Auth without user

Hi all

I’d like to allow non-users access to specific views in my project. I can see a number of ways to handle OT authentication via email, which is great. What I can’t find is any method of handling this based on not having a User record in the system.

(Use case is that an actual user can add non-users to a model via email. The non-user will get a link to the model record they have been added to, and will be able to confirm or deny their status. I don’t want these people to be forced to create accounts in order to do this, but neither do I want this open to anybody that happens to get hold of the link. The initial mail will contain a token that authorises them, and they will be able to request a new link any time that expires. They will only have access to a couple of very specific views though when they “log in” like this.)

Has anybody else done this, and if so how?

Give LazySignup a try.

I used that on one of my side-projects for a while, but development has slowed. In the end I decided to just put my users through a no-email-required signup which did not affect conversions.

Good luck!

Unfortunately, this (above) directly conflicts with your desire below.

Regular email is not secure. The concept of an “Account” exists for a reason.

Either:

  • You have some type of account that allows an individual to authenticate themselves to the system (prove that they are who they claim to be) - whether it’s an ID/password credential pair or a challenge/response - it doesn’t matter.
    or
  • Anyone who has the link can access it, because the system isn’t making any attempt to prove that the person using the link is the person who is supposed to use the link.

Keep in mind that a person doesn’t necessarily need to be the “agent” that creates the User object. That can be automated. But you still need something allowing the person attempting to use a link to prove that they’re the “right” person.

@KenWhitesell I realise there are vulnerabilities with email signup, and in this case, I don’t think it matters if somebody else gets hold of the link - what they can do (change a single status) is minimal - I simply want a convenient workflow for somebody to do that without having to sign up for an account.

Also, I phrased that badly - when I said “anybody that gets hold of the link”, I meant the URL to update that view - i.e. I want some auth on that view rather than leaving it open for just anybody to type appview/update/1/ and get to the first record. I wasn’t referring to the auth link in the email there. I should have been clearer there, sorry.

I mean, I’m using email auth to verify a new user’s mail address (which I’m using as the main user ID), so I guess somebody could already pretend to be somebody they’re not during that process if they’re able to intercept mails …

That looks like it might do the trick, thanks!!