feat(guests controller): make email mutable #99

Merged
merged 1 commit into from
Sep 1, 2021

Member

@stakach stakach commented Aug 30, 2021

resolves #95
making it nilable is not really possible given the design.
The entry should be deleted or a dummy email assigned

@kimburgess
Contributor

Hmmmm, this may get messy. It looks like some of the approach to security here relies on these addresses being immutable:

if user_token.scope.includes?("guest") && (guest.email != user_token.id)

@kimburgess
Contributor

What's the lifetime on those auth tokens? IIRC there are use cases where these can be longer lived (in an email etc).

Could an alt approach be to keep a list of emails so history is preserved? An accessor would then return either the head/tail of this, or some form of symbolic value / a placeholder address if one is not known (empty list), solving the nilable use case. Auth checks can then also walk this so that previously issued tokens would remain valid if these are the only keys.

Would still need to take some care to ensure there isn't the ability to claim another guest's email (and associated privs) though.
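
Added example, not part of the original thread or the project's code: a Crystal illustration of the email-history approach suggested in the comment above, with the guest-scope check walking the history and an email change refusing any address held by another guest. The names `Guest`, `GuestStore`, `PLACEHOLDER` and `forbidden?`, and all addresses, are assumptions made for the illustration.

```crystal
# Added illustration; Guest, GuestStore, PLACEHOLDER and forbidden? are hypothetical names.
PLACEHOLDER = "unknown@guest.invalid" # constructed placeholder address

class Guest
  getter emails = [] of String # oldest first, current address last

  # Current address, or the placeholder when none is known (empty list).
  def email : String
    emails.last? || PLACEHOLDER
  end

  # Any address this guest has ever held keeps its issued tokens valid.
  def owns?(address : String) : Bool
    emails.includes?(address.downcase)
  end
end

class GuestStore
  @guests = [] of Guest

  def add(email : String? = nil) : Guest
    guest = Guest.new
    @guests << guest
    change_email(guest, email) if email
    guest
  end

  # Refuse an address found in another guest's history, so nobody can
  # take over the tokens (and privileges) issued against it.
  def change_email(guest : Guest, address : String) : Bool
    address = address.downcase
    return false if address == PLACEHOLDER
    return false if @guests.any? { |other| !other.same?(guest) && other.owns?(address) }
    guest.emails.delete(address)
    guest.emails << address
    true
  end
end

# Counterpart of the quoted check: true means the request is rejected.
def forbidden?(scopes : Array(String), token_id : String, guest : Guest) : Bool
  scopes.includes?("guest") && !guest.owns?(token_id)
end

store = GuestStore.new
alice = store.add("alice@example.com") # constructed sample data
bob = store.add
store.change_email(alice, "alice@corp.example")
puts forbidden?(["guest"], "alice@example.com", alice) # token issued to alice's earlier address
puts store.change_email(bob, "alice@example.com")       # bob requesting an address from alice's history
```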

@stakach
Member Author

stakach commented Aug 30, 2021

Yeah, those tokens last until the meeting the guest is invited to ends
This is why they were not mutable in the first place

We can protect the email field from modification if there are any upcoming visits?
(which prevents edits by the guest themselves and ensures no broken data)

@jcit1

jcit1 commented Aug 30, 2021

Hi guys,

Yeah if a visitor rocked up and adjusted their email (after we find them with the incorrect email or their mobile) we were going to find the existing events (with old email) and re-add the new email automatically. This would resend out the invite to the correct email with new JWT. Would that not have worked?

@stakach
Member Author

stakach commented Aug 30, 2021

yeah, that should work without this logic - so we can probably ignore this and close the issue?

@stakach stakach merged commit d1dda5f into master Sep 1, 2021
@stakach stakach deleted the make-guest-email-mutable branch September 1, 2021 04:10
Development

Successfully merging this pull request may close these issues.

Support nilable, mutable guest emails