Generate access token in a rule to get user info after redirect

I used rules to redirect all unverified users to a custom page that asks to verify email.
To show the user’s email I used a query param:

context.redirect = {
  url: `${configuration.WEBSITE_URL}/email-verification?email=${encodeURIComponent(user.email)}`
};

Is there a way to generate an access token that will allow fetching information for one particular user?
Because I don’t want to use query parameters for security reasons.

Instead, I want to use something like:

const token = genToken(user.user_id);
context.redirect = {
  url: `${configuration.WEBSITE_URL}/email-verification?token=${token}`
};

Try to use a post-login action instead of rules; with that you can do this securely.

action-redirect


Teamwork makes the dreamwork!

Do you mean something like this?

Do you maybe know a way to do the same from rules?
Because we have a lot of code and it will not be easy to transfer all of it into actions.

I am not 100% sure, but I think you can’t do this with rules. But in your case, if you can decouple the redirection-related logic from the current rule and put it into an action, it will be a secure approach.

Because in our example we are doing the same thing with actions. And if you really want to use rules, just throw an access denied error and handle the logic yourself.
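What the `genToken(user.user_id)` idea from the question could look like, as an added example that is not part of the thread and not Auth0's own API: a short-lived HMAC-signed token carrying only the user id, so the email never appears in the redirect URL. `verifyToken`, the shared secret and the 5-minute lifetime are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not part of the Auth0 Rules/Actions API.
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sign = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest();

// Rule side: issue a short-lived HS256 JWT whose only identifying claim is
// the user id, so the email address is never placed in the URL.
function genToken(userId, secret, ttlSeconds = 300, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: userId, iat, exp: iat + ttlSeconds }));
  const sig = b64url(sign(`${header}.${payload}`, secret));
  return `${header}.${payload}.${sig}`;
}

// Website side: return the user id, or null for anything malformed,
// tampered with, declaring another algorithm, or expired.
function verifyToken(token, secret, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = sign(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, 'base64url');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
    if (alg !== 'HS256' || typeof claims.sub !== 'string') return null;
    if (typeof claims.exp !== 'number' || claims.exp <= Math.floor(now / 1000)) return null;
    return claims.sub;
  } catch {
    return null; // header or payload was not valid JSON
  }
}

// Constructed sample values.
const SECRET = 'constructed-demo-secret-not-for-production';
const demoToken = genToken('auth0|constructed-user-id', SECRET);
console.log(verifyToken(demoToken, SECRET)); // auth0|constructed-user-id
```

The website's backend would call `verifyToken` and then look up the email for the returned user id server-side; the secret must be stored on both sides and never sent to the browser.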
