Tags: ruby-on-rails, devise, devise-invitable

Rails Devise invitable invitation link isn't working


So I have 2 apps that are supposed to work together. I have app1 which is an app only our employees will be using and app2 which is a customer_portal app where customers can log in and pay their balance. I'm trying to make it so that in app1 we can create a customer account and link it up to specific customers. This process will use devise_invitable to create an account for app2 and email the selected customer a link to set up their portal app (which just accepts the invite) but for some reason, the invite link doesn't work and just redirects to the home page. So basically app2 can't sign up for an account, the account has to be created through app1 and sent to the customer via email.

I heard from someone that it should only be redirecting if the URL is incorrect, but it's a URL that's generated via the invite function:

PortalUser.invite!({:name => params[:name], :email => params[:email]}, current_user)

That auto-emails this link: http://localhost:3000/portal_users/invitation/accept.20?invitation_token=p7UKK8Z8nKn4busWerpx

I also have an option to resend the invitation email in case the customer requests it, but that sends the same email link:

PortalUser.find(params[:id]).deliver_invitation

One thing I could think of is that the encryption/decryption keys might be different for the 2 different applications, so when app2 tries to decrypt the token it just looks like the wrong token. If this is the case, do you know how I would go about changing those keys to match? Or rather, giving app1 the encryption key of app2 and telling Devise to use that encryption key for all invitations or accounts for app2.

Edit: So I found out I could assign a secret_key in config/initializers/devise.rb, and it would work if both applications used the same key. However, I still have a question: does doing this present a security issue?


Solution

  • "does doing this present a security issue?" - In a way, there is a security issue. For example, anyone who is logged into one app would be able to access the other one. It sounds like one app is a back-end or admin app, and the other is the consumer-facing app. Logging into one should not give access to the other.

    There is probably another way of doing it that is better. You could create a one-time use token that is processed when the page is loaded. It could log in the user and allow them to complete the sign up process.

    Edit:

    You can create a token that can be used to sign in.

    # Look up the one-time token by its raw value from the link, then sign in
    # its owner if one is found (separate names avoid shadowing the token string).
    raw_token = params[:token]
    sign_in_token = SignInToken.find_by(token: raw_token)
    user = sign_in_token&.user
    sign_in(user, scope: :user) if user


    Reference: Devise Wiki
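The one-time sign-in token the answer describes, as an added example that is not the answerer's code: plain Ruby with an in-memory Hash standing in for a SignInToken table and a constructed HMAC secret held only by the portal app (app2), so nothing from Devise's secret_key has to be shared between the two apps. A Rails controller would persist the digest instead and call sign_in as in the answer.

```ruby
require "securerandom"
require "openssl"

# One-time sign-in token store. Only an HMAC digest of the token is persisted,
# so a leaked database dump does not yield usable links; the raw token lives
# only in the email. The HMAC key belongs to the portal app alone, so nothing
# from Devise's secret_key has to be shared between the two apps.
class SignInTokenStore
  TTL_SECONDS = 15 * 60

  Record = Struct.new(:user_id, :expires_at, :used_at)

  def initialize(pepper)
    @pepper = pepper   # constructed secret, held only by the portal app
    @records = {}      # digest => Record (stand-in for a SignInToken table)
  end

  # Issue a token for the emailed link and return the raw value once.
  def issue(user_id, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @records[digest(raw)] = Record.new(user_id, now + TTL_SECONDS, nil)
    raw
  end

  # Redeem a token exactly once. Returns the user id, or nil when the token is
  # malformed, unknown, expired, or already consumed.
  def redeem(raw, now: Time.now)
    return nil unless raw.is_a?(String) && !raw.empty?
    rec = @records[digest(raw)]
    return nil if rec.nil? || rec.used_at || now > rec.expires_at
    rec.used_at = now
    rec.user_id
  end

  private

  # Keyed digest: the stored value cannot be reversed into the emailed token.
  def digest(raw)
    OpenSSL::HMAC.hexdigest("SHA256", @pepper, raw)
  end
end

# Walk through issue -> accept -> replay, as the customer's link would be used.
def demo
  store = SignInTokenStore.new("constructed-portal-only-secret")
  raw = store.issue(42)
  [store.redeem(raw), store.redeem(raw)]   # => [42, nil]: second click is refused
end
```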