Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 lib
Octocat-spinner-32 rails
Octocat-spinner-32 spec
Octocat-spinner-32 .document
Octocat-spinner-32 .gitignore
Octocat-spinner-32 LICENSE
Octocat-spinner-32 README.textile
Octocat-spinner-32 Rakefile
Octocat-spinner-32 VERSION
Octocat-spinner-32 active_url.gemspec
README.textile

ActiveUrl

Like many Rails websites, my first production Rails site needed user sign-ups. I wanted to have this work in a way that allowed a user to register only after confirming their email address.

The way to do this is with secret URLs.These are URLs that contain an encrypted string and are effectively impossible to guess. By sending a secret URL to an email address, if the URL is subsequently accessed, that’s pretty much a guarantee that the email was received, since there’s no other way that URL could have been obtained. (Check out the Rails Recipes book, which has a good chapter explaining secret URLs.)

Introducing the ActiveUrl Gem

As a first attempt at contributing to the Rails community, I’ve extracted my site’s secret URL functionality into a gem. Since it’s used in a similar fashion to ActiveRecord, I’ve called it ActiveUrl.

How is my implementation distinctive? Basically, it’s database-free. You don’t need any new database tables or fields to use it, since all the relevant information is persisted in the URL itself. All you need to do to hide a page behind a secret URL is to nest its route beneath an ActiveUrl object that the library provides. Neat!

Installation & Usage

First, install the gem:

gem sources -a http://gemcutter.org
sudo gem install active_url

In your Rails app, make sure to specify the gem dependency in environment.rb:

config.gem "active_url", :source => "http://gemcutter.org"

Specify a secret passphrase for the library to perform its encryption. You can set this by adding an initializer (say active_url.rb) in your config/initializers directory. This will just set the secret passphrase for your app (you might not want to check this into your source control):

ActiveUrl::Config.secret = "my-app-encryption-secret"

To generate secret URLs in your Rails application, simply inherit a model from ActiveUrl::Base, in the same way you would normally inherit from ActiveRecord::Base. These objects won’t be stored in your database; instead they will be persisted as an encrypted ID and placed in an URL given only to that user (typically by email).

class Secret < ActiveUrl::Base
  ...
end

The following class methods are available for your model:

  • attribute(*attribute_names) [sets attributes on your model];
  • belongs_to(model_name) [sets a “foreign key” attribute and an association method];
  • attr_accessible(*attribute_names) [allows mass-assignment of attributes]
  • validations: most of the ActiveRecord validations are available on the attributes you set;
  • after_save(callback_name) [sets a callback to be run after the object is persisted];
  • find(id) [finds an object from the specified ID, which will be extracted from an URL].

Save your object by using the ActiveUrl::Base#save method—this will run any validations and generate the encrypted ID if the validations pass. (You will usually use this method in your model’s controller.)

In your controllers which deal with ActiveUrl models, you’ll want to deal with the case of an invalid URL; usually just to render a 404. This is easily done using rescue_from in your application controller:

rescue_from ActiveUrl::RecordNotFound do
  render :file => "#{Rails.root}/public/404.html", :status => 404
end

Example: Confirming an Email Address

The typical use case for this example is the verification of an email address provided by a someone signing up to your website. You want to check that the address is valid by sending an email to that address; the user must follow a secret URL in the email to confirm they received the email.

Registration Model

We don’t want to create a User model until the email is confirmed, so instead we’ll use a ActiveUrl::Base model. This is what will be created when a user registers:

class Registration < ActiveUrl::Base  
  attribute :email, :accessible => true
  validates_format_of :email, :with => /^[\w\.=-]+@[\w\.-]+\.[a-zA-Z]{2,4}$/ix
  validate :email_not_taken
  
  after_save :send_registration_email
  
  protected
  
  def email_not_taken
    if User.find_by_email(email)
      errors.add(:email, "is already in use")
    end
  end
  
  def send_registration_email
    Mailer.deliver_registration(self)
  end
end

Going through this step-by-step:

  1. First, we set our email attribute using attribute :email, which generates setter and getter methods for the attribute.
  2. Next, validate the email address so it at least looks right (validates_format_of :email).
  3. We also want to check that a user has not already signed up with that email address, so we add a custom validation (email_not_taken) which adds an error if a User with that email address is found.
  4. Finally, we set an after_save callback to actually send the registration email when the model is saved. In the mailer method, we pass in the object so that we know what email address to send to and what secret URL to use.

Routes

Next, let’s set up our routes to allow user creation only via an email confirmation. In routes.rb the relevant routes would be:

map.resources :registrations, :only => [ :new, :create ] do |registration|
  registration.resources :users, :only => [ :new, :create ]
end

Registrations Controller

To allow a user to register, create a registrations controller with just two REST actions, new and create. The controller is entirely generic, as it should be:

class RegistrationsController < ApplicationController
  def new
    @registration = Registration.new
  end

  def create
    @registration = Registration.new(params[:registration])
    if @registration.save
      flash[:notice] = "Please check your email to complete the registration."
      redirect_to root_path # or wherever...
    else
      flash.now[:error] = "There were problems with that email address."
      render :action => "new"
    end
  end
end

When the create action succeeds, the registration object is saved and the registration email sent automatically by its after_save callback.

Registration View

In the new.html.erb view, the registration form would look something like:

<% form_for @registration do |form| %>
  <div>
    <%= form.label :email %>
    <%= form.text_field :email %>
  </div>
  <div>
    <%= form.submit "Register" %>
  </div>
<% end %>

Mailer

Finally, we set the mailer to deliver a registration email to the supplied email address:

class Mailer < ActionMailer::Base
  def registration(registration)
    subject    "Registration successful"
    recipients registration.email
    from       "admin@website.com"
    
    body       :registration => registration
  end
end

The registration object is passed through to the email template, where we use it to get the email address and also to generate the new user URL. Since the URL is secret, if it is subsequently accessed then we know that whoever is accessing it was able to read that email. Thus we have confirmed the email address as a real one, which is what we wanted.

The email template might look something like:

Hi <%= @registration.email %>,

Thanks for registering! Please follow this link to complete your
registration process:

<%= new_registration_user_url(@registration, :host => "website.com") %>

Thanks!
website.com

The secret URL generated in the email would look something like:

http://website.com/registrations/yAfxbJIeUFKX9YiY6Pqv0UAwufcacnYabEYS7TxTgZY/users/new

User Model

In our User model, we want to make sure the email address cannot be mass-assigned, so be sure to use attr_protected (or even better, attr_accessible) to prevent this:

class User < ActiveRecord::Base
  ...
  attr_protected :email
  ...
end

Users Controller

Now let’s turn our attention to the users controller. We access the new and create actions only via the nested routes, so that we can load our Registration object from the controller parameters. We’ll use the ActiveUrl::Base.find method to retrieve the registration object, and then set the user’s email address from it:

class UsersController < ApplicationController
  def new
    @registration = Registration.find(params[:registration_id])
    @user = User.new
    @user.email = @registration.email
  end

  def create
    @registration = Registration.find(params[:registration_id])
    @user = User.new(params[:user])
    @user.email = @registration.email
    if @user.save
      flash[:notice] = "Thanks for registering!"
      redirect_to @user # or wherever...
    else
      flash.now[:error] = "There were problems with your information."
      render :action => "new"
    end
  end
end

New User View

The exact contents of the user creation form will depend on our User model, among other things. Notably however,it will not include a field for the email address, since we’ve already obtained the email address from the registration object and we don’t want the user to be able to subsequently change it. (It’s probably advisable to include the email address in the form’s text though, for the sake of clarity.)

The new user form might look something like this:

<% form_for [ @registration, @user ] do |form| %>
  <div>
    Please enter new user details for <% @user.email %>.
  </div>
  <div>
    <%= form.label :name %>
    <%= form.text_field :name %>
  </div>
  <!-- ... other user fields here ... -->
  <div>
    <%= form.submit "OK" %>
  </div>
<% end %>

Example: Resetting a Lost Password

Let’s take a look at another application of the library – implementing a “reset password” function. Basically, we want to allow an user to change his/her password without logging in. We’ll achieve this by sending the secret URL to the user when they submit a “forgot your password?” form.

Again, the basic idea is to hide the password-editing page behind the secret URL. The password-editing page will not be protected by the usual authentication requirements; instead, the knowledge of the secret URL is what authenticates the user.

Model

Let’s first take a look at an ActiveUrl model for the secret URL. We want to create an instance from an email address, which is what the user will still know once the password is forgotten. We could declare an email attribute as in the previous article, but the only thing our model really needs is a reference to a user, which we can derive from the email.

For this purpose, we’ll use the belongs_to feature of ActiveUrl. This is a quick-and-dirty mirror of the corresponding ActiveRecord feature. (Its only purpose though is to relate a secret URL to an existing database record, so it’s only got the bare minimum of functionality.) Let’s use it:

class Secret < ActiveUrl::Base
  belongs_to :user
  validates_presence_of :user
  
  attr_reader :email
  attr_accessible :email
  
  def email=(email)
    @email = email
    self.user = User.find_by_email(email)
  end

  after_save :send_email
  
  protected
  
  def send_email
    Mailer.deliver_secret(self)
  end
end

Attributes

We’ve set the email as a virtual attribute_, just as we might for a normal ActiveRecord object. In addition to setting an instance variable, the email setter method also sets the user. The Secret#user= method is generated by the belongs_to association. (user_id=, user and userid methods are also generated.)

We can see what attributes are stored in the model, and what can be written by mass-assignment:

Secret.attribute_names
# => #<Set: {:user_id}>

Secret.accessible_attributes
# => #<Set: {:email}>

In other words, the only attribute stored in the model is the user id, but that id can only be set by setting the email.

User.first
# => #<User id: 1, email: "name@example.com", ... >

secret = Secret.new(:user_id => 1)
secret.user_id
# => nil

secret = Secret.new(:email => "name@example.com")
secret.user_id
# => 1

Validations

A validation, validates_presence_of :user, ensures that an existing user is found for the given email address. The object won’t save (and the email won’t get sent) if there’s no user with that email address.

(n.b. If you want to use the Rails error markup in your form, you might want to set an error on email instead.)

Callbacks

Finally, note the after_save callback. It’s a method which sends the secret URL to the user in an email, and it will get called when the controller successfully saves the object.

Routes

Our routes are pretty simple. We only want to be able to create secrets, so we’ll just have new and create routes. Nested under a secret, we want some routes for changing the user’s password. This could be arranged in a few different ways, but let’s put the password-changing actions in their own controller:

map.resources :secrets, :only => [ :new, :create ] do |secret|
  secret.resources :passwords, :only => [ :new, :create ]
end

Controller

As always, we strive for generic controllers, and we pretty much get one here:

class SecretsController < ApplicationController
  def new
    @secret = Secret.new
  end
  
  def create
    @secret = Secret.new(params[:secret])
    if @secret.save
      flash[:notice] = "Please check your email for a link to change your password."
      redirect_to root_path # or wherever...
    else
      flash.now[:error] = "Unrecognised email address" # if you want to disclose this...
      render :action => "new"
    end
  end
end

Of course, there’s also a PasswordController, which will contain the actions for changing the user’s password. (The user to edit will be obtained from the secret, which in turn will be found from params[:secret_id].) Its implementation will depend on the User model. Since these actions are hidden behind the secret URL, we’d want to skip the normal user authentication filters for the actions.

View

How does the user actually request a password reset? By submitting his/her email address in a form. Link to this form on the login page:

<%= link_to "I forgot my password", new_secret_path %>

The form itself just asks for an email address:

<% form_for @secret do |form| %>
  <p>
    OK, so you forgot your password.
    No problems! Just enter your email address.
    We'll send you a link to change your password.
  </p>
  <div>
    <%= form.label :email %>
    <%= form.text_field :email %>
  </div>
  <div>
    <%= form.submit "OK" %>
  </div>
<% end %>

Mailer

In our mailer we want to send an email containing the secret URL for the password edit action. The ActiveUrl object obtained from the URL contains all we need to know, so we just pass it through to the email template. We send the email to the secret’s associated user:

class Mailer < ActionMailer::Base
  def secret(secret)
    subject    "Change password requested"
    recipients secret.user.email
    from       "admin@website.com"
    
    body       :secret => secret
  end
end

The email template might look something like:

Hi <%= @secret.user.first_name %>,

To change your password, please visit the following link:

<%= new_secret_password_url(@secret, :host => "website.com") %>

(If you did not request a password change, just ignore this email.)

Thanks!
website.com

Expiring the URL

There’s a potential problem with the above implementation though. As it stands, the secret URL is static – the password reset URL for any given user will always be the same. This may or may not be a problem, depending on your security requirements.

It would be nice to have the URL expire once the password has been changed – in effect, to have a single-use URL. This is easily done. We add an attribute to the model containing the current password hash (or the cleartext password, if you store your user passwords in the clear – you shouldn’t):

attribute :password_hash

def email=(email)
  @email = email
  self.user = User.find_by_email(email)
  self.password_hash = user.password_hash if user
end

Then, simply validate the password hash to ensure it’s the same as the user’s:

validate :password_hash_is_current, :if => :user

def password_hash_is_current
  errors.add(:password_hash) unless user.password_hash == password_hash
end

Since ActiveUrl::Base.find only finds valid objects, once the password has been changed, the secret URL won’t validate and an ActiveUrl::RecordNotFound error will be raised. The controller will then drop through to a 404. Easy!

Benefits of ActiveUrl

In other email confirmation schemes, whenever a registration process is initiated, a new user object is created, even before the email address is confirmed. This causes a couple of problems:

  • The user model will need some form of state (to distinguish between confirmed and unconfirmed users).
  • If a registration is initiated but not completed, the unconfirmed record will remain in the database, and will need to be manually removed at a later date.

The ActiveUrl gem overcomes both these problems by persisting all the relevant data to the URL itself, in encrypted form. No database table is needed.

One potential problem with this approach? The URL may become quite long if you store much data in the model. Keep the number of attributes and the length of their names to a minimum to avoid this. Typically, a single attribute or a belongs_to reference is all that’s needed, and produces URLs of modest length.

Copyright © 2009 Matthew Hollingworth. See LICENSE for details.

Something went wrong with that request. Please try again.