← Back to Upcase

[Devise] Log in user with link


(David Lee) #1

Hi,

I’m interested in allowing a user to be automatically sign in to my app (which uses Devise) by clicking on an emailed link that contains a unique hash. I have a few ideas on how to get started, but I couldn’t find too much online and would love to get some thoughts from everyone. Thanks!


(Ben Orenstein) #2

Hey there!

I repeated your question in our internal Campfire room. @jferris has implemented something similar recently. Here were his thoughts:

I think I’m about to be pulled into a meeting, so - lightning version:

we send a token that’s “user_id|creation_timestamp” encrypted using a
private key that only the server knows

when a request comes in with an auth token, it decrypts it, checks to see that the timestamp is valid,
and then logs in the user with that ID if it is

so we can generate
them on the fly to insert in emails, etc, by encrypting the user id
and the current time

if the timestamp is too old, we go to the sign in
page instead I did not invent this approach and it has not been vetted
by any real security experts, so it may not be NSA proof

Hope that helps!