I’m interested in allowing a user to be automatically signed in to my app (which uses Devise) by clicking on an emailed link that contains a unique hash. I have a few ideas on how to get started, but I couldn’t find too much online and would love to get some thoughts from everyone. Thanks!
I repeated your question in our internal Campfire room. @jferris has implemented something similar recently. Here were his thoughts:
I think I’m about to be pulled into a meeting, so - lightning version:
we send a token that’s “user_id|creation_timestamp” encrypted using a private key that only the server knows
when a request comes in with an auth token, it decrypts it, checks to see that the timestamp is valid, and then logs in the user with that ID if it is
so we can generate them on the fly to insert in emails, etc, by encrypting the user id and the current time
if the timestamp is too old, we go to the sign in page instead
I did not invent this approach and it has not been vetted by any real security experts, so it may not be NSA proof
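The token scheme described above, written out as an added example (not code from the thread or from jferris): the token is "user_id|creation_timestamp" encrypted with a server-only key, and verification rejects tokens that are too old. AES-256-GCM is used here so the authentication tag also rejects a token whose ciphertext was altered; the key, the 15-minute TTL and the function names are assumptions.

```ruby
require "openssl"
require "base64"

# Constructed server-only key for this example; a real app loads it from
# its secret store (e.g. Rails credentials), never from source.
SERVER_KEY = OpenSSL::Digest::SHA256.digest("example-server-secret-not-for-production")
TOKEN_TTL = 15 * 60 # seconds an emailed link stays valid (assumed value)

# Build "user_id|creation_timestamp", encrypt it with AES-256-GCM, and
# URL-safe base64 encode nonce + GCM tag + ciphertext for use in a link.
def generate_login_token(user_id, now = Time.now)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = SERVER_KEY
  nonce = cipher.random_iv          # fresh 12-byte nonce per token
  cipher.auth_data = ""
  ciphertext = cipher.update("#{user_id}|#{now.to_i}") + cipher.final
  Base64.urlsafe_encode64(nonce + cipher.auth_tag + ciphertext, padding: false)
end

# Returns the user id when the token decrypts, authenticates and is still
# fresh; returns nil otherwise so the caller can fall back to the normal
# sign-in page (bad base64, truncated input, altered bytes and expired or
# future-dated timestamps all end up as nil).
def user_id_from_token(token, now = Time.now)
  raw = Base64.urlsafe_decode64(token)
  return nil if raw.bytesize < 12 + 16
  nonce, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = SERVER_KEY
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = ""
  plaintext = cipher.update(ciphertext) + cipher.final # raises on tampering
  user_id, created_at = plaintext.split("|", 2)
  return nil if user_id.nil? || created_at.nil?
  age = now.to_i - created_at.to_i
  return nil if age < 0 || age > TOKEN_TTL
  user_id.to_i
rescue ArgumentError, OpenSSL::Cipher::CipherError
  nil
end
```

In a Devise controller the returned id would be looked up and handed to Devise's `sign_in` helper, with a redirect to the sign-in page when the result is nil.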