jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

emails: fix one-click unsubscription.

Browse Source 
Fix it so that emails are (hopefully) able to show the one-click
unsubscribe button in Gmail and other mail providers that support the
List-Unsubscribe header. This way users can unsubscribe instead of
marking emails as spam.

* Add the List-Unsubscribe-Post header.
* Fix the disable email notifications endpoint to support POST as well as DELETE requests.
* Fix the disable email notifications endpoint to disable XSRF protection (we don't need
  users to be logged in because we use a signed URL instead).

https://www.rfc-editor.org/rfc/rfc8058#section-3.1
https://www.rfc-editor.org/rfc/rfc8058#section-8.1
This commit is contained in:
evazion
2022-09-28 19:44:29 -05:00
parent 5051c6649d
commit ed9986def6
4 changed files with 34 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
app/controllers/maintenance/user/email_notifications_controller.rb
View File

@@ -7,8 +7,9 @@ module Maintenance
respond_to :html, :json, :xml respond_to :html, :json, :xml
before_action :validate_sig, :only => [:destroy] before_action :validate_sig, only: [:create, :destroy]
rescue_from VerificationError, with: :render_verification_error skip_forgery_protection only: [:create, :destroy]
rescue_with VerificationError, status: 403
def show def show
end end
@@ -16,15 +17,23 @@ module Maintenance
def destroy def destroy
@user = ::User.find(params[:user_id]) @user = ::User.find(params[:user_id])
@user.update!(receive_email_notifications: false) @user.update!(receive_email_notifications: false)
respond_with(@user)
# https://www.rfc-editor.org/rfc/rfc8058#section-3.1
#
# A mail receiver can do a one-click unsubscription by performing an HTTPS POST to the HTTPS URI in the
# List-Unsubscribe header. It sends the key/value pair in the List-Unsubscribe-Post header as the request body.
# The List-Unsubscribe-Post header MUST contain the single key/value pair "List-Unsubscribe=One-Click".
# The mail sender MUST NOT return an HTTPS redirect
if params["List-Unsubscribe"] == "One-Click"
head 200
else
respond_with(@user)
end
end end
alias_method :create, :destroy
private private
def render_verification_error
render plain: "", status: 403
end
def validate_sig def validate_sig
verifier = ActiveSupport::MessageVerifier.new(Danbooru.config.email_key, digest: "SHA256", serializer: JSON) verifier = ActiveSupport::MessageVerifier.new(Danbooru.config.email_key, digest: "SHA256", serializer: JSON)
calculated_sig = verifier.generate(params[:user_id].to_s) calculated_sig = verifier.generate(params[:user_id].to_s)

9
app/mailers/application_mailer.rb
View File

@@ -11,7 +11,14 @@ class ApplicationMailer < ActionMailer::Base
default from: "#{Danbooru.config.canonical_app_name} <#{Danbooru.config.contact_email}>", content_type: "text/html" default from: "#{Danbooru.config.canonical_app_name} <#{Danbooru.config.contact_email}>", content_type: "text/html"
def mail(user, require_verified_email:, **options) def mail(user, require_verified_email:, **options)
headers["List-Unsubscribe"] = disable_email_notifications_url(user) # https://www.rfc-editor.org/rfc/rfc8058#section-3.1
#
# A mail receiver can do a one-click unsubscription by performing an HTTPS POST to the HTTPS URI in the
# List-Unsubscribe header. It sends the key/value pair in the List-Unsubscribe-Post header as the request body.
# The List-Unsubscribe-Post header MUST contain the single key/value pair "List-Unsubscribe=One-Click".
headers["List-Unsubscribe"] = "<#{disable_email_notifications_url(user)}>"
headers["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
message = super(to: user.email_address&.address, **options) message = super(to: user.email_address&.address, **options)
message.perform_deliveries = user.can_receive_email?(require_verified_email: require_verified_email) message.perform_deliveries = user.can_receive_email?(require_verified_email: require_verified_email)
message message

2
config/routes.rb
View File

@@ -49,7 +49,7 @@ Rails.application.routes.draw do
namespace :maintenance do namespace :maintenance do
namespace :user do namespace :user do
resource :count_fixes, only: [:new, :create] resource :count_fixes, only: [:new, :create]
resource :email_notification, :only => [:show, :destroy] resource :email_notification, only: [:show, :create, :destroy]
resource :deletion, :only => [:show, :destroy] resource :deletion, :only => [:show, :destroy]
end end
end end

11
test/functional/maintenance/user/email_notifications_controller.rb
View File

@@ -19,14 +19,21 @@ module Maintenance
context "#destroy" do context "#destroy" do
should "disable email notifications" do should "disable email notifications" do
delete_auth maintenance_user_email_notification_path(user_id: @user.id, sig: @sig), @user delete maintenance_user_email_notification_path(user_id: @user.id, sig: @sig)
assert_response :success
assert_equal(false, @user.reload.receive_email_notifications)
end
should "disable email notifications from a one-click unsubscribe" do
post maintenance_user_email_notification_path(user_id: @user.id, sig: @sig), params: { "List-Unsubscribe": "One-Click" }
assert_response :success assert_response :success
assert_equal(false, @user.reload.receive_email_notifications) assert_equal(false, @user.reload.receive_email_notifications)
end end
should "not disable email notifications when given an incorrect signature" do should "not disable email notifications when given an incorrect signature" do
delete_auth maintenance_user_email_notification_path(user_id: @user.id, sig: "foo"), @user delete maintenance_user_email_notification_path(user_id: @user.id, sig: "foo")
assert_response 403 assert_response 403
assert_equal(true, @user.reload.receive_email_notifications) assert_equal(true, @user.reload.receive_email_notifications)