Tags: ruby-on-rails, authentication, ruby-on-rails-4, sorcery

Invite system design for Ruby on Rails application


I have a requirement for an authenticated user to be able to send an invite to someone's email address. On clicking this invite, the user would be prompted to sign up, and on completion, would be associated with the same account as the originator.

I am struggling to design a secure mechanism for ensuring the invited user is associated with the intended account, and no other.

(If it's of help, I am using Ruby 2, Rails 4, and the sorcery gem for authentication)


Solution

  • The following works:

    1. Use Sorcery User Activation submodule

    2. On 'invite' action create User (non-active) and attach her to the account. Send invitation email with activation link, e.g. http://example.com/users/:token/activate.

    3. In your users_controller#activate:

    def activate
      user = User.load_from_activation_token(params[:token])
      # ... update user fields, e.g. set password
      user.activate!
    end
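A framework-free sketch of the flow the answer describes, added here as an example (it is not code from the answer or from the Sorcery gem): the inactive user is bound to the inviter's account when the invite is created, the token is the only thing the invitee presents on return, and activation refuses unknown, reused or expired tokens. The in-memory store, the three-day lifetime and the `InviteStore` class are assumptions.

```ruby
require 'securerandom'
require 'time'

# Constructed model of the invite flow: account association is read from
# the record created at invite time, never from a request parameter.
class InviteStore
  TOKEN_TTL = 60 * 60 * 24 * 3 # three days (assumed lifetime)

  User = Struct.new(:email, :account_id, :activation_token,
                    :token_expires_at, :active, :password)

  def initialize
    @users = {} # activation token => User (stands in for a DB index)
  end

  # 'invite' action: create a non-active user already attached to the
  # inviter's account and return the token to put in the activation link.
  def invite(inviter_account_id, email, now: Time.now)
    token = SecureRandom.urlsafe_base64(32) # 256 random bits, unguessable
    user = User.new(email, inviter_account_id, token, now + TOKEN_TTL, false, nil)
    @users[token] = user
    token
  end

  # users_controller#activate: look the user up by token only. Returns the
  # activated User, or a symbol explaining why activation was refused.
  def activate(token, password, now: Time.now)
    user = @users[token]
    return :invalid_token if user.nil? || user.active # unknown or already used
    return :expired if now > user.token_expires_at
    user.password = password          # "update user fields, e.g. set password"
    user.active = true                # user.activate!
    user.activation_token = nil       # token is single use
    user
  end
end
```

Because the account id travels only through the server-side record, a returning invitee cannot be attached to an account other than the one whose member sent the invite.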