Sometimes what seems like a simple task ends up being an extensive tour of
all the rabbit holes in the vicinity of whatever it is I am working on.
I set out several days ago to build a better unsubscribe mechanism -- the emails that MV has been sending out forever had a few deficiencies, namely that you generally need to be logged in to unsubscribe from a given topic reply notification. And there wasn't a mechanism to unsubscribe from all topic reply notifications, nor private message notifications.
Seems like a straightforward task. But hah.
Anyway, after days and days of coding and tweaking and researching, I've put in place a relatively modern unsubscribe mechanism that relies on JWT (JSON Web Token) tokens. These are essentially bits of authorization that I can append to an email link, giving the recipient the right to make limited changes to their account without actually being logged in. Even if they've been banned, in fact.
Each token is signed by the server so that it cannot be altered, but the contents are not opaque: they are encoded, not encrypted -- you can paste the token into the website above and it will tell you exactly what is in it.
The main thrust of JWT tokens is that the server can issue them at will but does not need to track them. Once released into the wild, a token will either be returned when the recipient follows the link, or it will just sit in the recipient's email archive until it expires. The expiration date is built into the token. And since the token is cryptographically signed, any tampering with it will be easily detected and the token rejected.
Neat!
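As an added example (not MV's code), here is the mechanism described above in standard-library Python: the server mints an HS256 JWT scoped to one action with an embedded expiry, then verifies it later without any stored state, rejecting expired, tampered or wrongly-keyed tokens. The secret, the `act` claim and the action name are constructed for the demo.

```python
from typing import Optional
import base64, hashlib, hmac, json

# Constructed demo key; a real deployment loads a long random secret from configuration.
SECRET = b"demo-secret-not-for-production"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_unsubscribe_token(user_id: int, action: str, ttl_seconds: int, now: int, key: bytes = SECRET) -> str:
    """Issue a compact HS256 JWT scoped to one action with a built-in expiry.
    The payload is only base64url-encoded, so anyone holding the email can read it:
    it carries who may do what and until when, and nothing secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": str(user_id), "act": action, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_unsubscribe_token(token: str, now: int, key: bytes = SECRET) -> Optional[dict]:
    """Statelessly check structure, pinned algorithm, signature and expiry.
    Returns the claims on success and None on any failure; no server-side lookup is needed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm server-side; never let the token's own "alg" choose the verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    # Any edit to the encoded payload already failed above; now enforce the embedded expiry.
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims
```

The handler that receives the link only needs `verify_unsubscribe_token` and the `sub`/`act` claims it returns; nothing about the token is stored when it is issued.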
As always, let me know if you encounter any issues with this, if you actually ever see an email from MV.