How to prevent abuse of unsubcription from a newsletter?

Question

Preface: I'm not a web developer, I'm just trying to learn as I go while making my first website.

I stumbled on an engineering problem in regards to unsubscribing from newsletter. I thought it would be a good idea to use a get method with a parameter like this:

/unsubscribe=qwerty@qwerty.com

Then I went ahead and implemented it in javascript:

app.get('/unsubscribe:subEmail', async (req, res) => {
    subEmail = req.params.subEmail.substring(1);
    let subscriber = await Subscriber.findOne({ email: subEmail })
    if(subscriber == null){
        res.send('subscriber doesnt exist')
        return;
    }
    await subscriber.delete()
    res.redirect('/')
})

But, then it occurred to me; how do I make sure the email provided does not belong to another subscriber?

Question: What are the good engineering solutions used to prevent abusing this?

score 0 · Accepted Answer · answered Jul 06 '22 at 09:58

0

There are a couple of traditional options.

Secrets

Unsubscribe users based on a secret and not an email address.

Traditionally, this is a GUID including in a link to the unsubscribe endpoint that is included in each email sent out.

Authentication

Require users to login to their account before providing access to the feature.

This is typically provided as a second option since the link in the email has less friction.

answered Jul 06 '22 at 09:58

Quentin

914,110
126
1,211
1,335

In regards to Secrets part of your answer; do I generate that GUID when subscription occurs? And save it to database along with the email? – PeePeeMoniker Jul 06 '22 at 10:04
That seems like a reasonable time to do so. Yes. – Quentin Jul 06 '22 at 10:06
I implemented default: uuid.v4 and used the value of that instead of email in the get method. And it works well, thank you. – PeePeeMoniker Jul 06 '22 at 10:30

How to prevent abuse of unsubcription from a newsletter?

1 Answers1

Secrets

Authentication