Secure Deeplink for setting password.

I am sending a link in an email to set the initial password for a newly added user. What is the best way to secure this link, as the link is easy to predict and the password can be set if the username is known?
asked

1 answer

One approach is to create an entity with a GUID string attribute you can use in the URL of the deeplink. This will be (almost) impossible to guess as it won’t be sequential. You can use the RandomHash action in the Community Commons module on the Marketplace to generate this value. You can then associate this entity to the user.

e.g. https://myapp.com/link/setup/87adf985-c9e7-4e53-bb0f-4de9f4e44b12

Where “setup” is the name of the deeplink, and “87adf985-c9e7-4e53-bb0f-4de9f4e44b12” is the value of the GUID.

When the link is visited, use the GUID to see what user it is associated with, and carry on as you were before.

Once the user has set their password, you can remove the association to the entity so the link no longer works.

Hope this helps.

answered
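The flow the answer describes (a random, non-sequential value stored against the user, looked up when the link is visited, and detached once the password is set) as an added worked example. This is not Mendix code and not part of the original answer: it is a plain-Python sketch with an in-memory store standing in for the entity, `secrets.token_urlsafe` standing in for the Community Commons RandomHash action, and the `https://myapp.com/link/setup/...` URL shape from the answer. It goes a little beyond the answer in three places a practitioner would want: only a SHA-256 digest of the value is stored (so a database read does not leak live links), each link expires, and issuing a new link for a user supersedes the older one.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class SetupToken:
    """One password-setup link bound to a user (constructed in-memory record)."""
    username: str
    token_hash: str      # SHA-256 hex digest of the token; the raw token is never stored
    expires_at: float    # epoch seconds after which the link is dead
    used: bool = False   # flipped on first successful redemption (single use)


class PasswordSetupLinks:
    """In-memory stand-in for the 'entity associated with the user' in the answer."""

    def __init__(self, base_url: str, ttl_seconds: int = 24 * 3600,
                 clock: Callable[[], float] = time.time):
        self.base_url = base_url.rstrip("/")
        self.ttl = ttl_seconds
        self.clock = clock              # injectable so expiry can be tested deterministically
        self._by_hash: Dict[str, SetupToken] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Create a fresh link for a user; any earlier unused link for that user is retired."""
        for rec in self._by_hash.values():
            if rec.username == username and not rec.used:
                rec.used = True
        # 32 bytes from the OS CSPRNG, URL-safe base64: unguessable and not sequential,
        # which is the property the answer gets from a GUID / RandomHash.
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self._by_hash[digest] = SetupToken(
            username=username,
            token_hash=digest,
            expires_at=self.clock() + self.ttl,
        )
        return f"{self.base_url}/link/setup/{token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the username if the link is valid and consume it; otherwise None."""
        rec = self._by_hash.get(self._hash(token))
        if rec is None:
            return None                      # unknown value: nothing to associate it with
        if rec.used or self.clock() > rec.expires_at:
            return None                      # already consumed, or past its lifetime
        rec.used = True                      # drop the association so the link stops working
        return rec.username


def token_from_link(link: str) -> str:
    """Pull the token back out of a link of the form .../link/setup/<token>."""
    return link.rsplit("/", 1)[1]


if __name__ == "__main__":
    links = PasswordSetupLinks("https://myapp.com", ttl_seconds=3600)
    link = links.issue("alice")
    print("emailed link:", link)
    tok = token_from_link(link)
    print("first visit  ->", links.redeem(tok))    # alice
    print("second visit ->", links.redeem(tok))    # None, link is single use
```

In a real deployment the `SetupToken` records live in the database, the lookup happens in the deeplink's microflow or handler, and the password-set page only renders when `redeem` returns a user. The digest-at-rest choice means a leaked table dump does not hand out working setup links; the TTL bounds how long an unread email remains a risk.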