When a user raises a request for access, the user's manager needs to approve the request through email.

The email will have Approve and Reject links as API endpoint URLs, e.g.,
Approve - https://example.com/api/approve,
Reject - https://example.com/api/reject

When the manager clicks either link, it hits the endpoint and their response is captured in the database.

There is a complexity here; for better understanding I will go with an example.

Suppose the actual approver manager is AAA@ymail.com, and the user's request is sent to AAA@ymail.com.

If the actual approver forwards the email to another manager, BBB@ymail.com, and he/she approves from the email, then this needs to be identified and the response should not be captured in the database.


For your information,
1. Our web application is developed in ASP.NET.
2. The manager doesn't have access to the UI.

What I have tried:

I had an idea of sending the API endpoint URL with a token.
Is it possible to verify whether the responding user is the actual manager or a different manager when the response API endpoint URL is hit?

Looking for an approach to authenticate the authorized user.

Thanks,
Vaithilingam Alagappan
Posted
Updated 10-Apr-24 6:44am
Comments
PIEBALDconsult 10-Apr-24 12:47pm    
"2. Manager doesn't have access to UI." -- That seems like a bad idea to me. Why can't a manager access the UI and approve or deny any pending requests?
Vaithilingam Alagappan 10-Apr-24 13:07pm    
Only particular users have access to the web application.
It is not mandatory for their managers to be users of the web application.
Dave Kreskowiak 10-Apr-24 15:18pm    
That's a bad idea. You're giving managers only a single method of approving access, using only an email that can accidentally be deleted.

I'm afraid you need to go back to whoever gave you the requirements and explain this is a monumentally bad idea, and also impossible to implement. If one manager forwards it to another, you can't prevent that, and you can't change the contents of the link back to your app. Basically, this is a bad requirement, so your client needs to be walked through why that's not good.
 
Share this answer
 
Quote:
When Manager clicks either of the link, it hits the endpoint and their response is Captured in Database.

To prevent sharing, the only option is for the intended recipient to log back in, then you verify both the account used to sign in and the code used to record the response.
 
Share this answer
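The approach in the answer above, worked through as an added example (this is not code from the original post or from the poster's application). The token in the link is bound to the approver it was issued to and to one decision, and the endpoint only records a decision when the signed-in account matches that approver; a forwarded link therefore fails for BBB@ymail.com even though the URL is valid. Assumptions: .NET 6 or later (for `HMACSHA256.HashData` and `CryptographicOperations.FixedTimeEquals`), a secret key loaded from configuration rather than the placeholder shown, a login that yields an email claim, and the names `ApprovalToken` and `ApprovalController`, which are hypothetical.

```csharp
// Added example, not the original poster's code. Names and the key are assumptions.
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public static class ApprovalToken
{
    // Assumed: loaded from configuration or a secret store; the literal here is a placeholder only.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-32-or-more-random-bytes");

    // Token = base64url(payload) + "." + base64url(HMAC-SHA256(payload))
    // payload = requestId | decision | approverEmail | expiresAtUnixSeconds
    // The email link becomes https://example.com/api/approve?token=<Create(id, "approve", ...)>
    public static string Create(string requestId, string decision, string approverEmail, DateTimeOffset expiresAt)
    {
        string payload = string.Join("|", requestId, decision,
                                     approverEmail.Trim().ToLowerInvariant(), expiresAt.ToUnixTimeSeconds());
        byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);
        byte[] mac = HMACSHA256.HashData(Key, payloadBytes);
        return B64(payloadBytes) + "." + B64(mac);
    }

    // True only if the token is intact, unexpired, and was issued to the account that is signed in.
    public static bool TryValidate(string token, string signedInEmail, DateTimeOffset now,
                                   out string requestId, out string decision, out string reason)
    {
        requestId = decision = null;
        reason = "malformed";
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payloadBytes, mac;
        try { payloadBytes = UnB64(parts[0]); mac = UnB64(parts[1]); }
        catch (FormatException) { return false; }

        // Recompute the MAC and compare in constant time so it cannot be guessed byte by byte.
        byte[] expected = HMACSHA256.HashData(Key, payloadBytes);
        if (!CryptographicOperations.FixedTimeEquals(expected, mac)) { reason = "bad signature"; return false; }

        string[] f = Encoding.UTF8.GetString(payloadBytes).Split('|');
        if (f.Length != 4 || !long.TryParse(f[3], out long exp)) return false;
        if (now.ToUnixTimeSeconds() > exp) { reason = "expired"; return false; }

        // The decisive check for the forwarded-email case: the signed-in account must be the bound approver.
        string actual = signedInEmail?.Trim().ToLowerInvariant();
        if (!string.Equals(f[2], actual, StringComparison.Ordinal))
        { reason = "token was issued to a different approver"; return false; }

        requestId = f[0];
        decision = f[1];
        reason = "ok";
        return true;
    }

    private static string B64(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] UnB64(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }
}

[ApiController]
public class ApprovalController : ControllerBase
{
    [Authorize]                  // forces the sign-in the answer describes before the link does anything
    [HttpGet("api/approve")]
    public IActionResult Approve([FromQuery] string token)
    {
        // Assumed: the login (e.g. the company identity provider) puts the manager's email in a claim.
        string email = User.FindFirst(ClaimTypes.Email)?.Value;
        if (!ApprovalToken.TryValidate(token ?? "", email, DateTimeOffset.UtcNow,
                                       out string requestId, out string decision, out string reason))
            return Forbid();     // nothing is written to the database; log `reason` for the audit trail

        // Application-specific: store `decision` for `requestId`, then mark the token consumed so it is single-use.
        return Ok(new { requestId, decision });
    }
}
```

Issue one token per link (`decision` = "approve" for the Approve URL, "reject" for the Reject URL) so the two links cannot be swapped by editing the query string. Two caveats a practitioner would want stated: the check proves which account signed in, not which person sat at the keyboard, so if AAA@ymail.com hands BBB@ymail.com their credentials nothing here detects it; and because GET links are followed by mail scanners and link previewers, record the decision only after the authenticated request, ideally behind a confirmation POST, and consume the token so it cannot be replayed.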
 