Email API for connecting in a marketplace? - javascript

I'm looking into what it would take to add a feature to my site so this is a pretty naive question.
I'd like to be able to connect buyers and sellers via an email message once the buyer clicks "buy".
I can see how I could do this in java script, querying the user database and sending an email with both parties involved. What I'm wondering is if there's a better way I can do this, playing monkey in the middle so they only receive an email from my site, and the it's automatically forwarded to the other party. That way they don't have to remember to hit reply-all, just reply. Also their email addresses remain anonymous.
Again assuming I generate a unique subject line with the transaction ID I could apply some rules here to just automatically forward the email from one party to the other but is there an API or library which can already do this for you?

What you're describing would be handled largely by your backend. If this were my project, I would choose the following simple route:
Store the messages the buyers/sellers send in your own database, then simply send notification emails when messages are sent. Have them reply to each other on your own site, like Facebook and eBay do.
An example flow would go like this:
(Gather the user and buyer's email addresses via registration)
Buyer enters a message and clicks 'Send Message' button on seller's page
Form is posted (via AJAX or via POST) to a backend script
Your backend code generates an email message
Sets the 'To' field to the seller
Your seller gets an email alert of the potential buyer which shows the buyer's message
The Seller then logs on to your site (made easy by a URL in the email) to respond
The Seller enters a response message on your site and hits 'Reply'
Buyer gets an email notification with the message body and a link to your site where they can compose a reply.
...and so on. So, replies would have to be authored on-site, rather than as an email 'reply.'
If you choose to go this route, there are some simple 3rd party "transactional email" providers, which is the phrase you'd use to find them. I've personally used SendGrid and found them easy to set up and use. They have a simple plug in for every major framework. There is also Mandrill, which is newer but gets good reviews as well.

Related

Firebase - Send Password via Email after User Account Creation

I am working on a college app in which only the administrator has the right to create user accounts. On successful User Account creation, the user gets an email with his user email and password as plain text.
I am already familiar with the email verification and password reset mail in firebase but I am not allowed to do that.
I already looked at answer to this question: Send User Password via Email with Firebase but it is very less helpful as the answer provided is complicated to understand.
So all I want is the password to be sent via email whenever a user is created.
PS: I am working with Web Interface (JavaScript). How do I do that? It would be even nice if I get help with some code chunks included.
You can achieve this using firebase cloud functions following the steps below
Setup Admin SDK following the documentation https://firebase.google.com/docs/admin/setup
Add a Firebase Authentication Listener https://firebase.google.com/docs/functions/auth-events
You can send mail with sendgrid See this article
If you want to really get familiar with cloud functions you can start here

Is there any way to get the email address of the one who clicked the link on outlook

I developed an application in which all the processes of organization is going to be handle online .
There are some processes which were run manually and it took time , now it is going to approve or disapprove online.
Let say there is an document who is going to be approved by HR ---> ADMIN ---> CEO.
Now when some one initiate a request application send two links to HR manager which is approve or disapprove , and HR can perform their action by clicking those link.
What is happening it if HR manager send this links to someone else , SO , That person can also approve or disapprove the process , although he is not the right person to do.
I can stop it by implementing authentication process on those two links , Than every authority must have to login in the application . which i don't want.
Is there any way that i can pick the email id of the person who click that link , so i can compare the email address on back end ?
As I see it you have 3 possible ways of doing this:
1: Implementing an authentication process
This is the best approach in my opinion as you can be sure that the person who should approve the process is the person actually approving it.
The con with this approach is that the users will have to log in, but you could implement this in such a way that they rarely have to, for example they could stay logged in for one a month or longer.
2: Using a link with a one time token
This is basically the approach you mentioned with the con that you mentioned, namely that someone can just forward the email and someone else can then approve it.
The only way in your case for this to work is if it's enforced from the top down, as in management could impose a penalty if such an email is sent to someone else. But this is rarely a good strategy and would be difficult to enforce.
3: Approve and Disapprove with a reply email
I think this approach might be the closest to what you're looking for, but as a disclaimer I've not tested something like this before.
You could setup the links in such a way that clicking on them will open a new mail screen with certain things populated, for example you could populate the subject and the address to send the mail to.
Example link: Approve
Then within the system you're creating you'll have to monitor that mailbox and then parse any email received, using the from address to validate if the correct person has sent the email.
A big note with this approach is that the from address in an email can easily be spoofed, so if you want to take this approach, I'd recommend at least adding some sort of random token in the email as well that will be validated on the back end.
Even with the unique token, there exists another vector of attack, although it would take some work. Let's say the system sends a mail to Alice because she needs to approve or disapprove something, she forwards the mail to Bob. Bob can't click on the link and send the email as is, because the system will see that it came from his email address, but what Bob can do is click on the link to see what the subject should be, and then spoof Alice's email using a spoofing site. The system would then see everything as in order because it will look like the email came from Alice.
Example spoofing site: https://emkei.cz/

How do I use the Reddit API to log a user in or register them in Spark and Javascript?

My project team and I are currently working on a Single Web Application project using Java Spark in the back-end and Javascript, HTML and CSS (with Bootstrap) in the front-end. We use MySQL as our DBMS.
We're trying to make a system to log a user on Reddit in to our site. We need Reddit to get a user's karma and not manage passwords and usernames ourselves.
We're using Reddit's OAuth API in order to ask for a token, and Reddit then redirects the user to our website again.
We've made a button on our website to log the user in.
What we're trying to achieve is:
The user clicks the log-in button.
The user gets redirected to the Reddit login page and needs to give permission to us to use their Reddit account with a few permissions.
The user accepts the request and then gets redirected to our website. The Reddit API sends a GET request to localhost/login and appends the state and Reddit token to the link (so the link becomes localhost/login?state=STATECODE&code=REDDITTOKEN).
In the back-end (Spark/Java), we catch that GET-request and extract the state and code. We then send the code to Reddit to get a JSON with the user's data (such as comment karma, link karma and username) using https://oauth.reddit.com/api/v1/me.
The back-end then checks if the username is already in our User table. If it is, the user already registered, and the user gets redirected to the mainpage and gets logged in. (We do log-ins by assigning session IDs to users in out User table.)
If, however, the usernameis not yet in our database, then the user gets redirected to the registration page/section of our website, and in some way, the username and karma-values are passed to this page.
The user then fills in the remaining details about their account (email, address, age, etc.) and then clicks on register. This then sends a POST-request to our server with all the details (username, comment karma, link karma, email, address, age, etc.) and puts that user in our Database. The user then gets logged into our website and gets redirected to our website.
The problems we are facing right now is
we don't know how we can pass the username, comment karma and link karma from our back-end to our front-end. We thought doing it with a cookie would do the trick, but this causes security-issues and just makes it more confusing for us.
Maybe there is a better way to handle this system. We would really appreciate suggestion for doing this in a better manner than this way. However, we have to deliver something working by Nov 10th.
Is there a way to pass values from Spark/Java to a webpage when registering someone?
I can share some bits of our code if wanted. Right now, our GitHub repository is private, however.
Your help is extremely appreciated. I might even buy you coffee.
Sincerely,
Jeroen Meijer.

Building an HTML Widget to embed paid content - how to secure communication with the backend?

I'm creating a widget that shows content when the page visitor pays for it. I'm handling the payment form inside the widget and I'm using Stripe for credit card handling, charges, etc.
My problem is: I want to make it easy for the user to pay for the content, right now, I'm my working proof of concept I only ask for the email, then:
Check if I already have this email on my system, check with my API server if it has a payment for this product associated and then let the user get to the content.
If the email is not present in the system, it is created, and return only the Stripe publishable key.
If the email is present, but it has no payment associated with this product, simply return the Stripe publishable key.
When the widget gets the Stripe key, then it shows the payment (credit card) form, which is used to get the Stripe token, and this token, along with the email, is sent back to my API server. If everything is Ok, then the widget retrieves the content and shows it to the user.
Now, the question(s): How to secure the communication between the widget and the server, besides using HTTPS? I already have support for application id/secret pairs, how can I use them to to authenticate the requests from the widget to the server? The widget will be inserted in pages on arbitrary domains, so using the Referer/Origin headers is out of the question.
I don't think that is really important, but if it helps, I'm using Django 1.7 and Django Rest Framework 3.0.5.
Thanks!
There is an api you can use, called CoinTent. Its sub-motto is "Purchase individual pieces of content for small prices with one account and one click." HEAD HEAD HEAD HEAD...

How do I allow a user approve a task from the email?

In our project the managers receive emails with their tasks. The new requirement is to allow the managers to approve their tasks from the emails. Near every tasks is an "Approve" button that should be added to allow approvals of tasks without going to the site of the company.
How do I do it?
As for me, that is not possible. Most email clients will never run javascript, so you can't use ajax to call your server.
Another option - iframe with a form to set an approval in it. According to this in some email clients it will work. In others - no.
As for me, the most realistic way is to put a simple link. Click on it will open browser, of course, but you can make that page close itself after everything is done.
The last option I see is to send an email to some specific address, like approve_task#company.com with subject containing an ID of a task and establish listener which will check email received by approve_task#company.com and mark task as approved. No problem to make a mailto: link in email body. But you can't send any emails automatically. Managers will need to click it and send an email manually. So I do not think this is really good solution.

Categories