Add /unsubscribe-all endpoint #2731
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tjmw
changed the title
This will be used for one-click unsubscribes directly from the email client via the list-unsubscribe header in non-service emails from Braze. See also: https://datatracker.ietf.org/doc/html/rfc8058
I think including a message here is okay, even if it's not used currently. It's consistent with the behaviour of the other subscribe and unsubscribe endpoints.
raphaelkabo
reviewed
May 20, 2024
|
|
||
| return { | ||
| userId, | ||
| timestamp: +timestamp, |
There was a problem hiding this comment.
The + is very elegant! I would have probably done Number(timestamp) because it feels more explicit to me that it's making a number, but that's very much a personal preference.
There was a problem hiding this comment.
Yeah it's a good question. I went for consistency with the existing method just above this which also uses +timestamp. What do you reckon? (I think we should either update both or update neither).
raphaelkabo
pushed a commit
that referenced
this pull request
May 21, 2024
Adds a new /unsubscribe-all endpoint, to be used in the List-Unsubscribe header of emails. According to [the spec] this must be a POST endpoint. By default CSRF protection is enabled on all POSTs, but that's not appropriate in this case as the request is made from an external location. So I've had to modify the middleware to allow POSTs to this endpoint with no CSRF token. See also guardian/identity#2514. [the spec]: https://datatracker.ietf.org/doc/html/rfc8058
raphaelkabo
pushed a commit
that referenced
this pull request
May 23, 2024
Adds a new /unsubscribe-all endpoint, to be used in the List-Unsubscribe header of emails. According to [the spec] this must be a POST endpoint. By default CSRF protection is enabled on all POSTs, but that's not appropriate in this case as the request is made from an external location. So I've had to modify the middleware to allow POSTs to this endpoint with no CSRF token. See also guardian/identity#2514. [the spec]: https://datatracker.ietf.org/doc/html/rfc8058
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this change?
Adds a new
/unsubscribe-allendpoint, to be used in theList-Unsubscribeheader of emails.According to the spec this must be a
POSTendpoint. By default CSRF protection is enabled on allPOSTs, but that's not appropriate in this case as the request is made from an external location. So I've had to modify the middleware to allowPOSTs to this endpoint with no CSRF token.See also guardian/identity#2514.
How to test
I've done some end to end testing in CODE. I configured the List-Unsubscribe header in Braze B2C - Dev, and manually posted to the CODE url to simulate the email client making that request. It unsubscribed me from all newsletters and marketing email consents as expected.
How can we measure success?
Have we considered potential risks?
Images
Accessibility