Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding extra parameters after generating URL #195

Open
erikas-tranauskas opened this issue Sep 24, 2024 · 4 comments
Open

Adding extra parameters after generating URL #195

erikas-tranauskas opened this issue Sep 24, 2024 · 4 comments
Labels
Feature New Feature

Comments

@erikas-tranauskas
Copy link

So I have this issue with sending verification emails through SalesForce. They always add some extra query parameters to URL before adding the link into the email.

I see that if you add any extra parameter into URL - verification process fails and it won't work except you add those parameters while generating the URL itself.

Is there any way to add extra parameter after the verification link has been generated?

@bocharsky-bw
Copy link
Member

Why does SalesForce do this? What extra parameters exactly? Are the extra parameters always the same? I mean, how you can guarantee that those query parameters won't change in the future, or if their values won't change? It sounds like even if you were able to add some extra query parameters, you are still not 100% sure what SalesForce will add, right?

@erikas-tranauskas
Copy link
Author

Why does SalesForce do this? What extra parameters exactly? Are the extra parameters always the same? I mean, how you can guarantee that those query parameters won't change in the future, or if their values won't change? It sounds like even if you were able to add some extra query parameters, you are still not 100% sure what SalesForce will add, right?

Those are added by my company SalesForce managers I believe. Used to track some data about clicking anything in the verification email itself. So basically yeah I am not sure which parameters will be used and if new ones will appear sometime in the future.

For now I just update the query parameters (by removing the extra ones and just leaving the ones needed for this bundle) of the Symfony Request used to validate the email.

@jrushlow jrushlow added the Feature New Feature label Sep 25, 2024
@jrushlow
Copy link
Collaborator

Is there any way to add extra parameter after the verification link has been generated?

There is not a mechanism to modify the signed URL once it has been generated by

public function generateSignature(string $routeName, string $userId, string $userEmail, array $extraParams = []): VerifyEmailSignatureComponents

I'm not familiar with Salesforce - but I believe if you generate a signed URL -> modify the signed URL (e.g. what it sounds like salesforce is doing) -> attempt to validate the malformed signed URL -> validation will fail.

The best solution (although it may not be possible in your situation) would be to pass an extra query param's to

public function generateSignature(string $routeName, string $userId, string $userEmail, array $extraParams = []): VerifyEmailSignatureComponents
as the $extraParams arguments in your controller. Then those params would become apart of the signature.

Else, you would need to "sanitize" the signed URL before validation by removing any params that were not used when the signature was generated. See: https://github.com/SymfonyCasts/verify-email-bundle/blob/main/README.md#reserved-query-parameters


For v2, we could create a configuration based mechanism to remove some/all extra query params in

public function validateEmailConfirmationFromRequest(Request $request, string $userId, string $userEmail): void
thought I have not fully thought out the consequences for doing so in the bundle.

@jrushlow jrushlow added this to the v2 Possible feature milestone Sep 25, 2024
@erikas-tranauskas
Copy link
Author

Is there any way to add extra parameter after the verification link has been generated?

There is not a mechanism to modify the signed URL once it has been generated by

public function generateSignature(string $routeName, string $userId, string $userEmail, array $extraParams = []): VerifyEmailSignatureComponents

I'm not familiar with Salesforce - but I believe if you generate a signed URL -> modify the signed URL (e.g. what it sounds like salesforce is doing) -> attempt to validate the malformed signed URL -> validation will fail.

The best solution (although it may not be possible in your situation) would be to pass an extra query param's to

public function generateSignature(string $routeName, string $userId, string $userEmail, array $extraParams = []): VerifyEmailSignatureComponents

as the $extraParams arguments in your controller. Then those params would become apart of the signature.
Else, you would need to "sanitize" the signed URL before validation by removing any params that were not used when the signature was generated. See: https://github.com/SymfonyCasts/verify-email-bundle/blob/main/README.md#reserved-query-parameters

For v2, we could create a configuration based mechanism to remove some/all extra query params in

public function validateEmailConfirmationFromRequest(Request $request, string $userId, string $userEmail): void

thought I have not fully thought out the consequences for doing so in the bundle.

Thank you. Yes sanitization indeed helps. I believe this could be even implemented into the bundle itself. Just clean all the extra parameters that might be added by some email service providers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature New Feature
Projects
None yet
Development

No branches or pull requests

3 participants