jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

emails: fix one-click unsubscription.

Browse Source 
Fix it so that emails are (hopefully) able to show the one-click
unsubscribe button in Gmail and other mail providers that support the
List-Unsubscribe header. This way users can unsubscribe instead of
marking emails as spam.

* Add the List-Unsubscribe-Post header.
* Fix the disable email notifications endpoint to support POST as well as DELETE requests.
* Fix the disable email notifications endpoint to disable XSRF protection (we don't need
  users to be logged in because we use a signed URL instead).

https://www.rfc-editor.org/rfc/rfc8058#section-3.1
https://www.rfc-editor.org/rfc/rfc8058#section-8.1
This commit is contained in:
evazion
2022-09-28 19:44:29 -05:00
parent 5051c6649d
commit ed9986def6
4 changed files with 34 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
app/controllers/maintenance/user/email_notifications_controller.rb
View File

@@ -7,8 +7,9 @@ module Maintenance
respond_to :html, :json, :xml
before_action :validate_sig, :only => [:destroy]
rescue_from VerificationError, with: :render_verification_error
before_action :validate_sig, only: [:create, :destroy]
skip_forgery_protection only: [:create, :destroy]
rescue_with VerificationError, status: 403
def show
end
@@ -16,15 +17,23 @@ module Maintenance
def destroy
@user = ::User.find(params[:user_id])
@user.update!(receive_email_notifications: false)
respond_with(@user)
# https://www.rfc-editor.org/rfc/rfc8058#section-3.1
#
# A mail receiver can do a one-click unsubscription by performing an HTTPS POST to the HTTPS URI in the
# List-Unsubscribe header. It sends the key/value pair in the List-Unsubscribe-Post header as the request body.
# The List-Unsubscribe-Post header MUST contain the single key/value pair "List-Unsubscribe=One-Click".
# The mail sender MUST NOT return an HTTPS redirect
if params["List-Unsubscribe"] == "One-Click"
head 200
else
respond_with(@user)
end
end
alias_method :create, :destroy
private
def render_verification_error
render plain: "", status: 403
end
def validate_sig
verifier = ActiveSupport::MessageVerifier.new(Danbooru.config.email_key, digest: "SHA256", serializer: JSON)
calculated_sig = verifier.generate(params[:user_id].to_s)