Validate the Authenticity of a User For Site Subscriptions - asp.net

I have a web application that creates user accounts, but I would also like to have the ability to have users that can sign up for subscriptions without accounts. All they have is a subscription page to modify email settings and enable the newsletter subscription.
My questions is how do I verify that the user is who they say they are without a username/password, and my second is how should they access this page. I dont want just anyone typing in the url with the email and access subscription settings for that user.

For each user entry you create a unique access code that you use in the url in order to validate that this is the user you want.
The subscription form will give these options:
subscribe by filling in your email
request to change your settings by just putting your email to another field
both action will send an email to you with a special url
the first to validate that this is made by you so you will enable this user & his email
the second to send him another special url to make any changes to his settings in the case that this use is active in your database.
For this unique code you can use md5 of his email with a timestamp when he was registered.

Related

Firebase Authentication Provider for a User changed automatically to E-Mail. How to change back?

In a Firebase project, I have activated multiple sign-in methods (e-mail, Google, and Microsoft), which all work fine. I also have it activated to only allow one account per e-mail address.
The problem arises when a user successfully signs in via Google or Microsoft, then signs out and then signs in via e-mail, using the same e-mail address as before using Google or Microsoft. Then his account type changes to e-Mail and it seems like a no way back.
Is there a way to change user account types from e-mail back to Microsoft or Google?
Your code must have different functions written for different signin's. When the user first logs in, store his login method on firestore. You can get this from the signin function triggered or simply by the button user clicked. Then during each login add a check that if user exists and user's current signin method is not the same as the one stored on firestore, notify the user to use the correct one.
Or you can let the user signin using whatever they please but ultimately in your code, the function which is triggered will tell you the current signin method and you'd have the first/previous method stored. So you can do stuff accordingly.
What you are writing in question seams not how it works. When you sign in using Google provider your email is verified automatly and if you try to sign in using same email authentication will throw error that account with that email allredy exists.
If you created first account using email and password and didn't verify your email addres then if you sign in using google provider with same email address in it, email and password provider will gone because of was not verified and you wont be able to login using email end password unless you will setup a new password for this email.
If email was verified and you sign in using google provider with same email address. This provider will be added to providers array and you will be able to login using email and password and google provider.
To add multiple providers to your accaunt you can use linkWithPopup() function. If you created accound with diferent email address and want to be able to log in on this account with provider who has diferent email address for example.

Firebase subaccounts

I'm currently building a POS/Store admin app, when a user gets into my app, the Owner of the store will then be asked to login only once for setup purpose (e.g. a new machine), the app will then display a list of staffsName that has already been added by this owner, and then everytime a staff wants to start a new transaction, he/she will only need to click on his/her name, then enter his/her 4-digit pincode to 'login' and process the transaction.
How do i go about achieving this?
I was thinking of using firebase auth for the 'login' of the staff, but then when i log in using the staff credential, I will lose access to the uid of the owner, which is needed to access the owner's store data such as his/her products.
i'm also thinking of using firestore to store the 4digit pincode, but then i'm also concerned about security
There are multiple ways you can approach this, one where you utilize the email login by simply appending a fake domain to the username to create a valid email domain. This user account could be the designated 'user' in question, or utilize credentials inside custom claims or hidden in a database that allows the client or server (depending on your preference) to then log in as the user.
Moreover if you want the manager to login once you can add Authentication State Persistence to specify whether a signed in user should be indefinitely persisted until explicit sing out, page reload etc.
Another approach requires the user also to have a valid auth that is not an email password and you link your pin auth to that main account with Firebase Auth Linking per the documentation: https://firebase.google.com/docs/auth/web/account-linking.
This does however require that the user be registered from an auth provider such as Google, Twitter, Apple, etc. then the user will have to activate this link by logging in for authentication purposes. This can in theory be automatically generated and processed without the user knowing.
It is a long way around it since this is essentially a custom solution but it does create the flow you are looking for without having to use a custom auth provider.

Creating WordPress account based on email only submit

Is it possible to create a WordPress account for users who submit an email (no password or username) through an email collection form?
I am looking at sending the user a link to their email to set a password and setup the account in full. The use case is content locking to signed up/logged in users without requiring them to go through the full sign up process. Thanks
I would recommend one of two options: 1) search wordpress.org for a frontend user registration form that may allow you to customize the password options or 2) simply use a generic form or subscription plugin to collect user info, create the new user on the backend manually and then send them an email with a link to change their password

How to login a new user by default after mail Invite in Meteor?

I have a requirement where I need to log in a new user to a Meteor application by default, and take the user to the reset password route after that.
I looked into this documentation, but I don't think it would apply here, because the password is not known. Here's my use case in detail :-
A user invites another new user by providing the invited user's email ID. The application sends email invite to the user, asking them to be taken to a route which normally requires logging into the application.
The new user who receives the email invite, is not yet signed up with the application. So, they need to pick a password to log in to the invited area of the application.
Currently, I am using the meteor-useraccounts:core package; to trigger the resetPasswd route for FlowRouter. Using the onSubmitHook, one can redirect the user to the proper location after successful reset of the password.
However, I am not able to figure out how to first log in the user automatically. Because if the user is not logged in, the reset password page won't open. Instead, it would show some error, indicating unauthorized action.
How could a link be sent via mail to the invited user, which would automatically log in the user?
I looked into this documentation, but I don't think it would apply
here, because the password is not known.
That is right, and because of that, in order to achieve that you have to create an account for that e-mail at the time the user enters a link sent by e-mail. Or create the account at time of invitation.
So possible solutions:
1) create an account for an e-mail provided in query (http://app/login?email=blabla#google.com) for a route, random password, reset password e-mail sent immediately after the login. (create login automatically login the user). That would also required some security key, so that no-one could create lots of accounts on different e-mail addresses.
2) create account at time of invitation, take random password and send it as a query parameter of the link sent to the invited user. When user enters the site, you take that password (and e-mail) and login him with that, and immediately send reset password for that e-mail

Forms Authentication - How to verify username and pwd of inactive user?

I'm using forms authentication for an app that allows users to register but not active. We will send out an activation code via snail mail (long story) and the user can return with that info and activate their account.
I want to create a page where the user can come back and enter their username, password and generated key to activate the account. The key I have stored in another table and I plan to generate it. I'm having trouble verifying the username and password with an inactive account. I've tried Membership.ValidateUser(username,password) and it fails but if I activate the account, it works.
Ideas on how to check this?
Activate the account first.
If you are sending them the activation code in an email, have a anonymous access page which receives the activation code from the email (perhaps via querystring), activates the account, and redirects them to a login page with forms authentication activated (assuming the username and password are already created).
If the access code is invalid and fails, you can optionally deactivate the account.
I would not set IsActive = false. That is for disabling an account, preventing any type of login. Instead, I do not see a problem leaving them with the ability to login. I would use a Membership Role to specify when a user is verified. I.e. "Verified".
If they have not activated their account and attempt to login, you simply check to see if they have the Verified role. If not, redirect them to a page of "You account is not yet activated. Please wait for snail mail". Or a "Please enter your verification code below." message.
When they do finally enter the proper verification code from snail mail, you simply add them to the Verified role.
This gives you the control of allowing them to login and "check" the status of their account. And, resolves your IsActive issue.

Resources