
I have a requirement for an authenticated user to be able to send an invite to someones email address. On clicking this invite, the user would be prompted to sign up, and on completion, would be associated with the same account as the originator.

I am struggling to design a secure mechanism for ensuring the invited user is associated with the intended account, and no other.

(If it's of help, I am using Ruby 2, Rails 4, and the sorcery gem for authentication)

pingu
  • Check out devise: https://github.com/plataformatec/devise, and devise invitable: https://github.com/scambra/devise_invitable. – AytanLeibowitz Nov 28 '14 at 18:40

1 Answer

The following works:

  1. Use Sorcery User Activation submodule

  2. On 'invite' action create User (non-active) and attach her to the account. Send invitation email with activation link, e.g. http://example.com/users/:token/activate.

  3. In your users_controller#activate:

```ruby
# Sorcery looks the user up by the token from the activation link;
# returns nil if the token is unknown or expired
user = User.load_from_activation_token(params[:token])
... # update user fields, e.g. set password
# marks the user active and clears the activation token
user.activate!
```
palkan
  • If I am already using user activation for the purpose it was designed for, how can I also use it for invites please? – pingu Jan 07 '15 at 14:39
  • Almost the same way: create user, attach her to account and set up an invitation token for the user; send email with link containing the token; in the controller find user by token, update info and activate her. – palkan Jan 07 '15 at 16:39
  • Just hit this link looking for a similar feature. The problem with abusing the activation feature for this is that if you create a user without a password, sorcery [will not trigger an email](https://github.com/NoamB/sorcery/issues/88). – Abe Petrillo Jun 10 '17 at 14:15
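Added example (not code from the answer or from the Sorcery gem): a plain-Ruby sketch of the flow in the answer and palkan's comment, with the checks a practitioner would want. `Invite` and `InviteStore` are assumed names standing in for the User model; the point is that the account association is fixed server-side at invite time, so the emailed token only has to identify the pre-created user and is single-use, expiring and stored hashed.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the invited-user record (not Sorcery's User model).
Invite = Struct.new(:account_id, :email, :token_digest, :expires_at, :activated,
                    keyword_init: true)

class InviteStore
  TOKEN_TTL = 7 * 24 * 3600 # seconds an unused invite link stays valid

  def initialize
    @users = []
  end

  # 'invite' action: create the non-active user already attached to the
  # inviter's account. The account id is decided here, server-side, so the
  # token never carries it and the invitee cannot pick a different account.
  def create_invite(account_id, email, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32) # 256 random bits, unguessable
    # only the digest is stored, so a read of the table yields no usable links
    @users << Invite.new(account_id: account_id, email: email,
                         token_digest: Digest::SHA256.hexdigest(raw),
                         expires_at: now + TOKEN_TTL, activated: false)
    raw # this goes into the emailed activation link
  end

  # users_controller#activate: find the user by params[:token], refuse
  # unknown, expired or already-used tokens, then activate and burn the token.
  def redeem(raw_token, now: Time.now)
    return nil if raw_token.nil? || raw_token.empty?
    digest = Digest::SHA256.hexdigest(raw_token)
    user = @users.find { |u| u.token_digest == digest }
    return nil if user.nil? || user.activated || now > user.expires_at
    # (set the password from the sign-up form here, as in step 3 above)
    user.activated = true
    user.token_digest = nil # single use
    user
  end
end
```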