Like many Rails websites, my first production Rails site needed user sign-ups. I wanted to have this work in a way that allowed a user to register only after confirming their email address.

The way to do this is with secret URLs.These are URLs that contain an encrypted string and are effectively impossible to guess. By sending a secret URL to an email address, if the URL is subsequently accessed, that’s pretty much a guarantee that the email was received, since there’s no other way that URL could have been obtained. (Check out the Rails Recipes book, which has a good chapter explaining secret URLs.)

Introducing the ActiveUrl Gem

As a first attempt at contributing to the Rails community, I’ve extracted my site’s secret URL functionality into a gem. Since it’s used in a similar fashion to ActiveRecord, I’ve called it ActiveUrl.

How is my implementation distinctive? Basically, it’s database-free. You don’t need any new database tables or fields to use it, since all the relevant information is persisted in the URL itself. All you need to do to hide a page behind a secret URL is to nest its route beneath an ActiveUrl object that the library provides. Neat!

Installation & Usage

First, install the gem:

gem sources -a http://gems.github.com
sudo gem install mholling-active_url

In your Rails app, make sure to specify the gem dependency in environment.rb:

config.gem "mholling-active_url", :lib => "active_url", :source => "http://gems.github.com"

[ UPDATE: The gem is now hosted on Gemcutter, with slightly different installation instructions – see here. ]

Specify a secret passphrase for the library to perform its encryption. You can set this by adding an initializer (say active_url.rb) in your config/initializers directory. This will just set the secret passphrase for your app (you might not want to check this into your source control):

ActiveUrl::Config.secret = "my-app-encryption-secret"

To generate secret URLs in your Rails application, simply inherit a model from ActiveUrl::Base, in the same way you would normally inherit from ActiveRecord::Base. These objects won’t be stored in your database; instead they will be persisted as an encrypted ID and placed in an URL given only to that user (typically by email).

class Secret < ActiveUrl::Base
  ...
end

The following class methods are available for your model:

• attribute(*attribute_names) [sets attributes on your model];
• belongs_to(model_name) [sets a “foreign key” attribute and an association method];
• attr_accessible(*attribute_names) [allows mass-assignment of attributes]
• validations: most of the ActiveRecord validations are available on the attributes you set;
• after_save(callback_name) [sets a callback to be run after the object is persisted];
• find(id) [finds an object from the specified ID, which will be extracted from an URL].

Save your object by using the ActiveUrl::Base#save method—this will run any validations and generate the encrypted ID if the validations pass. (You will usually use this method in your model’s controller.)

In your controllers which deal with ActiveUrl models, you’ll want to deal with the case of an invalid URL; usually just to render a 404. This is easily done using rescue_from in your application controller:

rescue_from ActiveUrl::RecordNotFound do
  render :file => "#{Rails.root}/public/404.html", :status => 404
end

Example: Confirming an Email Address

The typical use case for this example is the verification of an email address provided by a someone signing up to your website. You want to check that the address is valid by sending an email to that address; the user must follow a secret URL in the email to confirm they received the email.

Registration Model

We don’t want to create a User model until the email is confirmed, so instead we’ll use a ActiveUrl::Base model. This is what will be created when a user registers:

class Registration < ActiveUrl::Base  
  attribute :email, :accessible => true
  validates_format_of :email, :with => /^[\w\.=-]+@[\w\.-]+\.[a-zA-Z]{2,4}$/ix
  validate :email_not_taken
  
  after_save :send_registration_email
  
  protected
  
  def email_not_taken
    if User.find_by_email(email)
      errors.add(:email, "is already in use")
    end
  end
  
  def send_registration_email
    Mailer.deliver_registration(self)
  end
end

Going through this step-by-step:

1. First, we set our email attribute using attribute :email, which generates setter and getter methods for the attribute.
2. Next, validate the email address so it at least looks right (validates_format_of :email).
3. We also want to check that a user has not already signed up with that email address, so we add a custom validation (email_not_taken) which adds an error if a User with that email address is found.
4. Finally, we set an after_save callback to actually send the registration email when the model is saved. In the mailer method, we pass in the object so that we know what email address to send to and what secret URL to use.

Routes

Next, let’s set up our routes to allow user creation only via an email confirmation. In routes.rb the relevant routes would be:

map.resources :registrations, :only => [ :new, :create ] do |registration|
  registration.resources :users, :only => [ :new, :create ]
end

Registrations Controller

To allow a user to register, create a registrations controller with just two REST actions, new and create. The controller is entirely generic, as it should be:

class RegistrationsController < ApplicationController
  def new
    @registration = Registration.new
  end

  def create
    @registration = Registration.new(params[:registration])
    if @registration.save
      flash[:notice] = "Please check your email to complete the registration."
      redirect_to root_path # or wherever...
    else
      flash.now[:error] = "There were problems with that email address."
      render :action => "new"
    end
  end
end

When the create action succeeds, the registration object is saved and the registration email sent automatically by its after_save callback.

Registration View

In the new.html.erb view, the registration form would look something like:

<% form_for @registration do |form| %>
  

    <%= form.label :email %>
    <%= form.text_field :email %>
  

Mailer

Finally, we set the mailer to deliver a registration email to the supplied email address:

class Mailer < ActionMailer::Base
  def registration(registration)
    subject    "Registration successful"
    recipients registration.email
    from       "admin@website.com"
    
    body       :registration => registration
  end
end

The registration object is passed through to the email template, where we use it to get the email address and also to generate the new user URL. Since the URL is secret, if it is subsequently accessed then we know that whoever is accessing it was able to read that email. Thus we have confirmed the email address as a real one, which is what we wanted.

The email template might look something like:

Hi <%= @registration.email %>,

Thanks for registering! Please follow this link to complete your
registration process:

<%= new_registration_user_url(@registration, :host => "website.com") %>

Thanks!
website.com

The secret URL generated in the email would look something like:

http://website.com/registrations/yAfxbJIeUFKX9YiY6Pqv0UAwufcacnYabEYS7TxTgZY/users/new

User Model

In our User model, we want to make sure the email address cannot be mass-assigned, so be sure to use attr_protected (or even better, attr_accessible) to prevent this:

class User < ActiveRecord::Base
  ...
  attr_protected :email
  ...
end

Users Controller

Now let’s turn our attention to the users controller. We access the new and create actions only via the nested routes, so that we can load our Registration object from the controller parameters. We’ll use the ActiveUrl::Base.find method to retrieve the registration object, and then set the user’s email address from it:

class UsersController < ApplicationController
  def new
    @registration = Registration.find(params[:registration_id])
    @user = User.new
    @user.email = @registration.email
  end

  def create
    @registration = Registration.find(params[:registration_id])
    @user = User.new(params[:user])
    @user.email = @registration.email
    if @user.save
      flash[:notice] = "Thanks for registering!"
      redirect_to @user # or wherever...
    else
      flash.now[:error] = "There were problems with your information."
      render :action => "new"
    end
  end
end

New User View

The exact contents of the user creation form will depend on our User model, among other things. Notably however,it will not include a field for the email address, since we’ve already obtained the email address from the registration object and we don’t want the user to be able to subsequently change it. (It’s probably advisable to include the email address in the form’s text though, for the sake of clarity.)

The new user form might look something like this:

<% form_for [ @registration, @user ] do |form| %>
  

    Please enter new user details for <%= @user.email %>.
  

Benefits of ActiveUrl

In other email confirmation schemes, whenever a registration process is initiated, a new user object is created, even before the email address is confirmed. This causes a couple of problems:

• The user model will need some form of state (to distinguish between confirmed and unconfirmed users).
• If a registration is initiated but not completed, the unconfirmed record will remain in the database, and will need to be manually removed at a later date.

The ActiveUrl gem overcomes both these problems by persisting all the relevant data to the URL itself, in encrypted form. No database table is needed.

One potential problem with this approach? The URL may become quite long if you store much data in the model. Keep the number of attributes and the length of their names to a minimum to avoid this. Typically, a single attribute or a belongs_to reference is all that’s needed, and produces URLs of modest length.

Other Uses

Another use for secret URLs is to enable your website users to access user-specific parts of the site without being logged in.

A classic example of this is a forgotten-password page, where the user cannot log in because of a forgotten password. By sending a secret URL to the user’s email address, the user can access a password-editing page without being logged in (the knowledge of the secret URL being a alternate form of authentication).

Another example is a user-specific RSS or Atom feed. Since most newsreaders cannot access authenticated feeds, it may not be desirable to put the feeds behind an authenticated controller action. Secret URLs offer an alternative authentication method in this case.

[ UPDATE: A companion article describing another example is here. ]

Over to You

Rails developers: let me know what you think in the comments! Go easy, I’ve never published a gem before. Please feel free to fork and improve as you see fit; the code is on GitHub here. (I may even pull back the changes—if I can figure out how…)

The gem includes a set of RSpec tests, though they’re a bit rough. rake spec will run the tests.