I've been trying for a few days and couldn't really find answers about what I'm trying to do.
Take the example of a registration where a link to confirm your email is sent, and then when the link is clicked the account is confirmed.
I want to achieve this to do a kind of validation for announcement publication.
I tried taking the example of the Symfony verify email feature, but in this case it's using the authenticated user when the link is clicked. In my case, the person clicking the link doesn't have an account on the website and shouldn't be authenticated.
How could the mail link, when clicked, change a boolean in the database, like 'is_confirmed' from 0 to 1 without needing a user authenticated?
Thanks
CodePudding user response:
You're still going to need to authenticate, but you'll do it with a one-time token instead of a userid and password. For each message:
- Generate a unique unguessable string, like a UUID v4.
- Generate an expiration timestamp for however many minutes/hours/days in the future you want the token to be good for.
- Save the token and the expiration timestamp in the db so it's associated somehow with the record in question. This might mean adding two columns to an existing table, or creating a new join table.
- Generate an email to the recipient, including a link that has the token embedded in it, like http://example.com/approve?token=whatever or http://example.com/approve/whatever
- Create the /approve page. Configure it to not require any traditional Symfony authentication. It should then:
  - Look up the token that was provided.
  - Verify that the associated timestamp isn't expired yet.
  - Perform whatever process you want to occur.
  - Wipe the token and the expiration from the db.
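The steps above, as an added Symfony/Doctrine example that is not part of the question or answer. It assumes an `Announcement` entity with `approvalTokenHash`, `approvalExpiresAt` and `isConfirmed` fields (with the matching setters/getters), the route name `announcement_approve`, and a 24-hour lifetime; all of these are assumptions. One choice it makes beyond the answer: it stores a SHA-256 hash of the token rather than the token itself, so a copy of the database row is not enough to use the link.

```php
<?php
// Added example, not code from the question or answer. Entity, field and
// route names below are assumptions for illustration.
namespace App\Controller;

use App\Entity\Announcement;   // assumed entity: approvalTokenHash, approvalExpiresAt, isConfirmed
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Uid\Uuid;

final class ApprovalController extends AbstractController
{
    // How long a link stays valid (assumed value).
    private const TOKEN_TTL = 'PT24H';

    // Steps 1-4 of the answer: mint a token, store only its hash plus an expiry,
    // and return the absolute URL to put in the e-mail. Call this wherever the
    // announcement is created.
    public function createApprovalLink(Announcement $announcement, EntityManagerInterface $em): string
    {
        $token = Uuid::v4()->toRfc4122();   // 122 random bits: unguessable

        // Store a hash, not the raw token, so a leaked DB row cannot be replayed.
        $announcement->setApprovalTokenHash(hash('sha256', $token));
        $announcement->setApprovalExpiresAt(
            (new \DateTimeImmutable())->add(new \DateInterval(self::TOKEN_TTL))
        );
        $em->flush();

        return $this->generateUrl(
            'announcement_approve',
            ['token' => $token],
            UrlGeneratorInterface::ABSOLUTE_URL
        );
    }

    // Step 5: the public endpoint. Keep it outside firewall authentication, e.g.
    // in security.yaml access_control:  - { path: ^/approve, roles: PUBLIC_ACCESS }
    #[Route('/approve/{token}', name: 'announcement_approve', methods: ['GET'])]
    public function approve(string $token, EntityManagerInterface $em): Response
    {
        // Look up by hash; the raw token never reaches the database or its logs.
        $announcement = $em->getRepository(Announcement::class)
            ->findOneBy(['approvalTokenHash' => hash('sha256', $token)]);

        // One response for unknown, expired and already-used tokens, so the
        // endpoint does not reveal which case applies.
        if ($announcement === null
            || $announcement->getApprovalExpiresAt() < new \DateTimeImmutable()) {
            return new Response('This confirmation link is invalid or has expired.', Response::HTTP_NOT_FOUND);
        }

        // Do the actual work, then burn the token so the link is single-use.
        $announcement->setIsConfirmed(true);
        $announcement->setApprovalTokenHash(null);
        $announcement->setApprovalExpiresAt(null);
        $em->flush();

        return new Response('Announcement confirmed.');
    }
}
```

Because the token is wiped in the same flush that sets `isConfirmed`, a second click on the same link falls into the "invalid or expired" branch. Some mail clients and security gateways fetch links in incoming mail before the recipient opens them; if that matters for your announcements, have the GET page show a confirm button and move the state change into a POST handler.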