I have a requirement for an authenticated user to be able to send an invite to someones email address. On clicking this invite, the user would be prompted to sign up, and on completion, would be associated with the same account as the originator.
I am struggling to design a secure mechanism for ensuring the invited user is associated with the intended account, and no other.
(If it's of help, I am using Ruby 2, Rails 4, and the sorcery gem for authentication)
The following works:
Use Sorcery User Activation submodule
On 'invite' action create User (non-active) and attach her to the account. Send invitation email with activation link, e.g. http://example.com/users/:token/activate. In your users_controller#activate:
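The invite flow the answer outlines, as an added plain-Ruby example that is not the answer's or sorcery's code: an in-memory InviteStore (a constructed stand-in for the User/Account tables) binds the token to the inviting account on the server side, stores only a digest of it, and accepts it once before expiry, so the activation link itself carries nothing a client could change to land in a different account.

```ruby
require 'securerandom'
require 'digest/sha2'

# Constructed stand-in for the persisted invite/user row; a Rails app would keep
# these columns on the non-active User created by the 'invite' action.
class InviteStore
  Invite = Struct.new(:account_id, :email, :expires_at, :activated)

  def initialize(ttl: 48 * 3600)
    @invites = {}   # keyed by SHA-256 digest of the raw token
    @ttl = ttl
  end

  # Link of the shape the answer uses: the token is the only client-supplied input.
  def self.activation_url(token)
    "http://example.com/users/#{token}/activate"
  end

  # Create the pending invite bound to the inviter's account and return the raw
  # token for the email. Only the digest is stored, so a leaked table does not
  # yield usable activation links.
  def create(account_id:, email:, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)             # 256 bits of entropy
    @invites[Digest::SHA256.hexdigest(token)] =
      Invite.new(account_id, email, now + @ttl, false)
    token
  end

  # users_controller#activate logic: resolve the account from the token alone,
  # reject unknown, expired or already-used tokens, and mark it consumed so the
  # same link cannot attach a second sign-up to the account.
  def activate(token, now: Time.now)
    invite = @invites[Digest::SHA256.hexdigest(token.to_s)]
    return nil if invite.nil? || invite.activated || now > invite.expires_at
    invite.activated = true
    { account_id: invite.account_id, email: invite.email }
  end
end
```

The controller then builds the sign-up for exactly the returned account_id and email, and treats a nil result as an invalid invite rather than letting the user pick an account.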