in a lambda), but I have not tried it. There does appear to be demand for this and AWS is aware of it as a feature request. I've seen them adding more customization abilities to the Cognito console recently, so keep checking there for updates.
If you're using the Cognito-hosted pages, you only get what you get which is going to vary depending upon when you're reading this message. Here in late 2019, the Cognito-hosted page redirects successful logins and confirmations (of phone/email) to whatever you specified as the redirect URL.
My issue is similar. After the user signs up, I want to customize the CSS of the confirmation page which doesn't appear possible. The confirmation page isn't great because it means that if the user closes the confirmation code entry tab before entering it, then their email is in the system but unconfirmed. And there's no way to confirm it. It's stuck. I'd like to have giant red letters that say "DO NOT CLOSE THIS CONFIRMATION TAB. CHECK YOUR EMAIL FIRST!" but there doesn't appear to be any way to do this at present.
The solution to any of these "how do I customize X of the Cognito-hosted flow" is either (a) look in the available UI customizations or (b) if they aren't available, change to an entirely hosted flow (still Cognito... just using your own pages and URLs).
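The workaround mentioned in the second answer (customize the confirmation e-mail so it points at your own API, which performs the confirmation and can then redirect into the app), written out as an added example; it is not code from the original answers nor from AWS. The first function is a Cognito "Custom message" Lambda trigger, whose event shape (`triggerSource`, `userName`, `request.codeParameter`, `response.emailMessage`) is the documented one; the second is the handler behind the link, which calls `ConfirmSignUp`. The endpoint URLs are assumptions, and the Cognito client is injected rather than created with `boto3.client('cognito-idp')` so the example runs offline.

```python
import urllib.parse

# Hypothetical endpoints for this example: your own confirmation API and the app to land on.
CONFIRM_ENDPOINT = "https://api.example.com/confirm"
APP_URL = "https://app.example.com/"


def custom_message_trigger(event, context=None):
    """Cognito 'Custom message' Lambda trigger. For the sign-up mail it replaces the
    default text with a link to CONFIRM_ENDPOINT. event['request']['codeParameter']
    is the literal placeholder (normally "{####}") that Cognito swaps for the real
    code after this function returns, so it must be passed through unencoded."""
    if event.get("triggerSource") == "CustomMessage_SignUp":
        placeholder = event["request"]["codeParameter"]
        link = "%s?u=%s&code=%s" % (
            CONFIRM_ENDPOINT, urllib.parse.quote(event["userName"], safe=""), placeholder)
        event["response"]["emailSubject"] = "Confirm your account"
        event["response"]["emailMessage"] = "Confirm your account by opening: " + link
    return event


def confirm_endpoint(query_string, cognito_client, client_id):
    """Handler behind CONFIRM_ENDPOINT. In production cognito_client is
    boto3.client('cognito-idp'); here it is injected so the example runs offline.
    Returns (status, headers, body) in the style of a minimal HTTP handler."""
    params = urllib.parse.parse_qs(query_string)
    username = params.get("u", [""])[0]
    code = params.get("code", [""])[0]
    if not username or not code.isalnum() or len(code) > 32:
        return (400, {}, "missing or malformed parameters")
    try:
        # ConfirmSignUp is the unauthenticated API; the app client must have no client
        # secret, otherwise SecretHash has to be supplied as well.
        cognito_client.confirm_sign_up(
            ClientId=client_id, Username=username, ConfirmationCode=code)
    except Exception:  # boto3 raises ClientError, e.g. CodeMismatchException / ExpiredCodeException
        # Do not echo the service error to the browser; log it server-side instead.
        return (400, {}, "confirmation failed")
    # The step the hosted confirmation page did not offer at the time: land in the app.
    return (302, {"Location": APP_URL + "?confirmed=1"}, "")
```

Because `ConfirmSignUp` needs no credentials, the endpoint is reachable by anyone who can guess a username and code; rate-limit it per username and IP and rely on Cognito's own code expiry, and do not reveal in the response whether the username exists.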

Do not log my own visits with a tracking pixel (web beacon)

I'm adding a tracking pixel at the end of the emails I send via Gmail:
<img src="http://myserver.com/test/1pixelimage.png?id=track_emailSentToBob" />
and then I have a script on my server which sends me a notification via email when Apache sees 1pixelimage.png?id=track_* in the logs. It works perfectly.
Problem: I receive a notification each time I open my own email in Gmail's Sent folder.
I've thought about:
filter by IP: not working because I often use Gmail on my phone, which has a dynamic IP that changes very often.
filter by UserAgent (that I could customize, e.g. I could set user agent = blabla, and send me notifications only if user agent is NOT blabla): this would require that I install a UserAgent modifier extension on all my browsers (not possible on phone), so this is not a solution.
Anyway, when opening an email in Gmail, Gmail caches the images, so the request would not be made by my own browser but by Gmail's image caching server.
How would you filter out your own visits of the tracking pixel image?
Note: I don't want to use a third-party app that requires "Send, write, manage your emails" permissions on Gmail.
Do it the way you prevent tracking pixels from others, too: disable HTML mail in your mail programs and adblock tracking pixels in your browser for webmail.
If the Gmail app does not allow this, get another e-mail app. Loading content linked in an e-mail is a bad idea anyway. If you want an easy example, then think of read receipts for spammers...
On the other hand: Why do you want to track others? They will be as annoyed as you, because they like their privacy as well.
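The server-side half of the question's setup, as an added example that is not from the question or the answer: the notifier script that scans Apache log lines for fetches of `1pixelimage.png?id=track_*`. It adds the check a practitioner would want before mailing themselves on every match: the `id` carries an HMAC, so only ids the sender actually issued trigger a notification and nobody can spam the notifier by requesting `?id=track_anything`. It also flags fetches made through Gmail's image proxy, whose user agent (as observed in such logs, and which Google may change) contains `GoogleImageProxy`; since those come from Google's addresses, this is also why the IP filter in the question cannot separate the sender's own opens. The secret and the sample log lines are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import urllib.parse

PIXEL_PATH = "/test/1pixelimage.png"             # path used in the original post
SECRET = b"long-random-secret-not-in-the-repo"   # hypothetical key for the id MAC

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def make_tracking_id(label: str, secret: bytes = SECRET) -> str:
    """track_<label>.<mac>: the MAC means only ids we issued count as opens."""
    mac = hmac.new(secret, label.encode(), hashlib.sha256).digest()[:12]
    return "track_%s.%s" % (label, base64.urlsafe_b64encode(mac).decode().rstrip("="))


def verify_tracking_id(track_id: str, secret: bytes = SECRET):
    """Returns the label if track_id carries a valid MAC, else None."""
    if not track_id.startswith("track_") or "." not in track_id:
        return None
    label = track_id[len("track_"):].rpartition(".")[0]
    return label if hmac.compare_digest(make_tracking_id(label, secret), track_id) else None


def parse_open(log_line: str, secret: bytes = SECRET):
    """One log line -> dict describing a genuine pixel fetch, or None."""
    m = LOG_RE.match(log_line)
    if not m or m.group("method") != "GET" or m.group("status") != "200":
        return None
    url = urllib.parse.urlsplit(m.group("target"))
    if url.path != PIXEL_PATH:
        return None
    track_id = urllib.parse.parse_qs(url.query).get("id", [""])[0]
    label = verify_tracking_id(track_id, secret)
    if label is None:
        return None
    # Gmail fetches images through its proxy: the IP is Google's and the UA (as observed)
    # carries this marker, for every reader of the mail, the sender included.
    return {"label": label, "ip": m.group("ip"),
            "via_google_proxy": "GoogleImageProxy" in m.group("ua")}


def genuine_opens(lines, secret: bytes = SECRET):
    """The notifier's filter: only these entries are worth a notification."""
    return [o for o in (parse_open(line, secret) for line in lines) if o]


# Constructed sample log lines: a genuine open via Gmail's proxy, a forged id, an unrelated hit.
SAMPLE_LOG = [
    '66.249.81.1 - - [10/Oct/2019:13:55:36 +0000] "GET %s?id=%s HTTP/1.1" 200 68 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"'
    % (PIXEL_PATH, make_tracking_id("emailSentToBob")),
    '203.0.113.7 - - [10/Oct/2019:14:02:11 +0000] "GET %s?id=track_emailSentToBob HTTP/1.1" '
    '200 68 "-" "curl/7.64.1"' % PIXEL_PATH,
    '203.0.113.7 - - [10/Oct/2019:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.64.1"',
]
```

The MAC does not answer the original question of telling the sender's own opens from the recipient's: through the proxy both look the same, so `via_google_proxy` only tells you that the IP and user agent are not usable as discriminators. Per-recipient labels at least keep the notifications attributable and unforgeable.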

PHP script to send and retrieve SMS from a website

I'm not sure where to begin, but I have a case where I need help from others, if it is possible to solve.
The thing is, I got a new alarm system at home. This system uses an SMS function so I can send a short code to my alarm asking for its status (ON or OFF), or I can turn it on/off with an SMS.
Since both the SMS number and the code are strictly personal, I would not like to tell my carpenter the codes, but while he is working at my home, I can give him a login to my site, where he can see if the alarm is turned on or even turn it on/off by himself.
I would like to build me a website, that does the same.
Given a login to my site, when logged in, I would like the website to send an SMS automatically, then retrieve the answer and display it on the website.
Is this even possible? If so, can anyone point me in the right direction here?
Thanks in advance =)
You can send an SMS from a website. Most mobile operators will gladly offer you an appropriate API.
For instance Deutsche Telekom has an API called "Developer Garden" that allows you to send SMS via a WebService and much more.
see here for an example: www.developergarden.com
Other providers may also offer such services.
You need an SMS gateway (we use these guys: http://inteltech.com.au/, but nearly any will do).
Your easiest option is to find one where you can submit SMS messages for sending via a URL, e.g. in our case the URL looks like this:
http://inteltech.com.au/secure-api/send.single.php?username=[user]&key=[longcode]&method=http&senderid=[id]&sms=[phonenumber]&message=[here's the message]
It's extremely simple to use. If your site handles the login otherwise, then you can use this for the rest.
Now, how to receive SMS messages is a bit trickier :)
But this provider, for example, offers you options to:
Send the reply as an email to a nominated email address.
Send the reply as an email to the original user who sent the message.
Send the reply as an SMS to a nominated mobile number.
POST the reply to your website or application . e.g. We can call a http/https request to your script
As you can see, both the email and the POST options provide great ways to integrate.
I'd say if you don't handle incoming email already, then stick to the POST method.
voila :)
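Both halves of the integration the second answer describes (sending through the provider's URL, receiving the reply as a POST to your site), as an added example that is not code from either answer or from the provider. Outbound, it builds the query string from the answer with every value URL-encoded and shows how to redact the API key before the URL is logged. Inbound, it adds the two checks a practitioner would want before a posted reply is allowed to change what the carpenter sees: a secret token carried in the callback URL you register, and a check that the reply really came from the alarm's number. The inbound field names (`from`, `message`), the alarm number, the token and the "ON"/"OFF" wording of the alarm's reply are assumptions.

```python
import hmac
import re
import urllib.parse

SEND_ENDPOINT = "http://inteltech.com.au/secure-api/send.single.php"  # from the answer above
ALARM_NUMBER = "+61400000000"                       # constructed: the alarm panel's SIM number
CALLBACK_TOKEN = "replace-with-long-random-value"   # hypothetical: part of the callback URL you register
STATUS_RE = re.compile(r"\b(ON|OFF)\b")             # assumed shape of the alarm's reply text


def build_send_url(username, key, senderid, to, message):
    """Outbound: the provider's GET interface from the answer, with every value
    URL-encoded so '&', '?' or spaces in the message cannot break the query."""
    params = {"username": username, "key": key, "method": "http",
              "senderid": senderid, "sms": to, "message": message}
    return SEND_ENDPOINT + "?" + urllib.parse.urlencode(params)


def redact_for_log(url):
    """The API key travels in the query string; strip it before the URL reaches a log."""
    parts = urllib.parse.urlsplit(url)
    q = [(k, "***" if k == "key" else v)
         for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(q)))


def parse_inbound_reply(callback_query, form_body):
    """Inbound: the provider POSTs the reply to your URL (field names assumed).
    Returns 'ON'/'OFF', or None when the post should be ignored. Two checks keep
    anyone on the internet from posting a fake alarm status to your site: the secret
    token in the registered callback URL, and the sender number."""
    token = urllib.parse.parse_qs(callback_query).get("token", [""])[0]
    if not hmac.compare_digest(token.encode(), CALLBACK_TOKEN.encode()):
        return None
    fields = urllib.parse.parse_qs(form_body)
    if fields.get("from", [""])[0] != ALARM_NUMBER:
        return None
    m = STATUS_RE.search(fields.get("message", [""])[0].upper())
    return m.group(1) if m else None
```

Since the provider's API puts the key in the URL, use the HTTPS variant of the endpoint if the gateway offers one, and keep the send function behind the site's login and a rate limit so a logged-in visitor cannot run up the SMS bill.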

How do I detect Google account deletion?

I've just started working with Google OAUTH2 in order to add a "Sign in with Google" button to my web site.
According to the "Google+ Platform Developer Policies" section B.2.a.III, if a user deletes their Google account, I must delete all personal information I obtained from the Google API relating to them.
Does this apply to my web application as well? And if so, how do I detect that a user's Google account no longer exists? Surely, a successful login will only occur if the Google account exists; so how can I tell if a previously existing account is no longer there?
Maybe someone has a better approach, but a simple and practical solution would be to have a link buried somewhere on your site that allows a user to request account deletion via email (assuming you still possess a valid email for him; if he deletes his Gmail and that's all you have, then you have no way to contact him other than manually via phone or something).
The doc you link to says: "Give users a reasonably convenient way to delete any of their personal information you've obtained from the API."
So assuming you still have a valid email address, this would work:
Your FAQ says "What if I want to delete my account?". Links to account deletion page.
Account deletion page: What's your email? _____ (Continue)
Email is sent to user with (securely randomized) confirmation link.
Confirmation link is clicked by user which deletes all of his data from your site.
Success of that process is dependent only on your system and the email arriving.
(If you are concerned about complying with EU data protection law, you might want to implement this feature anyway, since one legally has the right to demand the deletion of one's own personal data.)
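The deletion flow from the answer (request by e-mail, securely randomized confirmation link, deletion on click), as an added example that is not code from the answer. It shows the details the bullet list leaves implicit: the form responds identically whether or not the address has an account, so it cannot be used to find out who is registered; only a hash of the token is stored; and the token expires and is single-use. The in-memory `USERS` and `PENDING` tables and the sample addresses are constructed stand-ins for the application's database.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # confirmation links live one hour

# In-memory stand-ins for the application's tables (constructed for this example).
USERS = {
    "alice@example.com": {"google_sub": "1029384756"},
    "bob@example.com": {"google_sub": "5647382910"},
}
PENDING = {}  # sha256(token) -> {"email": ..., "exp": ...}


def request_deletion(email, now=None):
    """Steps 2 and 3 of the flow: the user types an address and, if it has an account,
    a link is mailed. Returns (message, token); the token is None when no account exists
    and otherwise goes only into the e-mail. The message is identical either way so the
    form cannot be used to test which addresses are registered."""
    now = time.time() if now is None else now
    token = None
    if email in USERS:
        token = secrets.token_urlsafe(32)
        # Only a hash is stored: a read of this table (or of a backup) yields nothing usable.
        PENDING[hashlib.sha256(token.encode()).hexdigest()] = {
            "email": email, "exp": now + TOKEN_TTL}
    return "If that address has an account, a confirmation link has been sent to it.", token


def confirm_deletion(token, now=None):
    """Step 4: the link is opened. The entry is removed before it is checked, so a
    token works at most once, and an expired one is discarded rather than honoured."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry["exp"] < now:
        return False
    USERS.pop(entry["email"], None)  # here is where everything obtained from the API is erased
    return True
```

Send the link with a GET-then-confirm page rather than deleting on the bare GET if your mail provider or corporate proxy pre-fetches links; otherwise an automated link scanner opening the mail would delete the account.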

Mailchimp API (v1.3): addresses added with listSubscribe() don't appear in dashboard

I'm using Mailchimp's API (v1.3) to add email addresses to a subscriber list on one of our sites. Obviously, I'm using listSubscribe() and everything is working fine, for the most part (read: API call returns true, all of the data I'm sending to Mailchimp gets added/updated correctly).
The problem, however, is that whenever a new address is added, the things that are normally supposed to happen (in particular: email notifications to list manager, addresses showing up in the dashboard list status stream) aren't happening.
I've looked around for quite a bit and haven't found anyone with the same issue. Any ideas?
The default action of listSubscribe to add a subscriber is opt-in. This means that when you submit a listSubscribe the subscribed user will get an email asking to confirm their opt-in.
If the user does not follow the link in the email then they will not appear in the dashboard.
You can bypass this by using:
'double_optin' => FALSE,
http://apidocs.mailchimp.com/api/1.3/listsubscribe.func.php
However this is only recommended for very occasional circumstances (essentially where you are handling the opt-in).
In my case I am not activating a user account until they verify their email address. If I let the opt-in email be sent, then the user is going to get a number of emails from my web app. I'm being very careful to make sure that they're verifying their subscription and all subscription stuff is being processed by the web app (e.g. a user unsubscribes within the web app, not via MailChimp).
I talked to the Mailchimp support, and they said those actions won't happen using their public API; there is no way to trigger them.