-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add /unsubscribe-all endpoint #2731
Conversation
This will be used for one-click unsubscribes directly from the email client via the list-unsubscribe header in non-service emails from Braze. See also: https://datatracker.ietf.org/doc/html/rfc8058
I think including a message here is okay, even if it's not used currently. It's consistent with the behaviour of the other subscribe and unsubscribe endpoints.
|
||
return { | ||
userId, | ||
timestamp: +timestamp, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The +
is very elegant! I would have probably done Number(timestamp)
because it feels more explicit to me that it's making a number, but that's very much a personal preference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah it's a good question. I went for consistency with the existing method just above this which also uses +timestamp
. What do you reckon? (I think we should either update both or update neither).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great work!
Adds a new /unsubscribe-all endpoint, to be used in the List-Unsubscribe header of emails. According to [the spec] this must be a POST endpoint. By default CSRF protection is enabled on all POSTs, but that's not appropriate in this case as the request is made from an external location. So I've had to modify the middleware to allow POSTs to this endpoint with no CSRF token. See also guardian/identity#2514. [the spec]: https://datatracker.ietf.org/doc/html/rfc8058
Adds a new /unsubscribe-all endpoint, to be used in the List-Unsubscribe header of emails. According to [the spec] this must be a POST endpoint. By default CSRF protection is enabled on all POSTs, but that's not appropriate in this case as the request is made from an external location. So I've had to modify the middleware to allow POSTs to this endpoint with no CSRF token. See also guardian/identity#2514. [the spec]: https://datatracker.ietf.org/doc/html/rfc8058
What does this change?
Adds a new
/unsubscribe-all
endpoint, to be used in theList-Unsubscribe
header of emails.According to the spec this must be a
POST
endpoint. By default CSRF protection is enabled on allPOST
s, but that's not appropriate in this case as the request is made from an external location. So I've had to modify the middleware to allowPOST
s to this endpoint with no CSRF token.See also guardian/identity#2514.
How to test
I've done some end to end testing in CODE. I configured the List-Unsubscribe header in Braze B2C - Dev, and manually posted to the CODE url to simulate the email client making that request. It unsubscribed me from all newsletters and marketing email consents as expected.
How can we measure success?
Have we considered potential risks?
Images
Accessibility